Containers - Getting Started
Onboarding Flow
Follow these instructions to provision, configure, and remediate scan results for your container images.
Sign up using the Container Security screen in AMP.
This is where users will add their first Connector
Configure your container registry or registries.
As an optional step, users can add any additional Connectors
Currently, one sensor is needed to configure a registry.
Add your registry or registries
The number of registries will correspond to how your connectors are configured
Once your container registry or registries are configured in the Armor Management Portal (AMP), the images are initially scanned.
Review scan results
For information on Vulnerabilities, including filtering by Asset Type and Asset ID, managing exclusions, scan schedules and more, please see the Vulnerability Scanning documentation.
Sign Up for Container Security
To purchase Container Security, customers can visit the Container Security screen in the Armor Management Portal (AMP).
Log into AMP
In the left-hand menu, click "MARKETPLACE" to display the AMP Marketplace
Navigate to the Security & Compliance section
Click the Container Security card
If Container Security is not displayed in the AMP Marketplace, you may not have permission to access it. Please consult your account administrator for assistance.
After reviewing the features & benefits, proceed by clicking the Let's Get Started button. This action automatically generates an Armor Ticketing System (ATS) ticket, which is used to track setup of your Container Security subscription. Please anticipate a one (1) business day turnaround for Armor to provision your licenses and set up your account.
Once provisioning is complete, the next time you visit the Container Security section, you will be prompted to start using the solution and configure your first Connector.
Configure Your Public Cloud Container Registries
In the Armor Management Portal, the Containers section is separated into three tabs: Images, Registries, Connectors. For each public cloud registry you wish to configure, you will start by configuring its corresponding Connector. In addition, you will need to set up at least one container sensor, which provides the Armor security platform with visibility into your registries.
Container Security supports the following public cloud container registries:
AWS Elastic Container Registry (ECR)
Azure Container Registry
Google Cloud Container Registry
Docker Hub
Limitation on Supported AWS Regions
For now, the following AWS Regions are not yet supported when configuring a Container Registry within the Armor platform:
AWS GovCloud (US-East)
AWS GovCloud (US-West)
US East (Ohio)
Connectors
View Existing Connectors
In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click Container Security.
Click the Connectors tab.
Column | Description |
---|---|
Name | The name given for the connector |
ID | Identifying number for the connector |
Status | Status of the connector |
Create a New Connector
After you configure your first connector, use the following instructions to configure subsequent connectors:
Click the New Connector button at the top-right of the screen.
Armor enables users to create a Connector by Registry Type. Use the list to select the appropriate Registry Type.
AWS ECR
Azure ACR
Google CR
Docker Hub
Click the NEXT button.
The Connector Details form is predetermined by the Registry Type selected. Fill out the appropriate information requested per your chosen Registry Type.
Provider | Required Fields |
---|---|
AWS | Connector Name, Role ARN. For instructions on how to create the AWS Role ARN, click here. |
Azure | Connector Name, Application ID, Client Secrets. For instructions on how to create the Application ID and Client Secrets, click here. |
Docker | Connector Name, Username, Password |
Google | Connector Name, Config File. For instructions on how to create the Connector Name and Config File, click here. |
Click the NEXT button.
Confirm the values below before submitting.
Click the DONE button if correct.
Use the BACK button to correct previously entered information.
Click the DONE button.
Delete an Existing Connector
In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click Container Security.
Click the Connectors tab.
Click the
Sensors
Before you configure container registries, at least one container sensor must be installed. The Armor Management Portal (AMP) will ensure you have completed sensor installation before you configure your first registry.
Install a Container Sensor
In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click Container Security.
Click the Registries tab.
Click the New button at the top-right of the screen.
In the button options, select New Sensor.
In the displayed aside, select the registry provider where you expect to install the container sensor
The aside will refresh to display:
A button for downloading the sensor installation package
Step-by-step CLI commands for installing the sensor on the selected registry provider
For information on Container provider-specific instructions, see the following documentation.
Uninstall A Container Sensor
Follow the same steps as in Install a Container Sensor.
Download the installation package.
Extract its contents. The package includes the uninstallsensor.sh script.
Depending on your Docker host configurations:
Host is configured to communicate over docker.sock: run the following command:
./uninstallsensor.sh -s
Host is configured to communicate over TCP socket
Substitute the address on which Docker daemon is configured to listen
Run the following command:
./uninstallsensor.sh DockerHost=<<IPv4 address or FQDN>:<Port#>> -s
Follow the on-screen prompts to uninstall the sensor.
If prompted, Armor recommends not clearing the persistent storage.
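The choice between the two uninstall invocations above can be derived from the Docker endpoint the host uses. This is an added example, not Armor's own tooling; it assumes the endpoint is written in DOCKER_HOST form (unix:///path or tcp://host:port), the function name uninstall_cmd is hypothetical, and the sample endpoints are constructed.

```shell
#!/bin/sh
# Added example: choose the uninstallsensor.sh invocation from the Docker endpoint.
# Assumption: the endpoint is given in DOCKER_HOST form (unix:///path or tcp://host:port).

# Print the command line for the given endpoint; return 1 if it cannot be mapped.
uninstall_cmd() {
    endpoint=${1:-unix:///var/run/docker.sock}
    case $endpoint in
        unix://*)
            # Host communicates with the daemon over docker.sock.
            printf '%s\n' './uninstallsensor.sh -s'
            ;;
        tcp://*)
            addr=${endpoint#tcp://}
            addr=${addr%/}              # tolerate a trailing slash
            host=${addr%:*}
            port=${addr##*:}
            # Require host:port with a numeric port in 1..65535.
            if [ "$host" = "$addr" ] || [ -z "$host" ]; then
                echo "missing port in '$endpoint'" >&2; return 1
            fi
            case $port in
                ''|*[!0-9]*) echo "bad port in '$endpoint'" >&2; return 1 ;;
            esac
            if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
                echo "port out of range in '$endpoint'" >&2; return 1
            fi
            printf './uninstallsensor.sh DockerHost=%s:%s -s\n' "$host" "$port"
            ;;
        *)
            echo "unsupported endpoint '$endpoint'" >&2; return 1
            ;;
    esac
}

# Constructed sample endpoints; the commands are printed, not executed.
for e in unix:///var/run/docker.sock tcp://10.0.0.5:2376 tcp://docker01.example.internal; do
    uninstall_cmd "$e" || echo "  -> correct the endpoint before uninstalling"
done
```

The function only prints the command, so it can be reviewed before it is run from the directory where the installation package was extracted.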
Registries
Once you have configured a connector, you need to configure a registry.
View Existing Registries
In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click Container Security.
Click the Registries tab.
Column | Description |
---|---|
Registry | |
Total Repositories | |
Last Scanned | |
Total Images | |
Vulnerabilities | |
Status | |
Add a New Registry
In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click Container Security.
Click the Registries tab.
Click the New button at the top-right of the screen.
In the button options, select New Registry.
Scan The Contents Of Your Registries
Once you have configured a registry, the Armor security platform begins to review its content. Based on the repository names and tags provided, matching container images are cataloged then scanned for vulnerabilities. Initial scan results are typically available within 4 hours, while refreshed results are available on a daily basis.
As Armor's security platform discovers container images and their vulnerabilities, your scan results can be viewed under the Images tab of the Container Security section.
Vulnerabilities
Take Action to Remediate Vulnerabilities
The Images tab of the Container Security section catalogs your images, while the Vulnerability Scanning section allows you to manage their vulnerabilities alongside those of other assets like virtual machines.
The Vulnerability Scanning section can be filtered to show vulnerabilities for a single container image at a time and/or different severities.
Images
View Existing Container Images
In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click Container Security.
The Images tab is displayed by default.
Column | Description |
---|---|
Image ID | |
Repository | |
Registry | |
Last Scanned | |
Tags | |
Vulnerabilities | |
Status | |
View Vulnerabilities for a Single Container Image
In the Armor Management Portal (AMP), in the left-side navigation, click Security.
Click Container Security.
The Images tab is displayed by default.
For the container image you wish to review, hover to the right of its name to display a contextual menu icon.
Click the icon, then select View Vulnerabilities.
You will be redirected from the Container Security section to the Vulnerability Scanning section, with an Asset ID filter being enforced.
The Asset ID filter limits the vulnerability scan results to those applicable to the current container image. It works in combination with other searches & filters currently in effect, and it will continue to be applied until cleared.
For instructions on how to manage your vulnerabilities within the Vulnerability Scanning section, please visit our Vulnerability Scanning documentation module.