This feature is available with Enterprise and Pro plans. See Pricing plans for more details.
Snyk can integrate with private container registries you host (currently in open beta), helping you secure the container images stored in those registries.
To enable and configure your hosted container registry, contact our support team at support@snyk.io
Introduction
Integration with private container registries allows you to:
- Keep sensitive data such as your access tokens inside your private network, never sharing that information with Snyk.
- Provide controlled access to the network by Snyk, limiting Snyk access and the actions that Snyk can perform.
Self-hosted container registries solution components
- Broker server: running on Snyk SaaS backend
- Broker client & Container Registry Agent: two Docker images deployed in your infrastructure, running as two separate services, responsible for scanning your container registries in a secure manner and sending only the allowed information to Snyk.
The Broker client provides the Agent with the connection details. The Agent uses these details to connect to the container registry, scan the images, and send the scan results back through the brokered communication using callbacks. The brokered communication is established when a Broker client connects (using your Broker token) to a Broker server running in the Snyk environment. See the Snyk Broker documentation for more details.
Supported Container registries
- Artifactory (type: ArtifactoryCR)
- Harbor (type: HarborCR)
- Azure (type: AzureCR)
- GCR (type: GoogleCR)
- Docker Hub (type: DockerHub)
- Quay (type: QuayCR)
Settings prerequisites
- Broker client machine system requirements: 1 CPU, 256 MB of RAM.
- Container registry agent machine system requirements (given MAX_ACTIVE_OPERATIONS=1):
  - CPU: 1 vCPU
  - Memory: 2 GB (should be reflected in the node memory setting)
  - Storage: 5 GB
- Docker configured to pull the component images from Docker Hub
- Network connection between the Broker client and the agent
- Agent image: `snyk/container-registry-agent`, pulled from Docker Hub
- Broker client image: `snyk/broker:container-registry-agent`, pulled from Docker Hub
Set up the remote connection
To use the Broker client with a container registry agent deployment, run
`docker pull snyk/broker:container-registry-agent`.
The following environment variables are mandatory to configure the Broker client:
- `BROKER_TOKEN` - The Snyk Broker token, obtained from your container registry integration (provided by Snyk support).
- `BROKER_CLIENT_URL` - The URL of your Broker client (including scheme and port), used by the container registry agent to call back to Snyk.
- `CR_AGENT_URL` - The URL of your container registry agent, for example `http://my.container.registry.agent`.
- `CR_CREDENTIALS` - Base64-encoded credentials JSON used by the agent to access the container registry. The decoded JSON must have the form `{"username":"<username>","password":"<password>","type":"<your-container-registry>","registryBase":"<hostname of the CR>"}`, where `type` is one of the registry types listed above.
- `PORT` - The local port on which the Broker client accepts connections. Default is 7341.
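The `CR_CREDENTIALS` value is the one setting that is easy to get subtly wrong: the JSON must carry exactly the four keys above, and the base64 output must not be line-wrapped (GNU `base64` wraps at 76 characters by default, which silently corrupts the variable). The following POSIX shell helper, an added example that is not Snyk's own tooling, builds the value from its parts and checks that a given value decodes to the documented shape with a registry type this page lists. All registry names and passwords in it are constructed placeholders; it uses only `printf`, `base64`, `tr` and `grep`, so it does not require `jq`.

```shell
#!/bin/sh
# Added example (not part of the Snyk Broker or agent images): build and
# validate the CR_CREDENTIALS environment variable the Broker client expects.

# Encode username/password/type/registryBase as the JSON object documented
# above, then base64 it and strip newlines so the value is a single line.
# Caveat: values containing a double quote or backslash are not escaped here.
make_cr_credentials() {
  user="$1"; pass="$2"; type="$3"; base="$4"
  printf '{"username":"%s","password":"%s","type":"%s","registryBase":"%s"}' \
    "$user" "$pass" "$type" "$base" | base64 | tr -d '\n'
}

# Decode a CR_CREDENTIALS value and verify that all four keys are present
# and that "type" is one of the registry types this page lists.
check_cr_credentials() {
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || return 1
  for key in username password type registryBase; do
    printf '%s' "$decoded" | grep -q "\"$key\":" || return 1
  done
  case "$decoded" in
    *'"type":"ArtifactoryCR"'*|*'"type":"HarborCR"'*|*'"type":"AzureCR"'*|\
    *'"type":"GoogleCR"'*|*'"type":"DockerHub"'*|*'"type":"QuayCR"'*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage (hypothetical paths and names): read the password from a file rather
# than typing it on the command line, so it does not land in shell history.
#   CR_CREDENTIALS=$(make_cr_credentials robot-user "$(cat /run/secrets/cr-pass)" \
#                    HarborCR harbor.example.internal)
#   check_cr_credentials "$CR_CREDENTIALS" || echo "malformed CR_CREDENTIALS"
```

Run the check once before starting the Broker client: a value that fails it will make the agent's registry login fail in a way that is hard to distinguish from a wrong password.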
To run the Docker container, provide the relevant configuration:
```shell
docker run --restart=always \
  -p 8000:8000 \
  -e BROKER_TOKEN=secret-broker-token \
  -e BROKER_CLIENT_URL=http://my.broker.client:8000 \
  -e CR_AGENT_URL=agent-url \
  -e CR_CREDENTIALS=base64-encoded-credentials-json \
  -e PORT=8000 \
  snyk/broker:container-registry-agent
```
The container registry agent is also pulled from Docker Hub (`snyk/container-registry-agent`). To run the image, a single environment variable specifying the port is enough:
```shell
docker run --restart=always \
  -p 8081:8081 \
  -e SNYK_PORT=8081 \
  snyk/container-registry-agent:latest
```
Secure your images
You can now start scanning your container images directly from your private registry. See scanning images from container registry (Artifactory example) for more details.