Managing Container Connections

Feature availability notice

Rapid7 no longer offers Container Security for new InsightVM customers. This feature is available to eligible InsightVM users only. If interested in this feature, see our Cloud Risk Complete offering.

You can view and manage your current registry connections and create new connections from the Settings page for connections. You can also set up connections to your ticketing server to map each remediation status to a project status in your ticketing program.

Connection settings

To view your connection settings, click Manage Connections on the Repository Details page. On this page, you can view your current connections and add new ones: check the status of your ticketing and registry connections, and add additional supported registries. Registries let you push container images without installing or scaling additional infrastructure, which reduces download times and lets you distribute images faster. Although container hosts are a useful tool, they come with risks; InsightVM helps identify the vulnerabilities associated with container use.

Supported registries

The following registries are supported (each is described under "Adding Supported Registries" below):

  • Amazon ECR
  • Azure Container Registry
  • Docker Hub
  • Privately hosted Docker registries
  • Google Container Registry
  • Quay

If your registry is not listed, it can still be used if it is compatible with Docker Registry HTTP API V2.

Viewing connection settings

You can view and manage your current registry connections and create new connections from the Settings page for connections. To access the "Settings" page, click the Manage Connections button on the Repository Details page.

The Connections area displays all of your current connections and lets you add additional connections.

  • To view all of your connections in the connection status area, click All.
  • To view only your ticketing connections in the connection status area, click Ticketing.
  • To view a specific ticketing connection, click its name in the "Ticketing" area.
  • To view all of your registry connections in the connection status area, click Registries.
  • To view all of the connections for a specific registry, click its name in the "Registries" section.

Ticketing server connections

From the Settings page, you can also set up connections to your ticketing server to map each remediation status to a project status in your ticketing program.

Viewing the connection status

The connection status area lets you view, edit, and delete your current connections. This area contains the name of the connection, connection status, the type of connection, and repository credentials.

Connections can have one of the following statuses:

  • Connected: Based on this configuration, containers are synchronized to InsightVM based on your current scan schedule.
  • Error (Authorization failed): Your authorization credentials may not be valid. See Editing a registry connection for more information.
  • Not found: The specified registry is not found. See Adding a registry connection to add a connection.
  • SSL Handshake: Your SSL certificate may not be valid.
  • Unknown: This is an unidentified error. Please contact our support team for assistance.

Adding a repository configuration

You can add a repository configuration to a registry connection if you have limited access to specific repositories within a registry. This should only be used if you cannot access all of your available repositories with a single credential.

  1. From the "Settings" page, locate the registry connection you want to modify and click Edit.
  2. Click Repositories Connection Settings.
  3. Click New Configuration and complete the fields.
  4. Test the connection.
    • If the test is successful, a success notification appears. Click Save.
    • If the test fails, an error notification appears. Check your credentials or connectivity and try again. When the test is successful, click Save.

Avoiding password and key errors

When a user tests a container connection before saving it, passwords and keys are cleared. This will cause an error to display even when a test is successful. Re-paste passwords and keys back into the configuration before saving to avoid this error.

Adding a registry connection of the same type

You can add an additional registry of the same type if you want to restrict access to a specific repository and not sync all the available repos for the original account, and then add a repository connection. See Adding a Repository Connection for more information.

To add a registry connection of the same type:

  1. From the "Settings" page, locate the registry connection you want to add and click Add.
  2. On the Add Registry panel, click Select an existing registry connection and select a registry from the dropdown list.
  3. Click OK.

Editing a registry connection

You can edit an existing registry connection if you need to change the connection settings.

To edit a registry connection:

  1. From the "Settings" page, locate the registry connection you want to modify and click Edit.
  2. From the "Edit Registry" panel, click Registry Connection Settings.
  3. Edit the appropriate information.
  4. Test the connection before you save it. If the test is successful, a success notification appears. If the test fails, an error notification appears. Check your credentials or connectivity and try again.

Avoiding password and key errors

When a user tests a container connection before saving it, passwords and keys are cleared. This will cause an error to display even when a test is successful. Re-paste passwords and keys back into the configuration before saving to avoid this error.

  5. Click Save.


Deleting a registry connection

You can delete a connection at any time. You may want to delete a connection that has an error you cannot repair, or one that is no longer needed. If you delete a connection, you may have to assess the associated image and create a new connection if necessary.

To delete a connection:

  • From the Settings page, find the connection you want to remove and delete it. When the confirmation message appears, click Continue to delete it.

Modifying the registry connection fields

Use the following information for your specific registry to create or edit your registry connections.

Best Practice: Read-only credentials

As a best practice, we recommend connecting registries using credentials that are provisioned as read-only. This will ensure that credentialed users do not make any unintended or undesirable changes to a repository.

Adding Supported Registries

Amazon ECR

ECR registries are saved using the following URI format: <aws_account_id>.dkr.ecr.<region>.amazonaws.com. For example, 1234567890.dkr.ecr.us-east-1.amazonaws.com. InsightVM requires read-only access to ECR to list repositories, images, tags, and to pull images. Here are the required policy actions for accessing all repositories and images in the registry:

  • ecr:GetAuthorizationToken
  • ecr:BatchCheckLayerAvailability
  • ecr:GetDownloadUrlForLayer
  • ecr:DescribeRepositories
  • ecr:ListImages
  • ecr:DescribeImages
  • ecr:BatchGetImage

For more information on ECR IAM policies, see Amazon ECR IAM Policies and Roles.

If you use repository policies to control docker push/pull access, InsightVM still requires the following policy actions to be allowed in order to list repositories and images:

  • ecr:GetAuthorizationToken
  • ecr:DescribeRepositories
  • ecr:ListImages
  • ecr:DescribeImages

For more information on ECR repository policies, see Amazon ECR Repository Policies.
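To check an IAM policy document against the two action lists above before attaching it to the InsightVM user, here is an added example (my code, not Rapid7's or AWS's). The REQUIRED_* sets are exactly the actions listed in the text; the three policy documents are constructed samples, and the WRITE_ACTIONS set is a short list of real ECR push/delete actions that a read-only scanner credential should not carry. Wildcard matching follows IAM's case-insensitive `*`/`?` semantics; Deny statements and resource/condition scoping are ignored, so a pass here is a necessary, not sufficient, check.

```python
"""Check an IAM identity policy for the ECR actions InsightVM needs (added example)."""
import fnmatch
import json

# Actions needed to list repositories/images and pull layers (page's full list).
REQUIRED_FULL = {
    "ecr:GetAuthorizationToken",
    "ecr:BatchCheckLayerAvailability",
    "ecr:GetDownloadUrlForLayer",
    "ecr:DescribeRepositories",
    "ecr:ListImages",
    "ecr:DescribeImages",
    "ecr:BatchGetImage",
}

# Subset that must stay in the identity policy when pulls are governed by repository policies.
REQUIRED_WITH_REPO_POLICIES = {
    "ecr:GetAuthorizationToken",
    "ecr:DescribeRepositories",
    "ecr:ListImages",
    "ecr:DescribeImages",
}

# Real ECR actions that grant write access; a read-only scanner should not have them.
WRITE_ACTIONS = {
    "ecr:PutImage",
    "ecr:InitiateLayerUpload",
    "ecr:UploadLayerPart",
    "ecr:CompleteLayerUpload",
    "ecr:BatchDeleteImage",
    "ecr:DeleteRepository",
    "ecr:CreateRepository",
}


def allowed_actions(policy: dict) -> set:
    """Collect action patterns from Allow statements (Deny statements are ignored)."""
    patterns = set()
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be given as an object
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        patterns.update(actions)
    return patterns


def _granted(action: str, patterns: set) -> bool:
    # IAM action matching is case-insensitive and supports '*' and '?' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def check_policy(policy: dict, repo_policies: bool = False) -> dict:
    """Report required actions that are missing and write actions that are (over-)granted."""
    required = REQUIRED_WITH_REPO_POLICIES if repo_policies else REQUIRED_FULL
    patterns = allowed_actions(policy)
    missing = sorted(a for a in required if not _granted(a, patterns))
    write = sorted(a for a in WRITE_ACTIONS if _granted(a, patterns))
    return {"missing": missing, "write_granted": write, "ok": not missing and not write}


# Constructed sample: least-privilege identity policy for the scanner credential.
READ_ONLY_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Resource": "*",
                "Action": ["ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability",
                           "ecr:GetDownloadUrlForLayer", "ecr:DescribeRepositories",
                           "ecr:ListImages", "ecr:DescribeImages", "ecr:BatchGetImage"]}]}
""")

# Constructed sample: over-broad policy that also grants push and delete rights.
BROAD_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [{"Effect": "Allow", "Action": "ecr:*", "Resource": "*"}]}
""")

# Constructed sample: listing only; sufficient only if repository policies grant the pulls.
LIST_ONLY_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": {"Effect": "Allow", "Resource": "*",
               "Action": ["ecr:GetAuthorizationToken", "ecr:DescribeRepositories",
                          "ecr:ListImages", "ecr:DescribeImages"]}}
""")

if __name__ == "__main__":
    for name, pol in [("read-only", READ_ONLY_POLICY), ("broad", BROAD_POLICY), ("list-only", LIST_ONLY_POLICY)]:
        print(name, check_policy(pol), check_policy(pol, repo_policies=True))
```

Run it against the policy you intend to attach: an empty `missing` list with an empty `write_granted` list is the read-only outcome the best-practice note on this page asks for.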

To add an Amazon ECR registry connection:

  1. Enter a name and the account ID.
  2. Select the region from the drop-down.
  3. In the Global credential area, enter the Access Key and Secret Key.

Azure Container Registry

  1. Navigate to the Azure Active Directory. Click App registrations > New Registration.
  2. Enter the name InsightVM for the application.
  3. Under supported account types select Accounts in this organizational directory only (Default Directory only - Single tenant). Use https://insight.rapid7.com as the Redirect URL. Save the application ID.
  4. Click Add Scope. Fill out the form with the necessary information.
  5. Switch the state toggle to enabled. Click Add.
  6. Navigate to API permissions > Add a permission > My APIs. In My APIs, select your application and the API you exposed. In this example, the application is InsightVM.
  7. Select Delegated Permission. Click Add.
  8. Click New Client Secret. Select an expiration period. Fill out the description form. Click Add.
  9. Make note of the secret value in a secure location where it can be referenced later.

Lost Secret Values

If your secret value is lost you will need to generate a new secret value and repeat this process from the beginning.

  10. The InsightVM application requires the Reader and AcrPull roles in order to connect to the Azure container registry. To make these permission changes, navigate to the Azure Container Registry Dashboard and click Access Control (IAM) > Add. Select the Reader role. Search for and select the application name InsightVM that you previously saved.
  11. Repeat this process for the AcrPull role. Save the permission changes.
  12. Navigate to the Exposure Analytics Partner Connections page. Create a new Azure Registry. Fill in the required fields and click Save. The field Registry Name on Azure must match the name of the Azure Container Registry resource you wish to connect.

Docker Hub

To create your registry connection, you'll need to provide a name, and in the "Global Credential" area, you'll need to enter a username and password.

Privately Hosted Docker Registry

All registry connections use HTTPS and require a valid, trusted certificate. If you need to configure firewall rules that will allow traffic to your private registry see Configure communications with the Insight Platform.

To create your registry connection, you'll need to enter a name, host, and port.
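Before entering the host and port, it helps to confirm from a machine on your network that the private registry answers on HTTPS with a trusted certificate and actually speaks Docker Registry HTTP API V2. The following added example (my code, not Rapid7's) probes the V2 base endpoint `GET /v2/` with the system trust store and maps the outcome onto the status names from the connection status list on this page (Connected, Authorization failed, Not found, SSL Handshake, Unknown). That mapping is my approximation of how such a probe would be reported, not InsightVM's internal logic; the `opener` parameter is there only so the classification can be exercised offline.

```python
"""Probe a private registry's /v2/ endpoint and classify the result (added example)."""
import socket
import ssl
import urllib.error
import urllib.request

V2_HEADER = "Docker-Distribution-API-Version"   # a V2 registry answers "registry/2.0"


def registry_url(host: str, port: int = 443) -> str:
    # Connections are always HTTPS; /v2/ is the version-check path in the V2 API spec.
    return f"https://{host}:{port}/v2/"


def classify(outcome) -> str:
    """Map a urllib response or the exception it raised to a connection status name."""
    if isinstance(outcome, ssl.SSLError):
        return "SSL Handshake"              # untrusted or invalid certificate, TLS failure
    if isinstance(outcome, urllib.error.HTTPError):   # check before URLError (its subclass)
        if outcome.code in (401, 403):
            return "Authorization failed"   # registry reachable, credentials required/rejected
        if outcome.code == 404:
            return "Not found"              # host answers, but nothing serves /v2/ there
        return "Unknown"
    if isinstance(outcome, urllib.error.URLError):
        reason = outcome.reason
        if isinstance(reason, ssl.SSLError):
            return "SSL Handshake"
        if isinstance(reason, (socket.gaierror, ConnectionRefusedError, TimeoutError)):
            return "Not found"              # name does not resolve or nothing listening
        return "Unknown"
    if isinstance(outcome, Exception):
        return "Unknown"
    # A 2xx response: confirm it is a V2 registry and not some other HTTPS service.
    version = outcome.headers.get(V2_HEADER, "")
    return "Connected" if version.startswith("registry/2.0") else "Unknown"


def probe(host: str, port: int = 443, timeout: float = 10.0, opener=urllib.request.urlopen) -> str:
    """Open /v2/ with certificate and hostname verification on, then classify the outcome."""
    ctx = ssl.create_default_context()      # verifies the chain against the system trust store
    req = urllib.request.Request(registry_url(host, port), method="GET")
    try:
        with opener(req, timeout=timeout, context=ctx) as resp:
            return classify(resp)
    except Exception as exc:                # every failure mode becomes a status, never a crash
        return classify(exc)


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "registry.example.invalid"   # placeholder host
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 443
    print(host, port, "->", probe(host, port))
```

A result of "SSL Handshake" from this probe is the same condition the page's status list describes: fix the certificate chain on the registry (or distribute the issuing CA to the trust store) rather than disabling verification, since the connection from InsightVM will require a valid, trusted certificate as well.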

Google Container Registry

Before proceeding, confirm that you already have a Google Container Registry. You'll need to create a service account to connect the registry to InsightVM.

Create Your Google Registry Service Account

We recommend creating a new Service Account to connect to InsightVM to use our Containers Security feature.

  1. In Google Cloud Platform, open the project that hosts your container registry.
  2. Navigate to Container Registry.
    • Note the hostname(s) for your images. You will need to create a separate connection for each multi-region hostname used in your registry.
  3. Navigate to IAM & Admin > Service Accounts.
  4. Select + Create Service Account.
  5. Create a new service account in the project that hosts your container registry.
  6. Select Storage Object Viewer in the dropdown menu. Click Continue to confirm your selection.
  7. Click Done to save your new service account.
  8. Find the row with your new account.
  9. Click the 3 vertical dots at the end of the row (under Actions) to reveal a dropdown menu.
  10. Navigate to Manage Keys > Add Key.
  11. Select JSON under Key type.
  12. Click Create and download the JSON key document. You’ll be required to paste this key into InsightVM to connect to your Google Container Registry.

Optional: Verify Service Account Access

These optional steps will confirm that your new service account can access the storage bucket. If your new service account does not have permissions, you’ll have to manually add them.

  1. Navigate to Cloud Storage.
  2. Find the row that has the bucket(s) that contain your images.

Bucket naming conventions

The bucket containing your images is named artifacts.[PROJECT-ID].appspot.com, or [REGION].artifacts.[PROJECT-ID].appspot.com if you use regional registries.

  3. Click the 3 vertical dots at the end of the row to reveal a dropdown menu.
  4. Click Edit bucket permissions.
  5. Click Storage Object Viewer to display the accounts that can read the buckets. If your service account has access, you’ll see it listed. If you do not see your account, you’ll have to manually add it.

Optional: Manually Add Service Account Access

If you do not see your service account listed, you will need to manually add it. To do this, you’ll need to add the service account email as a member of the Storage Object Viewer role:

  1. Find the row that has the bucket(s) that contain your images.
  2. Click the 3 vertical dots at the end of the row to reveal a dropdown menu.
  3. Click Edit bucket permissions.
  4. Click the +Add members.
  5. Enter the service account email address in the New Members field.
  6. Select the role Storage Object Viewer in the dropdown menu.
  7. Click Save.
  8. Verify that the service account has been added by checking under Storage Object Viewer again.

Connect InsightVM to Your Google Container Registry

In InsightVM:

  1. Navigate to Cog icon > Connections tab > Google Container Registry > Add.
  2. Enter the Name, GCR Host (multi-region hostname), and Project ID that hosts your container registry.
  3. Copy and paste the entire contents of the downloaded JSON key document in the Key field.
  4. Click Save.
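The GCR procedure above has three details that are easy to get wrong: one connection is needed per multi-region hostname, the bucket to check permissions on follows the naming convention under "Bucket naming conventions", and the Key field must receive the whole service-account JSON document. The following added example (my code, not Rapid7's or Google's) turns those three rules into checks you can run before filling in the form. The host set (gcr.io, us.gcr.io, eu.gcr.io, asia.gcr.io) is Google's documented GCR hostnames; the image references and the key document are constructed samples, and the key's `private_key` is a placeholder string, not a real credential.

```python
"""Pre-flight checks for a Google Container Registry connection (added example)."""
import json
from collections import defaultdict

# gcr.io plus the three multi-region hosts Google documents for GCR.
GCR_HOSTS = {"gcr.io", "us.gcr.io", "eu.gcr.io", "asia.gcr.io"}


def registry_host(image_ref: str) -> str:
    """Return the registry hostname of an image reference such as us.gcr.io/proj/app:1.0."""
    if "/" not in image_ref:
        return "docker.io"                      # bare names like nginx:1.25 live on Docker Hub
    first = image_ref.split("/", 1)[0]
    # Docker's reference grammar treats the first component as a registry only if it
    # contains '.' or ':' or is literally "localhost".
    return first if ("." in first or ":" in first or first == "localhost") else "docker.io"


def connections_needed(image_refs) -> dict:
    """Group GCR image references by host: one InsightVM connection per host in the result."""
    by_host = defaultdict(list)
    for ref in image_refs:
        by_host[registry_host(ref)].append(ref)
    return {h: sorted(refs) for h, refs in by_host.items() if h in GCR_HOSTS}


def expected_bucket(project_id: str, host: str) -> str:
    """Storage bucket backing a GCR host, following the bucket naming convention on this page."""
    if host not in GCR_HOSTS:
        raise ValueError(f"{host} is not a Google Container Registry host")
    if host == "gcr.io":
        return f"artifacts.{project_id}.appspot.com"
    region = host.split(".", 1)[0]              # us / eu / asia
    return f"{region}.artifacts.{project_id}.appspot.com"


REQUIRED_KEY_FIELDS = ("type", "project_id", "private_key", "client_email")


def validate_key_document(key_json: str, project_id: str) -> list:
    """Return problems found in a pasted service-account key; an empty list means it looks usable."""
    problems = []
    try:
        key = json.loads(key_json)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]   # typical result of a partial paste into the Key field
    for field in REQUIRED_KEY_FIELDS:
        if not key.get(field):
            problems.append(f"missing field {field}")
    if key.get("type") not in (None, "service_account"):
        problems.append("type is not service_account")
    if key.get("project_id") and key["project_id"] != project_id:
        problems.append("key belongs to a different project than the one entered")
    if key.get("client_email") and not key["client_email"].endswith(".iam.gserviceaccount.com"):
        problems.append("client_email is not a service-account address")
    return problems


# Constructed sample key document; the private key is a placeholder, not real material.
SAMPLE_KEY = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "0000000000placeholder",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER-NOT-A-REAL-KEY\n-----END PRIVATE KEY-----\n",
    "client_email": "insightvm-scanner@example-project.iam.gserviceaccount.com",
})

# Constructed sample of images pulled from several GCR hosts plus one from Docker Hub.
SAMPLE_IMAGES = [
    "us.gcr.io/example-project/api:1.4",
    "gcr.io/example-project/web:2",
    "eu.gcr.io/example-project/api:1.4",
    "nginx:1.25",
    "us.gcr.io/example-project/worker:3",
]

if __name__ == "__main__":
    for host, refs in sorted(connections_needed(SAMPLE_IMAGES).items()):
        print(f"connection for {host}: check bucket {expected_bucket('example-project', host)}; images: {refs}")
    print("key problems:", validate_key_document(SAMPLE_KEY, "example-project"))
```

The `connections_needed` result tells you how many GCR connections to create and which bucket each service account must be able to read as a Storage Object Viewer; `validate_key_document` catches the two common Key-field mistakes, a truncated paste and a key generated in the wrong project, before the connection test runs.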

Quay

You must have a Quay Organization account with access to your container repositories for this configuration to work. User accounts will not work.

  1. Navigate to the "Applications" tab in your organization account.
  2. Click Create New Application and enter a name for the application.
  3. For Homepage URL, enter https://insight.rapid7.com as both the Homepage URL and the Redirect/Callback URL Prefix.
  4. Save your changes.
  5. Go to the "Generate Token" tab for your newly created application. Select View all visible repositories, click Generate Access Token, and save the generated token for reference.
  6. In InsightVM, enter a name for the registry. Then, enter the name of the Quay Organization under which you granted the access token.
  7. In the "Key" field, enter the generated token.
  8. Save your changes.

Snyk

Container Security assessments report Ruby vulnerabilities via an integration with the Snyk vulnerability database. Snyk’s platform is built to be easily used by developers to build software securely. Snyk enables you to find, prioritize, and fix vulnerabilities in your open source dependencies throughout your development process.

Find out if you have vulnerabilities that put you at risk.