IBM Cloud Global

 View Only

Scanning images in IBM Container Registry with IBM Security and Compliance Center Workload Protection

By Victor Guerrero posted Tue November 07, 2023 08:01 AM


In the fast-paced world of containerization and cloud-native technologies, containers have emerged as a cornerstone for building, packaging, and distributing applications. However, ensuring the security of these containers is paramount to protect your infrastructure and sensitive data. One essential practice in this realm is scanning container images stored in registries. 

Workload Protection is a comprehensive Cloud Workload Protection Platform (CWPP) integrating multi-cloud compliance, security posture management (CSPM), threat detection, and vulnerability scanning into a single solution. This powerful Swiss knife allows customers to gain a consolidated perspective on risks within their infrastructure, covering various environments such as containers, Kubernetes, and virtual or physical hosts across popular cloud platforms like IBM Cloud, Amazon Web Services, Google Cloud, and Microsoft Azure. Additionally, the service offers pre-configured rules for validating container and cloud compliance, ensuring a seamless and secure operational environment.

Integrating the container registry adds a layer of defense between pipeline and runtime and enhances defense depth. In this article, we'll delve into the importance of scanning container images and how IBM Cloud Security and Compliance Center Workload Protection can be a game-changer in bolstering your container security posture.

Why Scan Images in the Registry?

Identifying Vulnerabilities

Container images often include various components and dependencies. Vulnerabilities in these components can be exploited by malicious actors. By scanning images periodically, you can identify security vulnerabilities, enabling you to patch or update vulnerable components promptly.

Compliance and Governance

In regulated industries, compliance requirements mandate through security checks. Scanning container images helps organizations adhere to industry standards and regulatory frameworks, ensuring that the deployed applications meet security and compliance criteria.

Prevention of Supply Chain Attacks

Attackers may compromise the software supply chain by injecting malicious code into container images. Regular image scanning helps in detecting any unauthorized or malicious changes, mitigating the risk of supply chain attacks.

Workload protection and IBM Container Registry(ICR)

IBM ICR provides a container image registry that allows you to store container images for all types of orchestration platforms including Kubernetes, Docker, and Red Hat OpenShift. ICR handles private Docker container images as well as related content formats. 

IBM Cloud Security and Compliance Center Workload Protection integrates with IBM ICR to periodically scan all the stored images. Images that have been scanned and reported to IBM Cloud Security and Compliance Center Workload Protection are refreshed on a scheduled Helm cron job every week.

How to install the container registry scanner on IBM Container Registry (ICR)

To run the scanner in IBM Container Registry (ICR), some prerequisites should be satisfied:

  • A Kubernetes cluster managed with Helm. The registry scanner will be installed here.

  • A Workload Protection region URL, API key, and account ID of the registry.

  • Network access to the target registry


  1. Install the Registry Scanner Helm Chart:

$ helm repo add sysdig

$ helm repo update

  1. Install the Registry Scanner chart:

$ helm upgrade --install registry-scanner sysdig/registry-scanner --version=1 \

--set config.secureBaseURL=<IBM_WORKLOAD_PROTECTION_URL> \


--set config.registryType=icr \

--set config.registryURL=<ICR_REGISTRY_URL> \

--set config.registryUser=iamapikey \

--set config.registryPassword=<ICR_APIKEY> \

--set config.registryAccountId=<ICR_ACCOUNT_ID> \

--set cronjob.schedule="0 */12 * * *"

The full install details are available 
in the following link

Parameters explanation:

  • secureBaseURL: Sets the region where the IBM Workload Protection instance is deployed. The scanning results will be uploaded to. The list of endpoints is available here. For example:

  • secureAPIToken: Workload Protection API Key. It could be retrieved from the Workload Protection UI.

  • registryURL: Sets the IBM Container Registry region. Check the list of available regions here.

  • registryPassword: IBM IAM API key. It could be created from the IBM Cloud Account > Manage > Access (IAM) > API Keys.

  • registryAccountId: Needs to be extracted from the command line.

  • cronjob.schedule: Sets when the container registry images scan should be run. If it is not specified, it runs once per week.


How to extract ICR_ACCOUNT_ID value

There is an extra parameter needed to deploy the IBM Container Registry successfully, the account ID. To retrieve the IRC Account ID, a few commands need to be run from the command line.

ibmcloud cr login --client docker #log in into the ICR account

ibmcloud cr region-set eu-de #set your ICR region

ibmcloud cr info #get the ICR account ID

ibmcloud cr info

Plug-in version                            1.2.2

Container Registry                  

Container Registry API endpoint

IBM Cloud API endpoint     



Scanning container images in the registry is a fundamental practice for ensuring the security and integrity of your containerized applications. IBM Cloud Security and Compliance Center Workload Protection empower you to proactively detect vulnerabilities, maintain compliance, and safeguard your containerized environments from potential threats. By leveraging Workload Protection, you can confidently embrace the benefits of containers while upholding the highest standards of security. Check the full set of key features in the IBM Cloud Docs.


Enable today Cloud Security and Compliance Center Workload Protection within your IBM Cloud account