Set up container images
Find out how to integrate container image scanning with Sophos Cloud Optix.
The way you set Sophos Cloud Optix up to scan container images for vulnerabilities depends on where they are stored.
- Amazon Elastic Container Registries (ECR) and Microsoft Azure Container Registries (ACR).
You first need to add the AWS or Azure environment for the registries to Sophos Cloud Optix. The registries then appear in the list in Container Images, and you choose which registries to set up for scanning.
- Docker Hub registries.
Use the Add Docker Hub Registry assistant.
- GitHub and Bitbucket accounts (IaC).
You first need to add your Bitbucket or GitHub environments to Sophos Cloud Optix, then turn on container image scanning for IaC environments. Images identified in Dockerfile and Docker Compose files in those environments are submitted for scanning when you run a git push command.
- Images in your build pipeline.
Use the Sophos Cloud Optix REST API to scan images and collect the results.
You can delete or update registries in .
Each container image scanned by Sophos Cloud Optix is counted as a cloud asset for licensing.
If you delete a container image, the image and all related data are removed from Sophos Cloud Optix within a few hours.
Set up Amazon ECR or Microsoft ACR
You can check the status of your images on Container Images, under Scan Queue or Scanned Images.
Set up Docker Hub registries
Container images are fetched from the registry and queued for scanning.
You can check the status of your images on Container Images, under Scan Queue or Scanned Images.
Set up GitHub and Bitbucket (IaC) registries
To set up a GitHub or Bitbucket registry, do as follows:
You can check the status of your images on Container Images, under Scan Queue or Scanned Images.
To find the git repo reference of an added image, click Container Images, click an image name, then click Git Repo References.
Set up integration with your build pipeline
You can use the Sophos Cloud Optix API to integrate scanning with your pipeline. You use one API to run a container image scan, and another to get the result.
To turn on API use for your pipeline, do as follows:
- Go to DISCOVER and click .
- Go to Scan images in your build pipeline and click Enable APIs.
- appears.
- Follow the instructions to use the Sophos Cloud Optix REST API with your pipeline.
The container image scanning APIs are as follows:
- Submit an image for scanning: api/v1/image-scanning/submit-for-scan
- Get the results of a scan: api/v1/image-scanning/get-scan-result
For more details, see Getting Started With Cloud Optix REST API.
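A pipeline gate built on the two endpoints above, as an added example rather than Sophos code: it submits an image, polls for the result, and fails closed on errors, timeouts and unknown statuses. Only the two endpoint paths come from this page; the `call_api` transport, the JSON field names (`image`, `scanId`, `status`, `vulnerabilities`, `severity`) and the status and severity values are assumptions to replace with the schema in the REST API guide.

```python
import time

SUBMIT_PATH = "api/v1/image-scanning/submit-for-scan"   # path from this page
RESULT_PATH = "api/v1/image-scanning/get-scan-result"   # path from this page
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}  # assumed labels


def gate_image(call_api, image, fail_at="HIGH", timeout_s=600, poll_s=15,
               sleep=time.sleep, clock=time.monotonic):
    """Submit `image`, poll for the result, return (allowed, reason).

    call_api(path, payload) -> dict is supplied by the caller and wraps the
    authenticated HTTPS request. Every JSON field name and status value used
    here is an assumed placeholder, not the documented Cloud Optix schema.
    Fails closed: errors, timeouts and unknown statuses block the build.
    """
    try:
        scan_id = call_api(SUBMIT_PATH, {"image": image})["scanId"]
    except Exception as exc:
        return False, f"submit failed: {exc}"
    deadline = clock() + timeout_s
    while clock() < deadline:
        try:
            result = call_api(RESULT_PATH, {"scanId": scan_id})
        except Exception as exc:
            return False, f"result lookup failed: {exc}"
        status = result.get("status")
        if status == "COMPLETED":
            return _evaluate(result.get("vulnerabilities", []), fail_at)
        if status not in ("QUEUED", "IN_PROGRESS"):
            return False, f"unexpected scan status: {status!r}"
        sleep(poll_s)
    return False, "timed out waiting for scan result"


def _evaluate(vulns, fail_at):
    threshold = SEVERITY_RANK[fail_at]
    # Unknown severity labels rank above CRITICAL so they block, not pass.
    blocking = [v for v in vulns
                if SEVERITY_RANK.get(str(v.get("severity", "")).upper(), 99) >= threshold]
    if blocking:
        return False, f"{len(blocking)} finding(s) at or above {fail_at}"
    return True, "no findings at or above threshold"
```

In a pipeline step, exit non-zero whenever `allowed` is false so that a scan that never completes cannot let an unscanned image through.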