Skip to main content
Skip table of contents

Containers - Getting Started

Onboarding Flow


Follow these instructions to provision, configure, and remedy scan results of your container images.

  1. Sign up using the Container Security screen in AMP.

    1. This is where users will add their first Connector

  2. Configure your container registry or registries. 

    1. As an optional step, users can add any additional Connectors

    2. Install a sensor

      1. Currently, one sensor is needed to configure a registry.

    3. Add your registry or registries

      1. The number of registries will correspond to how your connectors are configured

        Once your container registry or registries are configured in the Armor Management Portal (AMP), the images are initially scanned.
  3. Review scan results

    1. Navigate to the Images tab in the Container Security screen of AMP.

    2. View the vulnerabilities for a container image

For information on Vulnerabilities, including filtering by Asset Type and Asset ID, managing exclusions, scan schedules and more, please see the Vulnerability Scanning documentation.

Sign Up for Container Security


To purchase Container Security, customers can visit the Container Security screen in the Armor Management Portal (AMP).

  1. Log into AMP

  2. In the left-hand menu, click "MARKETPLACE" to display the AMP Marketplace

  3. Navigate to the Security & Compliance section

  4. Click the Container Security card

If Container Security is not displayed in the AMP Marketplace, you may not have permission to access it. Please consult your account administrator for assistance.

After reviewing the features & benefits, proceed by clicking the Let's Get Started button. This action automatically generates an Armor Ticketing System (ATS) ticket, which is used to track setup of your Container Security subscription. Please anticipate an one (1) business day turnaround for Armor to provision your licenses and setup your account.

Once provisioning is complete, the next time you visit the Container Security section, you will be prompted to start using the solution and configure your first Connector.

Configure Your Public Cloud Container Registries


In the Armor Management Portal, the Containers section is separated into three tabs: Images, Registries, Connectors. For each public cloud registry you wish to configure, you will start by configuring its corresponding Connector. In addition, you will need to setup at least one container sensor, which provides the Armor security platform with visibility into your registries.

Container Security supports the following public cloud container registries:

  • AWS Elastic Container Registry (ECR)

  • Azure Container Registry

  • Google Cloud Container Registry

  • Docker Hub

Limitation on Supported AWS Regions

For now, the following AWS Regions are not yet supported when configuring a Container Registry within the Armor platform:

  • AWS GovCloud (US-East)

  • AWS GovCloud (US-West)

  • US East (Ohio)

Connectors


View Existing Connectors

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click Container Security.

  3. Click the Connectors tab.

Column

Description

Name

The name given for the connector

ID

Identifying number for the connector

Status

Status of the connector

Create a New Connector

After you configure your first connector, use the following instructions to configure subsequent connectors:

  1. Click the New Connector button at the top-right of the screen.

  2. Armor enables users to create a Connector by Registry Type. Use the list to select the appropriate Registry Type.

    1. AWS ECR

    2. Azure ACR

    3. Google CR

    4. Docker Hub

  3. Click the NEXT button.

  4. The Connector Details form is predetermined by the Registry Type selected. Fill out the appropriate information requested per your chosen Registry Type.

    ProviderRequired Fields
    AWS
    • Connector Name
    • Role ARN

      For instructions on how to create the AWS Role ARN, click here.

    Azure
    • Connector Name
    • Application ID
    • Client Secrets

      For instructions on how to create the Application ID and Client Secrets, click here.

    Docker
    • Connector Name
    • Username
    • Password
    Google
    • Connector Name
    • Config File

      For instructions on how to create the Connector Name and Config File, click here.


  5. Click the NEXT button.

  6. Confirm the values below before submitting.

    1. Click the DONE button if correct.

    2. Use the BACK button to correct previously entered information.

  7. Click the DONE button.

Delete an Existing Connector

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click Container Security.

  3. Click the Connectors tab.

  4. Click the

Sensors


Ahead of configuring container registries, at least one container sensor must be installed in advance. The Armor Management Portal (AMP) will ensure you have completed sensor installation ahead of configuring your first registry.

Install a Container Sensor

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click Container Security.

  3. Click the Registries tab.

  4. Click the New button at the top-right of the screen.

  5. In the button options, select New Sensor.

  6. In the displayed aside, select the registry provider where you expect to install the container sensor

  7. The aside will refresh to display:

    1. A button for downloading the sensor installation package

    2. Step-by-step CLI commands for installing the sensor on the selected registry provider

For information on Container provider-specific instructions, see the following documentation.

Uninstall A Container Sensor

  1. Same steps as Install a Container Sensor

  2. Download the installation package

  3. Extract its contents. Within the package = uninstallsensor.sh script

  4. Depending on your Docker host configurations:

    1. Host is configured to communicate over docker.sock: run the following command: ./uninstallsensor.sh -s

    2. Host is configured to communicate over TCP socket

      1. Substitute the address on which Docker daemon is configured to listen

      2. Run the following command: ./uninstallsensor.sh DockerHost=<<IPv4 address or FQDN>:<Port#>> -s

  5. Follow the on-screen prompts to uninstall the sensor.

    1. If prompted, Armor recommends not to clear the persistent storage.

Registries


Once you have configured a connector, you need to configure a registry.

View Existing Registries

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click Container Security.

  3. Click the Registries tab.

Column

Description

Registry


Total Repositories


Last Scanned


Total Images


Vulnerabilities


Status


Add a New Registry

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click Container Security.

  3. Click the Registries tab.

  4. Click the New button at the top-right of the screen.

  5. In the button options, select New Registry.

Scan The Contents Of Your Registries

Once you have configured a registry, the Armor security platform begins to review its content. Based on the repository names and tags provided, matching container images are cataloged then scanned for vulnerabilities. Initial scan results are typically available within 4 hours, while refreshed results are available on a daily basis.

As Armor's security platform discovers container images and their vulnerabilities, your scan results can be viewed under the Images tab of the Container Security section.

Vulnerabilities


Take Action to Remediate Vulnerabilities

The Images tab of the Container Security section catalogs your images, while the Vulnerability Scanning section allows you to manage their vulnerabilities alongside those of other assets like virtual machines.

The Vulnerability Scanning section can be filtered to show vulnerabilities for a single container image at a time and/or different severities.

Images


View Existing Container Images

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click Container Security.

  3. The Images tab is displayed by default.

Column

Description

Image ID


Repository


Registry


Last Scanned


Tags


Vulnerabilities


Status


View Vulnerabilities for a Single Container Image

  1. In the Armor Management Portal (AMP), in the left-side navigation, click Security.

  2. Click Container Security.

  3. The Images tab is displayed by default.

  4. For the container image you wish to review, hover to the right of its name to display a contextual menu icon.

  5. Click the icon, then select View Vulnerabilities.

  6. You will be redirected from the Container Security section to the Vulnerability Scanning section, with an Asset ID filter being enforced.

The Asset ID filter limits the vulnerability scan results to those applicable to the current container image. It works in combination with other searches & filters currently in-effect, and it will continue to be applied until cleared.

For instructions on how to manage your vulnerabilities within the Vulnerability Scanning section, please visit our Vulnerability Scanning documentation module.

Containers Documentation

Armor Anywhere for Containers

Containers - Getting Started

Install and Manage

Containers FAQ

JavaScript errors detected

Please note, these errors can depend on your browser setup.

If this problem persists, please contact our support.