Set up container images

You can integrate container image scanning with Sophos Cloud Optix.

The way you set Sophos Cloud Optix up to scan container images for vulnerabilities depends on where they are stored.

  • Amazon Elastic Container Registries (ECR) and Microsoft Azure Container Registries (ACR).

    You first need to add the AWS or Azure environment for the registries to Sophos Cloud Optix. The registries then appear in the list in Container Images, and you choose which registries to set up for scanning.

  • Docker Hub registries.

    Use the Add Docker Hub Registry assistant.

  • GitHub and Bitbucket accounts (IaC).

    You first need to add your Bitbucket or GitHub environments to Sophos Cloud Optix, then turn on container image scanning for IaC environments. Images identified in Dockerfile and Docker Compose files in those environments are submitted for scanning when you run a git push command.

  • Images in your build pipeline.

    Use the Sophos Cloud Optix REST API to scan images and collect the results.

You can delete or update registries in Container Images > Registries.

Each container image scanned by Sophos Cloud Optix is counted as a cloud asset for licensing.

If you delete a container image, the image and all related data are removed from Sophos Cloud Optix within a few hours.

Set up Amazon ECR or Microsoft ACR

To add an Amazon ECR or Microsoft ACR, do as follows:
  1. Go to DISCOVER and click Container Images > Setup.
  2. Go to Scan images from your container registries and click Add Registries.
    A list of registries that haven't been set up for image scanning appears.
  3. Click + to add a registry.
  4. In the dialog box that opens, enter your credentials and click Save. Sophos Cloud Optix can use either admin credentials or a service principal for Microsoft ACRs. See Azure Container Registry authentication with service principals.
    The registry is connected to Sophos Cloud Optix. Container images are fetched from the registry and queued for scanning.

You can check the status of your images on Container Images, under Scan Queue or Scanned Images.

Set up Docker Hub registries

To set up a Docker Hub registry, do as follows:
  1. Go to DISCOVER and click Container Images > Setup.
  2. Go to Scan images from your container registries and click Add Registries.
    Container Images > Registries appears.
  3. Click Add Docker Hub Registry.
  4. Enter your registry details in Add new Docker Hub Registry and click Add.
    The registry is added, and a corresponding environment is created. This is so that you can manage administrator access to it in Sophos Cloud Optix, using Environment Access Control.

Container images are fetched from the registry and queued for scanning.

You can check the status of your images on Container Images, under Scan Queue or Scanned Images.

Set up GitHub and Bitbucket (IaC) registries

To set up a GitHub or Bitbucket registry, do as follows:

  1. Go to DISCOVER and click Container Images > Setup.
  2. Go to Scan images from your IaC environments and click Enable IaC Environments.
    Settings > IaC Environments appears.
  3. Click Enable container image scanning.
  4. Click Add new environment > IaC.
    Add your cloud environment appears.
  5. Click Integrate with GitHub or Integrate with Bitbucket and follow the instructions.
    After integration, the next time you run a git push command, Sophos Cloud Optix scans for Dockerfiles (files with the dockerfile extension) and Docker Compose YAML files, and collects all the image names. Sophos Cloud Optix looks for these images in the registries you've added, and your Docker Hub registries, and submits them for scanning.

You can check the status of your images on Container Images, under Scan Queue or Scanned Images.

To find the git repo reference of an added image, click Container Images, click an image name, then click Git Repo References.

Set up integration with your build pipeline

You can use the Sophos Cloud Optix API to integrate scanning with your pipeline. You use one API to run a container image scan, and another to get the result.

To turn on API use for your pipeline, do as follows:

  1. Go to DISCOVER and click Container Images > Setup.
  2. Go to Scan images in your build pipeline and click Enable APIs.
    Integrations > Cloud Optix API appears.
  3. Follow the instructions to use the Sophos Cloud Optix REST API with your pipeline.

The container image scanning APIs are as follows:

  • Submit an image for scanning: api/v1/image-scanning/submit-for-scan
  • Get the results of a scan: api/v1/image-scanning/get-scan-result

For more details, see Getting Started With Cloud Optix REST API.
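The submit-then-poll flow described above, written as a pipeline gate script. This is an added example, not code from Sophos or from the Cloud Optix documentation: only the two endpoint paths come from the page; the base URL, the bearer-token header, the request payload keys, the `scanId`/`status`/`vulnerabilities` response fields and the status values are assumptions you must replace with the schema from Getting Started With Cloud Optix REST API.

```python
import json
import os
import sys
import time
import urllib.request

# Endpoint paths are from the page. Everything else about the wire format
# (base URL, auth header, field names, status values) is an ASSUMPTION.
BASE_URL = "https://OPTIX-HOST-PLACEHOLDER"
SUBMIT_PATH = "api/v1/image-scanning/submit-for-scan"
RESULT_PATH = "api/v1/image-scanning/get-scan-result"


def http_post_json(url, body, token):
    """Default transport: POST a JSON body and parse the JSON reply."""
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {token}"})  # header name assumed
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def gate_image(image, token, transport=http_post_json, max_polls=30,
               delay=10, sleep=time.sleep, fail_on=("CRITICAL", "HIGH")):
    """Submit one image, poll for the result, and decide whether the build
    may proceed. Returns (passed, counts_by_severity)."""
    submitted = transport(f"{BASE_URL}/{SUBMIT_PATH}", {"image": image}, token)
    scan_id = submitted["scanId"]  # assumed field name
    for _ in range(max_polls):
        result = transport(f"{BASE_URL}/{RESULT_PATH}", {"scanId": scan_id}, token)
        if result.get("status") == "COMPLETED":  # assumed status value
            counts = {}
            for vuln in result.get("vulnerabilities", []):  # assumed field
                sev = str(vuln.get("severity", "UNKNOWN")).upper()
                counts[sev] = counts.get(sev, 0) + 1
            blocking = sum(counts.get(sev, 0) for sev in fail_on)
            return blocking == 0, counts
        sleep(delay)  # scan still queued; wait before polling again
    raise TimeoutError(f"scan {scan_id} did not complete in time")


if __name__ == "__main__":
    # Usage: python gate.py registry/repo:tag   (token read from OPTIX_API_TOKEN)
    ok, by_severity = gate_image(sys.argv[1], os.environ["OPTIX_API_TOKEN"])
    print(json.dumps(by_severity, indent=2))
    sys.exit(0 if ok else 1)  # non-zero exit fails the pipeline stage
```

The gate fails the stage only for the severities listed in `fail_on`, so a team can start by blocking on CRITICAL alone and tighten later; a scan that never completes raises rather than silently passing.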