New Features
Sign up for free

Submit a Support ticket Sign in to Support Sign up for free

 

Integrate self-hosted container registries

  1. Docs Library | Snyk
  2. Snyk Container
  3. Integrate self-hosted container registries

Snyk integration to self-hosted container registries

Feature availability
This feature is currently in beta and is available with Enterprise plans. See Pricing plans for more details.

Snyk can integrate to private container registries you host (currently in open beta), and help you to better secure container images in those registries. 

To enable and configure your hosted container registry, contact our support team at support@snyk.io

Introduction

Integration with private container registries allows you to:

  • Keep sensitive data such as your access tokens inside your private network, never sharing that information with Snyk.
  • Provide controlled access to the network by Snyk, limiting Snyk access and the actions that Snyk can perform.

Self-hosted container registries solution components

  • Broker server: running on Snyk SaaS backend
  • Broker client & Container Registry Agent: Two Docker images deployed in your infrastructure, creating two separate services, responsible for sampling your container registries in a secured manner and sending the allowed information to Snyk.

The Broker client provides the Agent with the connection details. The Agent uses these details to connect to the container registry, scan the images, and send the scan results through the brokered communication using callbacks. The brokered communication happens when a Broker Client connects (using your Broker ID) to a Broker server which runs in Snyk environment. See Snyk Broker documentation for more details.  

mceclip0.png

Supported Container registries

  • Artifactory (type: ArtifactoryCR)
  • Harbor (type: HarborCR)
  • Azure (type: AzureCR)
  • GCR (type: GoogleCR)
  • Docker Hub (type: DockerHub)
  • Quay (type: QuayCR)
  • Nexus (type: nexus-cr)
  • GitHub (type: github-cr)
  • DigitalOcean (type: digitalocean-cr)
  • GitLab (type: gitlab-cr)

Note

The integration pattern using broker with open source container registries from the above list is designed for users who require images to be scanned in their own environment, instead of inside the Snyk service.

If such a requirement is not relevant for you, you do not need the architecture described in this article, and can integrate to it in the standard way from the integrations page.

Settings prerequisites

    • Broker Client machine system requirements: 1 CPU, 256MB of Ram.
    • Container registry agent machine system requirements should be (given MAX_ACTIVE_OPERATIONS=1):
      • CPU: 1 vcpu
      • Memory: 2Gb (should be reflected in node memory setting)
      • Storage: 5Gb
    • Docker configured to pull components images from Docker Hub
    • Connection between broker and agent
    • Agent image can be found for download here
    • Broker Client image can be found for download here

Set up the remote connection

To use the Broker client with a container registry agent deployment, run
`docker pull snyk/broker:container-registry-agent`. 

The following environment variables are mandatory to configure the Broker client:

  • `BROKER_TOKEN` - The Snyk Broker token, obtained from your Container registry integration (provided by Snyk support)
  • `BROKER_CLIENT_URL` - The URL of your broker client (including scheme and - port) used by the container registry agent to call back to Snyk, for example: "http://my.broker.client:8000".
  • `CR_AGENT_URL` - The URL of your container registry agent, for example "http://my.container-registry-agent".
  • `CR_TYPE` - The container registry type as listed in supporter registries, for example "DockerHub", "GoogleCR", "ArtifactoryCR".
  • `CR_BASE` - The hostname of the container registry api to connect to, for example: "cr.host.com".
  • `CR_USERNAME` - The username for authenticating to container registry api. Not used for DigitalOcean container registry.
  • `CR_PASSWORD` - The password for authenticating to container registry api. Not used for DigitalOcean container registry.
  • `CR_TOKEN` - Authentication token for DigitalOcean container registry.
  • `PORT` - The local port at which the Broker client accepts connections. Default is 7341.

Note for Artifactory users

In case you are using Repository path as your Docker access method, the container registry hostname in CR_BASE variable should be set in this structure: <subdomain.example.com>/artifactory/api/docker/<artifactory-repository-key>

 

To run the docker container, provide the relevant configuration:

docker run --restart=always \
       -p 8000:8000 \
       -e BROKER_TOKEN="<secret-broker-token>" \
       -e BROKER_CLIENT_URL="<broker-client-url>" \
       -e CR_AGENT_URL="<agent-url>" \
       -e CR_TYPE="<cr-type>" \
       -e CR_BASE="<cr-hostname>" \
       -e CR_USERNAME="<username>" \
       -e CR_PASSWORD="<password>" \
       -e PORT=8000 \
       snyk/broker:container-registry-agent

The container registry agent can be pulled from Docker Hub using the link provided above in the settings prerequisites. To run the image you can use a single env variable for specifying the port:

docker run --restart=always \
       -p 8081:8081 \
       -e SNYK_PORT=8081 \
       snyk/container-registry-agent:latest

Configuring and using system check:

You can use the `/systemcheck` endpoint to verify connectivity between the Broker Client and the Container Registry Agent.

In order to use it, specify the following environment variable when running the broker client:
BROKER_CLIENT_VALIDATION_URL = "<agent-url>/healthcheck"

Note

The /systemcheck endpoint is not mandatory for the brokered integration to function. More information can be found here: https://github.com/snyk/broker#systemcheck

Secure your images:

You can now start scanning your container images directly from your private registry. See scanning images from container registry (Artifactory example) for more details.