Prisma Cloud Compute: How to check registry scan times

• Investigate registry scan times
• Troubleshoot longer scan times or slow scans

• Prisma Cloud Compute Edition (Self-Hosted) v19.11 or later
• Prisma Cloud Enterprise Edition (SaaS)
• Registry configured for scanning 

1. Download the console debug logs from Manage>Logs>Console>Download debug logs
2. search for the expression "registry scan finished" ie. 

   cat twistlock_console.log | grep "registry scan finished"

3. The console log will contain the time each registry scan took. For example: 

   DEBU 2023-01-24T07:08:45.101 registry_scanner.go:834 Registry scan finished: took=4m58.250833431s stats={scan-started-at:2023-01-24 07:03:46.850431632 +0000 UTC m=+312894.254202825 scanned-specs:1/1 discovered-repositories:650 discovered-tags:1 scanned-images:1 updated-images:0}

4. You can also find when the registry scan started with "Registry scanner started".
5. After this Registry scan started line, you will see the console assign tag discovery requests to specific defenders. Example: 

   DEBU 2023-01-23T05:38:44.198 pubsub_defender.go:818 Publishing registry tag discovery request to defender ip-REDACTED.compute.internal: &{Tag:test/coal/spring-boot-test Spec:harbor-https:--REDACTED.com-*-* Type:2 ScanID:2 RequestDoneFn:<nil>}

6. You may download the related defender log and search for the registry repository to check how long each tag discovery takes. Example: 

   DEBU 2023-01-24T07:37:50.935 scanner.go:424 Repository test/coal/spring-boot-test tag discovery completed (total:484 time:45.37 completed: true, manifest unknown errors: <nil>)

7. Example command: 

   cat defender.log | grep "tag discovery completed"

8. After tag discovery, the console will assign defenders to scan images. You can also check the time it takes to scan a particular image in the defender log by searching for the image: 

   DEBU 2023-01-18T15:20:40.362 scanner.go:233 Scan for image tag:https://REDACTED.com/test/coal/spring-boot-test:release-REDACTED id:sha256:49b4a7989ac99c7cb548c494898bbc1eadb0e846093fe9048d6bed64ae02712c completed after 33.965084919 seconds

9. The image scan is split up into 2 pieces, the time taken to pull and time taken to scan: Example pull: 

   DEBU 2023-01-18T15:20:14.823 scanner.go:173 Pull image tag:https://REDACTED.com/test/coal/spring-boot-test:release-REDACTED id:sha256:49b4a7989ac99c7cb548c494898bbc1eadb0e846093fe9048d6bed64ae02712c completed after 8.426268656 seconds

10. example scanning time only:  

    DEBU 2023-01-18T15:20:40.361 scanner.go:222 Image REDACTED.com/test/coal/spring-boot-test:release-REDACTED sha256:49b4a7989ac99c7cb548c494898bbc1eadb0e846093fe9048d6bed64ae02712c [scanning] 25.53 [sec]

11. The pull time and scanning time adds up to the total time seen in step 8. 

For optimizing registry scans, we recommend following the Large scale registry guidelines.