# Registry Scanning

Scan container images directly from remote registries.

Redactyl can scan container images directly from registries without pulling them to disk.
## Basic Usage

```bash
# Scan from Docker Hub
redactyl scan --image nginx:latest

# Scan from private registry
redactyl scan --image gcr.io/myproject/myapp:v1.0

# Scan multiple images
redactyl scan --image myapp:v1 --image myapp:v2
```

## Supported Registries
Redactyl supports all OCI-compliant registries:

- Docker Hub - `docker.io/library/nginx`
- Google Container Registry - `gcr.io/project/image`
- Google Artifact Registry - `us-docker.pkg.dev/project/repo/image`
- Amazon ECR - `123456789.dkr.ecr.us-east-1.amazonaws.com/image`
- Azure Container Registry - `myregistry.azurecr.io/image`
- GitHub Container Registry - `ghcr.io/owner/image`
- Self-hosted - Any OCI-compliant registry
## Authentication

### Docker Hub

```bash
# Login first
docker login

# Redactyl uses Docker's credential store
redactyl scan --image myuser/private-image:latest
```

### Google Cloud (GCR/Artifact Registry)

```bash
# Using gcloud
gcloud auth configure-docker

# Or with service account
export GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json
redactyl scan --image gcr.io/myproject/myapp:latest
```

### Amazon ECR

```bash
# Using AWS CLI
aws ecr get-login-password | docker login --username AWS --password-stdin 123456789.dkr.ecr.us-east-1.amazonaws.com

# Or with environment variables
export AWS_ACCESS_KEY_ID=...
export AWS_SECRET_ACCESS_KEY=...
redactyl scan --image 123456789.dkr.ecr.us-east-1.amazonaws.com/myapp:latest
```

### Azure ACR

```bash
# Using Azure CLI
az acr login --name myregistry
redactyl scan --image myregistry.azurecr.io/myapp:latest
```

### Generic Credentials

```bash
# Environment variables
export REGISTRY_USERNAME=myuser
export REGISTRY_PASSWORD=mytoken
redactyl scan --image registry.example.com/myapp:latest
```

## Streaming Architecture
Redactyl streams image layers directly from the registry:
- Fetches image manifest
- Streams each layer sequentially
- Scans content in memory
- No disk extraction required
Benefits:
- Fast scanning of large images
- Low memory footprint
- No cleanup required
- Works in ephemeral CI environments
## Layer Selection

By default, all layers are scanned. You can limit this:

```bash
# Scan only the last N layers
redactyl scan --image myapp:latest --layers 3

# Scan specific layers by digest
redactyl scan --image myapp:latest --layer sha256:abc123
```

## Platform Selection
For multi-arch images:

```bash
# Scan specific platform
redactyl scan --image myapp:latest --platform linux/amd64

# Scan all platforms
redactyl scan --image myapp:latest --all-platforms
```
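The streaming, layer-selection and platform-selection behaviour described in the three sections above, as an added example that is not Redactyl's own code. It resolves an OCI image index to a platform manifest, applies `--layers N` / `--layer <digest>` style selection, and scans each gzip-compressed tar layer from a sequential stream without writing anything to disk. It also checks each layer's content-addressed digest against the manifest as it streams, which the page itself does not describe. The registry is an in-memory stand-in built from constructed manifests and blobs, the secret pattern is a deliberately simple placeholder, and the planted value is AWS's published example key ID; all function names are the example's own.

```python
# Added example (not Redactyl's implementation): stream-scan OCI image layers
# in memory, with --layers / --layer / --platform style selection and a
# content-addressed digest check on every layer. Everything below is constructed.
import hashlib
import io
import re
import tarfile

# Constructed placeholder pattern: AWS access key IDs (AKIA + 16 chars).
SECRET_RE = re.compile(rb"AKIA[0-9A-Z]{16}")


def sha256_digest(data):
    """OCI-style digest string for a blob."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


class HashingReader:
    """Read-through wrapper that hashes every byte it hands out, so a layer's
    digest can be verified without buffering the whole blob."""

    def __init__(self, raw):
        self._raw = raw
        self._hash = hashlib.sha256()

    def read(self, n=-1):
        chunk = self._raw.read(n)
        self._hash.update(chunk)
        return chunk

    def digest(self):
        return "sha256:" + self._hash.hexdigest()


def select_platform(index, platform):
    """Pick the manifest descriptor for an os/arch pair from an OCI image index."""
    os_name, arch = platform.split("/", 1)
    for desc in index["manifests"]:
        plat = desc.get("platform", {})
        if plat.get("os") == os_name and plat.get("architecture") == arch:
            return desc
    raise LookupError("no manifest for platform " + platform)


def select_layers(manifest, last_n=None, digests=None):
    """Layer selection: explicit digests win, else the last N, else all layers."""
    layers = manifest["layers"]
    if digests:
        wanted = set(digests)
        return [layer for layer in layers if layer["digest"] in wanted]
    if last_n is not None:
        return layers[-last_n:]
    return layers


def scan_layer_stream(raw, expected_digest=None, max_file_bytes=1 << 20):
    """Scan one gzip'd tar layer from a sequential stream (e.g. an HTTP body).
    tarfile's 'r|gz' mode never seeks backwards, so nothing touches disk."""
    reader = HashingReader(raw)
    findings = []
    with tarfile.open(fileobj=reader, mode="r|gz") as tar:
        for member in tar:
            if not member.isfile():
                continue
            data = tar.extractfile(member).read(max_file_bytes)  # bound memory per file
            for match in SECRET_RE.finditer(data):
                findings.append({"path": member.name, "match": match.group().decode()})
    while reader.read(1 << 16):  # drain trailing bytes so the hash covers the whole blob
        pass
    if expected_digest is not None and reader.digest() != expected_digest:
        raise ValueError("layer digest mismatch: expected %s, got %s"
                         % (expected_digest, reader.digest()))
    return findings


def scan_image(index, manifests, blobs, platform="linux/amd64", last_n=None, digests=None):
    """index -> platform manifest -> selected layers, each streamed and verified."""
    manifest = manifests[select_platform(index, platform)["digest"]]
    results = []
    for layer in select_layers(manifest, last_n, digests):
        stream = io.BytesIO(blobs[layer["digest"]])  # stands in for the blob response body
        for finding in scan_layer_stream(stream, expected_digest=layer["digest"]):
            results.append({"layer": layer["digest"], **finding})
    return results


def build_layer(files):
    """Constructed helper: build a gzip'd tar layer in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, content in files.items():
            info = tarfile.TarInfo(name)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()


def make_demo_registry():
    """Constructed stand-in for a registry: an index with two platforms. The amd64
    image has three layers; the middle one leaks AWS's published example key ID
    (AKIAIOSFODNN7EXAMPLE), which is documentation filler, not a credential."""
    layer_bytes = [
        build_layer({"etc/os-release": b"ID=demo\n"}),
        build_layer({"app/config.env": b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"}),
        build_layer({"app/main.py": b"print('hello')\n"}),
    ]
    layers = [{"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
               "digest": sha256_digest(b), "size": len(b)} for b in layer_bytes]
    blobs = {layer["digest"]: b for layer, b in zip(layers, layer_bytes)}
    amd64, arm64 = "sha256:" + "a" * 64, "sha256:" + "b" * 64  # placeholder manifest digests
    manifests = {amd64: {"schemaVersion": 2, "layers": layers},
                 arm64: {"schemaVersion": 2, "layers": layers[:1]}}
    index = {"schemaVersion": 2, "manifests": [
        {"digest": amd64, "platform": {"os": "linux", "architecture": "amd64"}},
        {"digest": arm64, "platform": {"os": "linux", "architecture": "arm64"}},
    ]}
    return index, manifests, blobs
```

Running `scan_image(*make_demo_registry())` reports the planted key in `app/config.env` of the second layer; `last_n=1` or `platform="linux/arm64"` skips that layer and reports nothing. Against a real registry the `io.BytesIO` stand-in would be replaced by the blob response body, which is exactly the sequential, never-rewound stream that `r|gz` mode expects; the digest check matters there because a layer that does not hash to the digest the manifest names should not be trusted or reported as scanned.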
## CI/CD Integration

### GitHub Actions

```yaml
- name: Scan container image
  run: |
    redactyl scan --image ${{ env.IMAGE_NAME }}:${{ github.sha }} \
      --sarif > redactyl.sarif.json

- name: Upload SARIF
  uses: github/codeql-action/upload-sarif@v2
  with:
    sarif_file: redactyl.sarif.json
```

### GitLab CI
```yaml
scan-image:
  script:
    - redactyl scan --image $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA --json > findings.json
  artifacts:
    paths:
      - findings.json
```

## Caching
For repeated scans, enable layer caching:

```bash
# Enable cache
redactyl scan --image myapp:latest --cache

# Set cache directory
export REDACTYL_CACHE_DIR=/tmp/redactyl-cache
```

## Rate Limiting
Registries may rate limit requests. Redactyl handles this automatically with exponential backoff. For high-volume scanning:

```bash
# Add delay between layer fetches
redactyl scan --image myapp:latest --rate-limit 100ms
```
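The two behaviours this section names, exponential backoff on registry throttling and a fixed delay between layer fetches, as an added example that is not Redactyl's own retry code. `fetch_with_backoff` retries on 429 and transient 5xx responses, honours a delta-seconds `Retry-After` header when the registry sends one and otherwise backs off exponentially with full jitter; `Pacer` enforces a minimum interval between fetches, the idea behind `--rate-limit`. The registry is a constructed stand-in, and `sleep`, `rng` and `clock` are injectable so the policy can be exercised without real waiting; all names are the example's own.

```python
# Added example (not Redactyl's retry logic): exponential backoff with
# Retry-After handling for registry requests, plus a pacer that enforces a
# minimum interval between fetches. The registry below is a constructed stand-in.
import random
import time

RETRYABLE_STATUSES = {429, 502, 503, 504}


def fetch_with_backoff(request, max_attempts=5, base_delay=0.5, max_delay=30.0,
                       sleep=time.sleep, rng=random.random):
    """Call request() -> (status, headers, body) until it succeeds.
    On a retryable status: honour a delta-seconds Retry-After if present,
    otherwise sleep base_delay * 2**attempt with full jitter, capped at max_delay.
    Non-retryable statuses (e.g. 401/403/404) fail immediately, since retrying
    a bad credential or a missing image only burns quota."""
    for attempt in range(max_attempts):
        status, headers, body = request()
        if status < 400:
            return status, body
        if status not in RETRYABLE_STATUSES or attempt == max_attempts - 1:
            raise RuntimeError("registry returned %d after %d attempt(s)"
                               % (status, attempt + 1))
        retry_after = headers.get("Retry-After")
        if retry_after is not None and retry_after.isdigit():
            delay = min(float(retry_after), max_delay)  # HTTP-date form not handled here
        else:
            delay = min(base_delay * 2 ** attempt, max_delay) * rng()  # full jitter
        sleep(delay)
    raise AssertionError("unreachable: loop always returns or raises")


class Pacer:
    """Minimum spacing between consecutive fetches (the --rate-limit idea)."""

    def __init__(self, interval, clock=time.monotonic, sleep=time.sleep):
        self.interval = interval
        self.clock = clock
        self.sleep = sleep
        self._last = None

    def wait(self):
        """Block until at least `interval` seconds have passed since the last call."""
        now = self.clock()
        if self._last is not None:
            remaining = self.interval - (now - self._last)
            if remaining > 0:
                self.sleep(remaining)
                now += remaining
        self._last = now


def make_flaky_registry(failures, status=429, retry_after="2"):
    """Constructed stand-in: answers `failures` times with `status` (plus a
    Retry-After header when given), then 200 with a fake blob body.
    Returns (request, calls) so callers can inspect how many requests were made."""
    calls = []

    def request():
        calls.append(len(calls) + 1)
        if len(calls) <= failures:
            headers = {"Retry-After": retry_after} if retry_after else {}
            return status, headers, b""
        return 200, {}, b"layer-bytes"

    return request, calls
```

In use, a layer loop calls `pacer.wait()` before each `fetch_with_backoff(request)`; the pacer spaces out healthy traffic, while the backoff only kicks in once the registry actually pushes back. Keeping both injectable is also what makes the policy unit-testable in CI without sleeping.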
## Troubleshooting

### Authentication Errors

```bash
# Debug auth issues
redactyl scan --image myapp:latest --debug

# Check credentials
docker pull myapp:latest  # Verify Docker can pull
```

### Timeout Errors
```bash
# Increase timeout for slow registries
redactyl scan --image myapp:latest --timeout 5m
```

### Network Errors
```bash
# Use proxy
export HTTPS_PROXY=http://proxy.example.com:8080
redactyl scan --image myapp:latest
```