Onboarding Flow
Follow these instructions to provision and configure Container Security, and to remediate the scan results for your container images.
- Sign up using the Container Security screen in AMP.
  - This is where users will add their first Connector.
- Configure your container registry or registries.
  - As an optional step, users can add any additional Connectors.
  - Install a sensor.
    - Currently, one sensor is needed to configure a registry.
  - Add your registry or registries.
    - The number of registries will correspond to how your connectors are configured.
  - Info: Once your container registry or registries are configured in the Armor Management Portal (AMP), the images are initially scanned.
- Review scan results.
  - For information on Vulnerabilities, including filtering by Asset Type and Asset ID, managing exclusions, scan schedules and more, please see the Vulnerability Scanning documentation.
To purchase Container Security, customers can visit the Container Security screen in the Armor Management Portal (AMP).
Log into AMP
In the left-hand menu, click "MARKETPLACE" to display the AMP Marketplace
Navigate to the Security & Compliance section
Click the Container Security card
If Container Security is not displayed in the AMP Marketplace, you may not have permission to access it. Please consult your account administrator for assistance.
After reviewing the features & benefits, proceed by clicking the Let's Get Started button. This action automatically generates an Armor Ticketing System (ATS) ticket, which is used to track the setup of your Container Security subscription. Please anticipate a one (1) business day turnaround for Armor to provision your licenses and set up your account.
Once provisioning is complete, the next time you visit the Container Security section, you will be prompted to start using the solution and configure your first Connector.
In the Armor Management Portal, the Containers section is separated into three tabs: Images, Registries, and Connectors. For each public cloud registry you wish to configure, you will start by configuring its corresponding Connector. In addition, you will need to set up at least one container sensor, which provides the Armor security platform with visibility into your registries.
Container Security supports the following public cloud container registries:
AWS Elastic Container Registry (ECR)
Azure Container Registry
Google Cloud Container Registry
Docker Hub
Note: Limitation on Supported AWS Regions
For now, the following AWS Regions are not yet supported when configuring a Container Registry within the Armor platform:
Connectors
View Existing Connectors
In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click Container Security.
Click the Connectors tab.
Column | Description |
---|---|
Name | The name given for the connector |
ID | Identifying number for the connector |
Status | Status of the connector |
After you configure your first connector, use the following instructions to configure subsequent connectors:
Click the New Connector button at the top-right of the screen.
Armor enables users to create a Connector by Registry Type. Use the list to select the appropriate Registry Type.
AWS ECR
Azure ACR
Google CR
Docker Hub
Click the NEXT button.
The Connector Details form is predetermined by the Registry Type selected. Fill out the appropriate information requested per your chosen Registry Type.
Provider | Required Fields |
---|---|
AWS | Connector Name, Role ARN. Info: For instructions on how to create the AWS Role ARN, click here. |
Azure | Connector Name, Application ID, Client Secrets. Info: For instructions on how to create the Application ID and Client Secrets, click here. |
Docker | Connector Name, Username, Password |
Google | Connector Name, Config File. Info: For instructions on how to create the Connector Name and Config File, click here. |
Click the NEXT button.
Confirm the values below before submitting.
Click the DONE button if correct.
Use the BACK button to correct previously entered information.
Click the DONE button.
Delete an Existing Connector
In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click Container Security.
Click the Connectors tab.
- Click the
Sensors
At least one container sensor must be installed before you configure container registries. The Armor Management Portal (AMP) will ensure you have completed sensor installation before you configure your first registry.
In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click Container Security.
Click the Registries tab.
Click the New button at the top-right of the screen.
In the button options, select New Sensor.
In the displayed aside, select the registry provider where you expect to install the container sensor.
The aside will refresh to display:
A button for downloading the sensor installation package
Step-by-step CLI commands for installing the sensor on the selected registry provider
Info: For information on Container provider-specific instructions, see the following documentation.
Uninstall A Container Sensor
- Follow the same steps as Install a Container Sensor:
  - Download the installation package.
  - Extract its contents. The package includes the uninstallsensor.sh script.
- Depending on your Docker host configuration:
  - If the host is configured to communicate over docker.sock, run the following command:
    ./uninstallsensor.sh -s
  - If the host is configured to communicate over a TCP socket, substitute the address on which the Docker daemon is configured to listen, then run the following command:
    ./uninstallsensor.sh DockerHost=<<IPv4 address or FQDN>:<Port#>> -s
- Follow the on-screen prompts to uninstall the sensor.
- If prompted, Armor recommends that you do not clear the persistent storage.
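The two uninstall invocations above differ only in the DockerHost argument. As an added example (not Armor's code), the shell helper below derives the arguments for uninstallsensor.sh from a Docker endpoint string. It assumes the endpoint is written in DOCKER_HOST syntax (unix:///path or tcp://host:port); the function name sensor_uninstall_args and the sample endpoints are hypothetical.

```shell
#!/bin/sh
# Added example: pick the uninstallsensor.sh arguments from a Docker endpoint.
# Assumption: the endpoint uses DOCKER_HOST syntax; sensor_uninstall_args is a
# hypothetical helper name, not part of the sensor package.

sensor_uninstall_args() {
    endpoint=$1
    case $endpoint in
        ''|unix://*)
            # Daemon reached over docker.sock: no DockerHost argument needed.
            printf '%s\n' '-s'
            ;;
        tcp://*)
            hostport=${endpoint#tcp://}
            hostport=${hostport%%/*}      # drop any trailing path
            host=${hostport%:*}
            port=${hostport##*:}
            # The documented syntax is <IPv4 address or FQDN>:<Port#>, so a
            # missing port, bracketed IPv6 or a non-numeric port is rejected.
            case $hostport in *:*) ;; *) return 1 ;; esac
            case $host in ''|*[!A-Za-z0-9.-]*) return 1 ;; esac
            case $port in ''|*[!0-9]*) return 1 ;; esac
            [ "$port" -ge 1 ] && [ "$port" -le 65535 ] || return 1
            printf 'DockerHost=%s:%s -s\n' "$host" "$port"
            ;;
        *)
            # ssh://, npipe:// and other schemes are not covered by the page.
            return 1
            ;;
    esac
}

# Constructed sample endpoints (not taken from a real host).
for sample in '' 'unix:///var/run/docker.sock' 'tcp://10.0.0.5:2376' 'ssh://ops@build01'; do
    if args=$(sensor_uninstall_args "$sample"); then
        printf '%-30s -> ./uninstallsensor.sh %s\n' "${sample:-<unset>}" "$args"
    else
        printf '%-30s -> unsupported endpoint, check the Docker daemon configuration\n' "$sample"
    fi
done
```

The helper only prints the command line to run; it does not invoke uninstallsensor.sh itself.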
Registries
Once you have configured a connector, you need to configure a registry.
View Existing Registries
In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click Container Security.
Click the Registries tab.
Column | Description |
---|---|
Registry | |
Total Repositories | |
Last Scanned | |
Total Images | |
Vulnerabilities | |
Status | |
In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click Container Security.
Click the Registries tab.
Click the New button at the top-right of the screen.
In the button options, select New Registry.
Scan The Contents Of Your Registries
Once you have configured a registry, the Armor security platform begins to review its content. Based on the repository names and tags provided, matching container images are cataloged then scanned for vulnerabilities. Initial scan results are typically available within 4 hours, while refreshed results are available on a daily basis.
As Armor's security platform discovers container images and their vulnerabilities, your scan results can be viewed under the Images tab of the Container Security section.
Vulnerabilities
Take Action to Remediate Vulnerabilities
The Images tab of the Container Security section catalogs your images, while the Vulnerability Scanning section allows you to manage their vulnerabilities alongside those of other assets like virtual machines.
The Vulnerability Scanning section can be filtered to show vulnerabilities for a single container image at a time and/or different severities.
Images
View Existing Container Images
In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click Container Security.
The Images tab is displayed by default.
Column | Description |
---|---|
Image ID | |
Repository | |
Registry | |
Last Scanned | |
Tags | |
Vulnerabilities | |
Status | |
In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click Container Security.
The Images tab is displayed by default.
For the container image you wish to review, hover to the right of its name to display a contextual menu icon.
Click the icon, then select View Vulnerabilities.
You will be redirected from the Container Security section to the Vulnerability Scanning section, with an Asset ID filter being enforced.
The Asset ID filter limits the vulnerability scan results to those applicable to the current container image. It works in combination with other searches & filters currently in effect, and it will continue to be applied until cleared.
For instructions on how to manage your vulnerabilities within the Vulnerability Scanning section, please visit our Vulnerability Scanning documentation module.