Prisma Cloud Compute : How to Configure Alibaba Cloud Container Registry (ACR) For Image Scanning?

1. How to Set up Alibaba Cloud Container Registry (ACR) 
2. How to Push an Image in ACR using ‘Docker Push’
3. How to Configure ACR Registry in Prisma Cloud Compute for Successful Scan
4. Common Misconfigurations resulting in Scan Errors

• Prisma Cloud Compute (SaaS and Self-Hosted)
• Alibaba Cloud Container Registry (ACR) - Personal Edition

1. How to Set up Alibaba Cloud Container Registry (ACR)

• Login to Alibaba Cloud Console

• Access the Container Registry section

• For this Lab example, we enable Container Registry Personal Edition (It will ask you to allow Permission AliyunContainerRegistryReadOnly)

Note : You can select Enterprise Edition as per your business requirements

• Set Password under ‘Access Credential’ to login to your Container Registry instance (to be used for later purpose)

• Create a Namespace - Allows you to effectively manage a collection of repositories by uniquely identifying them

• By default, a Namespace of Repository Type ‘Private’ is created (can be changed to Public depending upon your business needs)

• Create a Repository selecting the Namespace created, Repository Type (Private in our case) with a Repository Name (Eg. alibaba-registry) 

• Select the Source of Code for the Repository (Eg. Local Repository selected in our case)

• Once done, Alibaba Cloud will create a unique Endpoint URL for your Registry : Registry URL / Namespace / Repo-name 
• As shown under Details Tab, Copy the Docker Commands (to be used later)!

12  |  © 2023 Palo

• Currently, we have no Image Tags in our ACR

13  | . All rights reserved.

2. How to Push an Image in ACR using ‘Docker Push’

• Login to Alibaba Cloud Docker Registry using the Credential created earlier 

• Tag an Image (to be pushed) with the Registry URL using any existing Image ID (Run ‘docker images’ to get the Image ID)

• Confirm tagging with ‘Docker images’ command

• Push the Image to ACR using ‘Docker Push’ command

• You can confirm whether the Image has been pushed successfully by checking under Tags section of Container Registry

3. How to Configure ACR Registry in Prisma Cloud Compute for Successful Scan

• Configure the same Alibaba Cloud Credential in Prisma Cloud Console under Compute > Manage > Authentication > Credentials store 

(Note : Type ‘Basic authentication’ selected)

• Go to Compute > Defend > Vulnerabilities > Images > Registry Settings > Add Registry
• Registry URL : https://registry-intl.<region>.aliyuncs.com
• Repository : Namespace/Repo-name Eg. paloalto/alibaba-registry
• Credential : Select the Credential created in Credential Store

• Scanner Scope : Select a Defender Scanner that will scan the Registry

• Once all mandatory (and optional) fields are filled Click on Add and Scan
• You should see the following message ‘Registry settings updated successfully’

• Click on ‘Scanning’ label on the top right corner to view the progress of your Scan

• Successful Scan Result can be viewed under : Compute > Monitor > Vulnerabilities > Images > Registries

• Registry Details includes Registry URL and Scanner (Defender) that scanned the Registry

• Scan details can be viewed in Console and Defender Logs 

Common Misconfigurations resulting in Scan Errors

• Registry URL configured as : Registry-FQDN / Namespace / Repository-name (should be Registry-FQDN)

• This configuration results in ‘Failed to retrieve repositories…404 Not Found’ Error

• Repository configured as:  Repository_Name (should be Namespace/Repository_Name)

• This configuration results in ‘Failed to retrieve repositories..401 Unauthorized’ Error

References

1. Alibaba Cloud Container Registry (ACR)
2. Prisma Cloud Compute : Scan images in Alibaba Cloud Container Registry