
Set up container images

You can integrate container image scanning with Sophos Cloud Optix.

The way you set Sophos Cloud Optix up to scan container images for vulnerabilities depends on where they are stored.

You can set up containers in the following locations:

  • Amazon Elastic Container Registries (ECR).
  • Microsoft Azure Container Registries (ACR).
  • Docker Hub registries.
  • GitHub and Bitbucket accounts (IaC).
  • Images in your build pipeline.

You can delete or update registries in Container Images > Registries.

Each container image scanned by Sophos Cloud Optix is counted as a cloud asset for licensing.

If you delete a container image, the image and all related data are removed from Sophos Cloud Optix within a few hours.

Set up Amazon ECR or Microsoft ACR

Sophos Cloud Optix can use either admin credentials or a service principal for Microsoft ACRs. See Azure Container Registry authentication with service principals.

To add an Amazon ECR or Microsoft ACR, do as follows:

  1. Click Container Images > Setup.
  2. Go to Scan images from your container registries and click Add Registries.

    A list of registries that haven't been set up for image scanning appears.

  3. Click + to add a registry.

  4. In the dialog box that opens, enter your credentials and click Save.

    The registry is connected to Sophos Cloud Optix. Container images are fetched from the registry and queued for scanning.

You can check the status of your images on Container Images, under Scan Queue or Scanned Images.

Set up Docker Hub registries

To set up a Docker Hub registry, do as follows:

  1. Click Container Images > Setup.
  2. Go to Scan images from your container registries and click Add Registries. Container Images > Registries appears.
  3. Click Add Docker Hub Registry.
  4. Enter your registry details in Add new Docker Hub Registry and click Add.

    The registry is added, and a corresponding environment is created. You can then manage administrator access to it in Sophos Cloud Optix, using Environment Access Control.

    Container images are fetched from the registry and queued for scanning.

You can check the status of your images on Container Images, under Scan Queue or Scanned Images.

Set up GitHub and Bitbucket (IaC) registries

To set up a GitHub or Bitbucket registry, do as follows:

  1. Click Container Images > Setup.
  2. Go to Scan images from your IaC environments and click Enable IaC Environments.
  3. Click Enable container image scanning.
  4. Click Add new environment > IaC. Add your cloud environment appears.
  5. Click Integrate with GitHub or Integrate with Bitbucket and follow the instructions.

After integration, the next time you run a git push command, Sophos Cloud Optix scans the repository for Dockerfiles (files with the dockerfile extension) and Docker Compose YAML files and collects all the image names they reference. It then looks for these images in the registries you've added, including your Docker Hub registries, and submits them for scanning.

You can check the status of your images on Container Images, under Scan Queue or Scanned Images.

To find the git repo reference of an added image, click Container Images, click an image name, then click Git Repo References.

To find out how to add code repositories to Sophos Cloud Optix using GitHub, see Use GitHub.

To find out how to add code repositories using Bitbucket, see Use Bitbucket.
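The IaC scan described above collects image names from Dockerfiles and Docker Compose files after each push. The following script is an added example, not part of the Sophos Cloud Optix page or product: it reproduces that collection step locally so you can preview which images will be looked up in your registries before you push. It uses only the standard library; the Compose handling is a deliberately small line-based subset (top-level `image:` keys), not a full YAML parser, and both sample inputs are constructed.

```python
"""Preview which image references an IaC scan would collect from a repository.

Added example (not Sophos code). Mirrors the behaviour the page describes:
find Dockerfiles and Docker Compose YAML, collect the image names. The file
naming rules below (basename "Dockerfile" or a ".dockerfile" extension,
"*compose*.yml/.yaml") are this script's own assumptions.
"""
import os
import re

# FROM [--platform=...] <image> [AS <stage>]   (keywords are case-insensitive)
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(\S+)(?:\s+AS\s+(\S+))?", re.IGNORECASE
)
# ARG NAME=default, so that FROM ${NAME} can be resolved to a concrete reference
ARG_RE = re.compile(r"^\s*ARG\s+(\w+)=(\S+)")
# Compose:  image: "repo/name:tag"   (quotes and trailing comments tolerated)
IMAGE_RE = re.compile(r"^\s*image:\s*['\"]?([^'\"#\s]+)")


def _expand_args(ref, args):
    """Substitute $NAME / ${NAME} from ARG defaults; unknown names are left as-is."""
    return re.sub(r"\$\{?(\w+)\}?", lambda m: args.get(m.group(1), m.group(0)), ref)


def images_from_dockerfile(text):
    """Return base images in order of appearance, skipping stage aliases and scratch."""
    images, stages, args = [], set(), {}
    for line in text.splitlines():
        arg = ARG_RE.match(line)
        if arg:
            args[arg.group(1)] = arg.group(2)
            continue
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = _expand_args(m.group(1), args), m.group(2)
        # A FROM that names an earlier stage, or scratch, pulls nothing from a registry.
        if ref.lower() not in stages and ref != "scratch":
            images.append(ref)
        if alias:
            stages.add(alias.lower())   # stage names are case-insensitive
    return images


def images_from_compose(text):
    """Return image references declared with `image:` in a Compose file."""
    return [m.group(1) for m in map(IMAGE_RE.match, text.splitlines()) if m]


def is_dockerfile(path):
    name = os.path.basename(path)
    return name == "Dockerfile" or name.lower().endswith(".dockerfile")


def is_compose_file(path):
    name = os.path.basename(path).lower()
    return name.endswith((".yml", ".yaml")) and "compose" in name


def collect_images(files):
    """files: {relative_path: text}. Returns de-duplicated references in first-seen order."""
    seen = {}
    for path, text in files.items():
        if is_dockerfile(path):
            refs = images_from_dockerfile(text)
        elif is_compose_file(path):
            refs = images_from_compose(text)
        else:
            continue
        for ref in refs:
            seen.setdefault(ref, path)   # remember where each image was first seen
    return list(seen)


# Constructed sample inputs (not from any real repository).
SAMPLE_DOCKERFILE = """\
ARG BASE=python:3.12-slim
FROM ${BASE} AS deps
RUN pip install --no-cache-dir -r requirements.txt
FROM --platform=linux/amd64 golang:1.22 AS builder
WORKDIR /src
RUN go build -o app .
FROM gcr.io/distroless/static:nonroot
COPY --from=builder /src/app /app
FROM builder as tests
RUN go test ./...
"""

SAMPLE_COMPOSE = """\
services:
  web:
    image: "nginx:1.27"
    ports: ["80:80"]
  api:
    build: .
    image: ghcr.io/example/api:1.4.0   # built locally, then pushed
  cache:
    image: redis:7
"""

if __name__ == "__main__":
    repo = {"Dockerfile": SAMPLE_DOCKERFILE, "deploy/docker-compose.yml": SAMPLE_COMPOSE}
    for ref in collect_images(repo):
        print(ref)
```

Run it from the repository root with a dictionary built from the working tree (for example by walking `os.walk(".")` and reading each matching file) to get the list of images the scan will try to resolve; any reference that is not in a registry you have added will not be scanned.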

Set up integration with your build pipeline

To turn on API use for your pipeline, do as follows:

  1. Click Container Images > Setup.
  2. Go to Scan images in your build pipeline and click Enable APIs. Integrations > Cloud Optix API appears.
  3. Follow the instructions to use the Sophos Cloud Optix REST API with your pipeline.

The container image scanning APIs are as follows:

  • Submit an image for scanning: api/v1/image-scanning/submit-for-scan
  • Get the results of a scan: api/v1/image-scanning/get-scan-result

For more information on Sophos Cloud Optix REST API, see the APIs for Image Scanning section of Getting Started With Cloud Optix REST API.
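The build-pipeline integration above comes down to two calls: submit an image, then fetch the result and decide whether the build may continue. The script below is an added example, not Sophos code and not taken from the Cloud Optix API documentation. Only the two endpoint paths come from this page; the base URL, the API-key header, the request and response field names (image, scanId, status, vulnerabilityCounts) and the status value COMPLETED are assumed placeholders that you must replace with the names shown under Integrations > Cloud Optix API in your tenant. The HTTP call is injected so the submit, poll and gate flow can be run offline against constructed responses.

```python
"""Gate a CI build on a Sophos Cloud Optix container image scan.

Added example (not Sophos code). Only SUBMIT_PATH and RESULT_PATH are from the
page; header format, field names and status values are ASSUMPTIONS to align
with your tenant's Integrations > Cloud Optix API page.
"""
import json
import sys
import time
import urllib.request

SUBMIT_PATH = "api/v1/image-scanning/submit-for-scan"   # from the page
RESULT_PATH = "api/v1/image-scanning/get-scan-result"   # from the page


def urllib_post(url, headers, body):
    """Real transport: POST a JSON body and return the decoded JSON response."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={**headers, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.loads(resp.read())


class CannedTransport:
    """Offline stand-in for urllib_post: replays constructed responses in order."""
    def __init__(self, responses):
        self.responses = list(responses)
        self.calls = []          # (url, body) pairs, for inspection in tests

    def __call__(self, url, headers, body):
        self.calls.append((url, body))
        return self.responses.pop(0)


class ScanGate:
    def __init__(self, base_url, api_key, post=urllib_post, sleep=time.sleep):
        self.base_url = base_url.rstrip("/")
        self.headers = {"Authorization": f"ApiKey {api_key}"}   # header format ASSUMED
        self.post, self.sleep = post, sleep

    def _call(self, path, body):
        return self.post(f"{self.base_url}/{path}", self.headers, body)

    def submit(self, image_ref):
        """Queue one image; returns the scan id handed back (field name ASSUMED)."""
        return self._call(SUBMIT_PATH, {"image": image_ref})["scanId"]

    def wait_for_result(self, scan_id, timeout_s=900, interval_s=15):
        """Poll get-scan-result until the scan completes or the deadline passes."""
        deadline = time.monotonic() + timeout_s
        while True:
            result = self._call(RESULT_PATH, {"scanId": scan_id})
            if result.get("status") == "COMPLETED":        # status value ASSUMED
                return result
            if time.monotonic() >= deadline:
                raise TimeoutError(f"scan {scan_id} did not complete in {timeout_s}s")
            self.sleep(interval_s)


def evaluate(result, max_critical=0, max_high=0):
    """Apply the build policy to a completed result; returns a verdict dict."""
    counts = result.get("vulnerabilityCounts", {})            # response shape ASSUMED
    critical, high = counts.get("critical", 0), counts.get("high", 0)
    return {"passed": critical <= max_critical and high <= max_high,
            "critical": critical, "high": high}


def gate_image(gate, image_ref, **policy):
    """Submit, wait, and evaluate one image; the verdict carries the image name."""
    verdict = evaluate(gate.wait_for_result(gate.submit(image_ref)), **policy)
    verdict["image"] = image_ref
    return verdict


def demo():
    """Run the whole flow offline against constructed responses; returns the verdict."""
    transport = CannedTransport([
        {"scanId": "scan-123"},                                   # submit-for-scan
        {"status": "IN_PROGRESS"},                                # first poll
        {"status": "COMPLETED",
         "vulnerabilityCounts": {"critical": 1, "high": 3, "medium": 12}},
    ])
    gate = ScanGate("https://optix.example/", "API_KEY_PLACEHOLDER",
                    post=transport, sleep=lambda s: None)
    return gate_image(gate, "ghcr.io/example/api:1.4.0")


if __name__ == "__main__":
    verdict = demo()
    print(json.dumps(verdict))
    sys.exit(0 if verdict["passed"] else 1)   # non-zero exit fails the pipeline stage
```

In a real pipeline, construct ScanGate with your tenant's base URL and an API key held in the CI secret store, call gate_image for each image the build produced, and let the exit code fail the stage. Keep the policy thresholds explicit (as in the max_critical and max_high arguments) so an exception for a known, accepted finding is a visible change to the pipeline file rather than a silent one.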