1. Overview

You can use webhooks to trigger a scan when images in your registry’s repositories are added or updated.

Prisma Cloud supports webhooks for:

Prisma Cloud requires Docker Registry 2.4 or later.
Google Container Registry and Amazon EC2 Container Registry do not currently support webhooks.

For Docker Hub, you must have Automated Builds enabled for your repository. Docker Hub webhooks are called when an image is built or a new tag is added to your automated build repository.

For Docker Private Registry, webhooks are called when manifests are pushed or pulled, and layers are pushed or pulled. Prisma Cloud scans images in response to layer push events.

For Azure Registry, you can configure webhooks for your container registry that generate events when certain actions are performed against it. See Azure’s documentation for more information.

The benefit of webhook-initiated scans is that they are triggered as soon as images change, but support is limited to Docker Hub, Docker Registry, and Azure Registy. Prisma Cloud also supports scheduled registry scans, with support for almost all registry types, including Google Container Registry and Amazon EC2 Container Registry.

2. Securing Console’s management port

Webhooks call the Prisma Cloud API on Console’s management ports over either HTTP or HTTPS.

Although it is convenient to test webhooks with HTTP, we strongly recommend that you set up webhooks to call Console over HTTPS. To call webhooks over HTTPS, you must install a certificate trusted by the registry. For more information about securing Console’s management port with a custom cert, see Custom certs for Console access.

By default, Prisma Cloud uses self-signed certificates to secure HTTP traffic. Self-signed certificates are not supported (trusted) by Docker Hub, and Docker Registry would require you to configure Prisma Cloud as a trusted CA (not supported, and not recommended). Instead install a certificate signed by a trusted certificate authority (CA), such as Comodo or Symantec.

3. Setting up webhooks

To set up webhook-initiated scans, configure your registry’s webhook with the URL provided in Console. The following procedure shows you how to set up webhooks in Docker Hub.

Prerequisites: Docker Hub, with Automated Builds enabled.

  1. Open Console.

  2. Go to Defend > Vulnerabilities > Registry.

  3. Scroll down to the section Registry webhooks, then enter the following information:

    1. In the drop down list, select the DNS name or IP address that the registry can use to reach the Console.

      Your selection generates a URL that you will use to configure the registry.

    2. Copy the URL.

      By default, the generated URL employs HTTP. For HTTPS, replace http:// with https://.

  4. Configure your repository.

    The following sections show how to configure Docker Hub and Nexus Repository. For other repositories, consult the vendor’s documentation.

  5. Test the integration by triggering a build.

    trigger registry scan webooks 706509
  6. Go to Monitor > Vulnerabilities > Registry to view the scan report. Prisma Cloud scans the image as soon as it is built.

4. Configuring Docker Hub

Configure your Docker Hub repository.

  1. Log into Docker Hub.

  2. Select a repository, and then click Webhooks.

  3. Create a new webhook. Specify a name, and paste the URL you copied from Console.

  4. Click Save.

    trigger registry scan webhooks docker hub

5. Configuring Nexus Repository

Configure the Nexus Repository. When setting up webooks in Nexus Repository, select the "component" event type for triggering the webhooks.

trigger registry scan webhooks nexus