Prisma Cloud Compute : How to use Registry APIs to check the connectivity between Prisma Cloud Defender and the Registry for a successful scan?
Created On 11/10/23 04:48 AM - Last Modified 07/18/24 02:35 AM
Objective
- List Registry APIs to help check the connectivity between Prisma Cloud Defender and the Registry for a successful scan
Environment
- Prisma Cloud Compute
- SaaS
- Self-Hosted
- Registry
Procedure
The following curl commands can be run sequentially from the Defender host to check connectivity and permissions to the respective registries. You can also run them directly in the Defender container.
1. The repositories for a given registry can be retrieved with the following catalog request:
curl -s -k -u USERNAME:PASSWORD https://<REGISTRY_URL>/v2/_catalog
2. The tags for an image repository can be retrieved with the following request:
curl -s -k -u USERNAME:PASSWORD https://<REGISTRY_URL>/v2/<REPONAME>/tags/list
3. (optional) The image manifest can be fetched with the following request (refer to the Additional Information section for more details):
curl -s -k -u USERNAME:PASSWORD https://<REGISTRY_URL>/v2/<REPONAME>/manifests/TAGNAME
Note: Refer to the Additional Information section of this article for how to use different credentials and for more information on the APIs.
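The three checks above, chained so that the first failing step names the problem (no connection, rejected credentials, missing permission, or no v2 API at that path). This is an added example, not a Prisma Cloud tool; it assumes the hypothetical environment variables REGISTRY_URL, REG_USER and REG_PASS.

```shell
#!/bin/sh
# Added example: run the catalog -> tags -> manifest checks in order from the
# Defender host and stop at the first failure. Assumed (hypothetical) variables:
# REGISTRY_URL (host[:port]), REG_USER, REG_PASS.

# One request: body is written to $2, the HTTP status code is printed (000 = no connection).
registry_get() {
  # -k mirrors the article's commands: it skips TLS verification, so a 200 proves
  # reachability and credentials, not certificate trust. Swap in --cacert to test trust.
  curl -s -k -u "$REG_USER:$REG_PASS" -o "$2" -w '%{http_code}' "https://$REGISTRY_URL/v2/$1"
}

# Print the items of a JSON string array ("repositories" or "tags"), one per line,
# from a compact single-line body such as {"repositories":["repo1","repo2"]}.
json_list() {
  sed -n "s/.*\"$1\":\[\([^]]*\)\].*/\1/p" | tr ',' '\n' | tr -d '"'
}

# Map the status code to a verdict; returns 0 only for 200.
verdict() {
  case "$1" in
    200) echo "OK" ;;
    401) echo "FAIL: credentials rejected (401)"; return 1 ;;
    403) echo "FAIL: credentials lack pull permission (403)"; return 1 ;;
    404) echo "FAIL: not found (404): wrong repo/tag, or no v2 API at this path"; return 1 ;;
    000) echo "FAIL: no connection (000): check DNS, firewall, proxy, TLS"; return 1 ;;
    *)   echo "FAIL: unexpected HTTP status $1"; return 1 ;;
  esac
}

# Step through catalog -> tags of the first repo -> manifest of its first tag.
check_registry() {
  body=$(mktemp); trap 'rm -f "$body"' EXIT
  printf 'catalog:  '; verdict "$(registry_get _catalog "$body")" || return 1
  repo=$(json_list repositories <"$body" | head -n 1)
  [ -n "$repo" ] || { echo "FAIL: catalog is empty (check list permissions)"; return 1; }
  printf 'tags:     '; verdict "$(registry_get "$repo/tags/list" "$body")" || return 1
  tag=$(json_list tags <"$body" | head -n 1)
  [ -n "$tag" ] || { echo "FAIL: repository $repo has no tags"; return 1; }
  printf 'manifest: '; verdict "$(registry_get "$repo/manifests/$tag" "$body")" || return 1
}

# Only runs when the variables are set, so the functions can also be sourced on their own.
if [ -n "${REGISTRY_URL:-}" ]; then check_registry; fi
```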
For JFrog Artifactory, the APIs are:
1. Retrieves the reverse proxy configuration (Ref: JFrog Get Reverse Proxy Configuration)
curl -s -k -u USERNAME:PASSWORD https://<JFROG_REGISTRY_URL>/artifactory/api/system/configuration/webServer
2. Returns a list of minimal repository details for all repositories of type "docker" (Ref: JFrog Get Repositories)
curl -s -k -u USERNAME:PASSWORD https://<JFROG_REGISTRY_URL>/artifactory/api/repositories?packageType=docker
3. Lists all Docker repositories (the registry's _catalog) hosted in an Artifactory Docker repository (Ref: List JFrog Docker Repositories)
curl -s -k -u USERNAME:PASSWORD https://<JFROG_REGISTRY_URL>/artifactory/api/docker/{repo-key}/v2/_catalog
Here, "repo-key" is the repository key, the unique identifier of the repository.
4. Lists all tags of the specified Artifactory Docker repository (Ref: JFrog List Docker Tags)
curl -s -k -u USERNAME:PASSWORD https://<JFROG_REGISTRY_URL>/artifactory/api/docker/{repo-key}/v2/{image name}/tags/list
Note: Only Container Defenders and DaemonSet Defenders are supported for registry scanning.
Additional Information
This section gives more information on the APIs listed above, with example curl commands and responses.
1. Listing Repositories - /v2/_catalog
- This is the first API call the Defender makes to the registry: it fetches the repository names from the catalog API.
- The catalog for a given registry can be retrieved with the following request:
GET /v2/_catalog
Example:
curl -s -k -u USERNAME:PASSWORD https://<REGISTRY_URL>/v2/_catalog
curl -s -k -u USERNAME:PASSWORD https://DOCKERLOCALREG/v2/_catalog
{"repositories":["repo1","repo2","repo3"]}
where "repo1", "repo2" and "repo3" are the repositories
2. Listing Tags - /v2/<REPONAME>/tags/list
- The tags for an image repository can be retrieved with the following request:
GET /v2/<REPONAME>/tags/list
Example:
curl -s -k -u USERNAME:PASSWORD https://<REGISTRY_URL>/v2/<REPONAME>/tags/list
curl -s -k -u USERNAME:PASSWORD https://DOCKERLOCALREG/v2/repo1/tags/list
{"name":"repo1","tags":["tag4","tag1","tag6","tag2","tag5","tag3"]}
3. Pulling an Image Manifest - /v2/<name>/manifests/<reference>
- An “image” is a combination of a JSON manifest and individual layer files. The process of pulling an image centers around retrieving these two components.
- The first step in pulling an image is to retrieve the manifest. For reference, the relevant manifest fields for the registry are the following:
| Field | Description |
|---|---|
| name | The name of the image |
| tag | The tag for this version of the image |
| fsLayers | A list of layer descriptors (including digest) |
| signature | A JWS used to verify the manifest content |
- For more information about the manifest format, please see docker/docker#8093.
- When the manifest is in hand, the client must verify the signature to ensure the names and layers are valid. Once confirmed, the client then uses the digests to download the individual layers. Layers are stored as blobs in the V2 registry API, keyed by their digest.
- The image manifest can be fetched with the following url:
GET /v2/<name>/manifests/<reference>
The name and reference parameters identify the image and are required. The reference may be a tag or a digest.
Example:
curl -s -k -u USERNAME:PASSWORD https://<REGISTRY_URL>/v2/<REPONAME>/manifests/TAGNAME
curl -s -k -u USERNAME:PASSWORD https://DOCKERLOCALREG/v2/repo1/manifests/tag1
{
"schemaVersion": 1,
"name": "repo1",
"tag": "tag1",
"architecture": "amd64",
"fsLayers": [
{
"blobSum": "sha256:1fdf3151d2441cbd026b76f321eb327b7c2f2081fa3ffbaf8dda8ca68c0b8eaf"
},
{
"blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
},
{
"blobSum": "sha256:707e32e9fc569fee476af9e92ae3d1df8b8e6dca47f9cb31db9d2c922a6de952"
},
{
"blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
},
{
"blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
},
{
"blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
},
{
"blobSum": "sha256:a3ed95caeb02ffe68cdd9fd84406680ae93d633cb16422d00e8a7c22955b46d4"
}
],
"history": [
{
"v1Compatibility": "{\"architecture\":\"amd64\",\"config\":{\"Hostname\":\"\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"/bin/bash\"],\"Image\":\"sha256:3565a89d9e81a4cb4cb2b0d947c7c11227a3f358dc216d19fc54bfd77cd5b542\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{\"org.opencontainers.image.ref.name\":\"ubuntu\",\"org.opencontainers.image.version\":\"22.04\"}},\"container\":\"111c3ace78b1176802046f55b67c3090b64db2643d3b5276805afaffaf635772\",\"container_config\":{\"Hostname\":\"\",\"Domainname\":\"\",\"User\":\"\",\"AttachStdin\":false,\"AttachStdout\":false,\"AttachStderr\":false,\"Tty\":false,\"OpenStdin\":false,\"StdinOnce\":false,\"Env\":[\"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin\"],\"Cmd\":[\"/bin/sh\",\"-c\",\"touch imagerepo1tag1\"],\"Image\":\"sha256:3565a89d9e81a4cb4cb2b0d947c7c11227a3f358dc216d19fc54bfd77cd5b542\",\"Volumes\":null,\"WorkingDir\":\"\",\"Entrypoint\":null,\"OnBuild\":null,\"Labels\":{\"org.opencontainers.image.ref.name\":\"ubuntu\",\"org.opencontainers.image.version\":\"22.04\"}},\"created\":\"2023-10-11T07:24:17.335360064Z\",\"docker_version\":\"20.10.25\",\"id\":\"2c2b7932f6d94ae65eea8127299f198ea68b8f219ad0ce3dcfdbbb4843af422d\",\"os\":\"linux\",\"parent\":\"8ede441f057d5def11ed3574a2a29301818f5b2c359d88eaa17ea9a5603b1b00\"}"
},
{
"v1Compatibility": "{\"id\":\"8ede441f057d5def11ed3574a2a29301818f5b2c359d88eaa17ea9a5603b1b00\",\"parent\":\"eee69f448270758acb764275fd27e88011a8841a971a338bddfb448d3b6bc730\",\"created\":\"2023-09-25T10:17:08.017400804Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) CMD [\\\"/bin/bash\\\"]\"]},\"throwaway\":true}"
},
{
"v1Compatibility": "{\"id\":\"eee69f448270758acb764275fd27e88011a8841a971a338bddfb448d3b6bc730\",\"parent\":\"314371bc38ca2cbdc6e4f6c9ecf2a4de7aeaf31c6d71a45872671a5063fb1b5f\",\"created\":\"2023-09-25T10:17:07.772475208Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) ADD file:194c886b88876c1804cc5f80719669653c16a388b664147b7f22402105f533c4 in / \"]}}"
},
{
"v1Compatibility": "{\"id\":\"314371bc38ca2cbdc6e4f6c9ecf2a4de7aeaf31c6d71a45872671a5063fb1b5f\",\"parent\":\"b14a7346a5c3b89b4886c1d8576cbcbd73d2b85ae2e344e71602eec95c3f6682\",\"created\":\"2023-09-25T10:17:05.975064283Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) LABEL org.opencontainers.image.version=22.04\"]},\"throwaway\":true}"
},
{
"v1Compatibility": "{\"id\":\"b14a7346a5c3b89b4886c1d8576cbcbd73d2b85ae2e344e71602eec95c3f6682\",\"parent\":\"8e9880e2f2f433621c34c94d346eecaf8e8e500e3e55f52a6c322d2f747ae137\",\"created\":\"2023-09-25T10:17:05.920084198Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) LABEL org.opencontainers.image.ref.name=ubuntu\"]},\"throwaway\":true}"
},
{
"v1Compatibility": "{\"id\":\"8e9880e2f2f433621c34c94d346eecaf8e8e500e3e55f52a6c322d2f747ae137\",\"parent\":\"3690474eb5b4b26fdfbd89c6e159e8cc376ca76ef48032a30fa6aafd56337880\",\"created\":\"2023-09-25T10:17:05.868115844Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) ARG LAUNCHPAD_BUILD_ARCH\"]},\"throwaway\":true}"
},
{
"v1Compatibility": "{\"id\":\"3690474eb5b4b26fdfbd89c6e159e8cc376ca76ef48032a30fa6aafd56337880\",\"created\":\"2023-09-25T10:17:05.810142316Z\",\"container_config\":{\"Cmd\":[\"/bin/sh -c #(nop) ARG RELEASE\"]},\"throwaway\":true}"
}
],
"signatures": [
{
"header": {
"jwk": {
"crv": "P-256",
"kid": "WCMH:BI2I:OPPX:62TC:4367:S6IM:EZRB:VUOA:TUCR:JZOM:WHGW:4FAG",
"kty": "EC",
"x": "SI-EMvWatUvnCcQnEphlGhP04so043eWJ21qf1g2vBg",
"y": "dukL4m582aC63sDppPg2ERpgKSaNzGjJXdB3qfFrsec"
},
"alg": "ES256"
},
"signature": "1vU2z98KbymI8m8s66amAddtS0SSfPAr4wP4HszqUvQmriOiHklwjlNUTg0kT0_pCPOj6Xg5Nis5puS0Dta13Q",
"protected": "eyJmb3JtYXRMZW5ndGgiOjQ1NzUsImZvcm1hdFRhaWwiOiJDbjAiLCJ0aW1lIjoiMjAyMy0xMS0xMFQwNzo1NToyOVoifQ"
}
]
}
*In the above example, the repository name is "repo1" and the tag in that repository is "tag1".
Note: Use the REST APIs of the respective registry type to test.
How to use an Azure Service Principal as the username and password to test the above curl commands?
- Follow the Azure document on creating a service principal containing a password
- Use the App ID as the username and the password as the password
- Follow Azure Container Registry authentication with service principals to test the connectivity to the Azure ACR using Service Principal (using docker login)
Curl Command options
- You can also use any of the curl command options to get more details. Below are a few:
General options:
-H, --header <header>: Pass custom headers to the server, for example to pass a token instead of a username and password.
--url <URL>: Specify the URL.
-o, --output <file>: Write output to a file.
-O, --remote-name: Save output to a file with the same name as the remote file.
-L, --location: Follow redirects.
-u, --user <user:password>: Specify the user and password for basic authentication.
-s, --silent: Silent mode (suppress progress and error messages).
-k, --insecure: Skip verification of the server's TLS certificate. A check that only succeeds with -k points to a certificate trust problem rather than a connectivity or credential problem.
--cacert <file>: CA certificate to verify the peer against.
--cert <cert[:passwd]>: Client certificate file and password.
--key <key>: Private key file name.
-i, --include: Include the HTTP response headers in the output.
-w, --write-out <format>: Specify what to print after a completed transfer (for example the HTTP status code).
-v, --verbose: Make the operation more talkative.