1. Overview

If you have deployed a Defender to scan an Artifactory registry, there are several caveats to look out for.

2. Error messages

  1. x509 error

If your images cannot be scanned because of an error like the following:

Failed to pull image docker-local/sampleimage:v1.0.0dev-1, error API error (500): Get https://myconsole.twistlock.com/v2/: x509: certificate signed by unknown authority

This most likely means that the registry presents a self-signed certificate that the underlying Docker daemon on the Defender host does not trust. This can also happen if you have set up Artifactory as an insecure registry.

3. Steps to confirm the issue

If you go to the host that the Prisma Cloud Defender is running on and try to pull your Artifactory images, you should receive the same error.

4. Troubleshooting steps

You will need to add your trusted self-signed certificate to the Docker daemon. For a registry set up as insecure, specify its URL on the machine where the registry-scanning Defender runs, then restart the Docker service. For more information, see the Docker documentation.
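
The certificate part of this procedure as shell functions for the Defender host, added here as an example and not taken from the Prisma Cloud or Docker documentation. It assumes Docker's per-registry CA location `/etc/docker/certs.d/<registry>/ca.crt`; the registry name `artifactory.example.com`, the CA file path and the `DOCKER_CERTS_DIR` override are placeholders introduced for illustration.

```shell
#!/bin/sh
# Added example: helper functions for the host running the Defender.
# Registry names and file paths used here are placeholders.

# Directory where the Docker daemon looks for a registry's CA certificate.
# DOCKER_CERTS_DIR is an override introduced here so the copy can be dry-run.
docker_ca_dir() {
    printf '%s/%s\n' "${DOCKER_CERTS_DIR:-/etc/docker/certs.d}" "$1"
}

# Return 0 if pulling IMAGE from REGISTRY fails with the x509 trust error
# quoted on this page (the confirmation step, run on the Defender host).
pull_fails_with_x509() {
    docker pull "$1/$2" 2>&1 |
        grep -q 'x509: certificate signed by unknown authority'
}

# Install CA_FILE (PEM) as the trusted CA for REGISTRY (host[:port]).
install_registry_ca() {
    registry=$1
    ca_file=$2
    # Reject empty names and anything that could escape the certs directory.
    case $registry in
        ''|*/*|*..*) echo "invalid registry name: $registry" >&2; return 2 ;;
    esac
    # Refuse files that are not PEM certificates (for example a DER file
    # or an HTML error page saved by mistake).
    if ! grep -q -- '-----BEGIN CERTIFICATE-----' "$ca_file" 2>/dev/null; then
        echo "not a PEM certificate: $ca_file" >&2
        return 3
    fi
    dest=$(docker_ca_dir "$registry")
    mkdir -p "$dest" && cp "$ca_file" "$dest/ca.crt" && chmod 644 "$dest/ca.crt"
}

# Typical use as root on the Defender host:
#   pull_fails_with_x509 artifactory.example.com docker-local/sampleimage:v1.0.0dev-1 \
#       && install_registry_ca artifactory.example.com /tmp/artifactory-ca.pem
```

After installing the certificate, repeat the pull from the Defender host; the registry scan should succeed once the pull does.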

4.1. Additional information

If you do not have a host that is able to access the underlying Docker daemon, you will need to find other ways to get your host to trust the Artifactory instance. Please consult the Artifactory documentation for these steps.

4.2. Prisma Cloud version: Any version