Securing Containers in Google Cloud Artifact Registry with Qualys
Container software supply chain is an area of concern for security teams in large and small enterprises because developers often make use of container images from a variety of public repositories. A single insecure container image can be instantiated several times and lead to a wide, diffused attack surface. A comprehensive container security program involves a defense-in-depth approach with comprehensive security assessment and runtime defense across the build-ship-run container lifecycle. As part of this, a registry becomes an effective security control point for the container artifact software supply chain.
Google’s Cloud’s new Artifact Registry provides a convenient, fully managed service that allows customers to have a central repository for all their software artifacts. With the latest release of Qualys Container Security, Artifact Registry is a new supported container registry type. Customers can set up regular scans of container artifacts in Artifact Registry in line with their security policies. Google Artifact Registry is now generally available.
Image Scanning Workflow
Follow these steps to configure image scanning workflow in Google Artifact Registry with Qualys Container Security:
#1 Set up Registry for Scanning in Qualys Container Security
Artifact Registry is a new supported Registry type. Go to Assets > Registries > New Registry. Choose Artifact Registry from the Registry Type menu and then provide registry information and scan settings.
#2 Provide Registry Information
Provide details about the registry and the connector that will be used for authentication. In the URL field, enter the location where your registry is located (e.g. https://us-west2-docker.pkg.dev). In the registry field, enter the name of the Artifact Registry repository (e.g. docker-v2-repo). You’ll need to create a new connector for connecting to your Google Cloud Platform account. Click the Create New button to create a new connector. You’ll see step-by-step instructions on the screen. Once added, the connector Id and project Id will be auto filled in the Registry Information details.
#3 Configure Scan Settings
Provide scan settings for scanning images in your Google Artifact Registry repositories. These are the same scan settings as other registry types.
Once the scan job is setup, Qualys Container Security scans all images in the Google Artifact Registry as per the criteria in the scan job.
Customers can then leverage the security posture of these container images from Qualys (UI, API) for security workflows like container deployment decisions and maintaining registry hygiene.
Resources
- Qualys Partners with Google Cloud to Add Container Security Support for Google Cloud Artifact Registry
- About Container Security
- Container Security User Guide
Please contact your Qualys Technical Account Manager (TAM) to get access to a free trial of Qualys Container Security!