Container registry scanning

List and scan container images directly from a registry using filters and scan plans.

A container registry is a centralized service that stores and distributes your container images. Endor Labs lets you scan images directly from your registry, giving you full visibility into the security posture of your containerized workloads at scale. You can discover images across repositories, control the scope of your scans, avoid redundant work by skipping images that are already scanned, and run consistent scans over time using saved scan plans.

A scan plan is a JSON file that defines the set of container images to scan, along with the registry and filters used to select them. It acts as a predefined template for selecting container images and can be verified and tested ahead of time before the actual registry scan runs. Once saved, the scan plan can be reused to scan the exact same set of images without querying the registry again, making recurring or batch scans consistent and easier to share across runs or environments.

With registry scanning, you can list all repositories and tags, or a filtered subset, in a registry without manually specifying each image. You can save an enumerated image list as a scan plan and reuse it later so the same set of images is scanned without re-querying the registry each time.

Endor Labs supports the following container registries:

  • AWS ECR
  • Azure ACR
  • Docker Hub
  • GitHub Container Registry (GHCR)
  • JFrog Artifactory

Use the endorctl container registry commands to list and scan images stored in your registry.

  • List images from a registry: Use endorctl container registry list to preview which images match your filters before scanning. This lets you verify the scope and adjust filtering parameters such as --include, --exclude, --recent, and --limit. You can also save the results as a scan plan for the scan step.

  • Scan images from a registry: Use endorctl container registry scan to enumerate and scan container images from a registry in a single step. You can also provide a saved scan plan from the list command instead of enumerating the registry again.

Use a scan plan when you want to review the list of images before scanning. A saved plan lets you reuse the same reviewed selection of registry and filter parameters, so repeated scans cover a consistent set of images.

Prerequisites for AWS ECR and Azure ACR registry scans
Install and configure the AWS CLI (for AWS ECR) or the Azure CLI (for Azure ACR). endorctl uses these CLIs to authenticate to the corresponding registry and to enumerate its images.

The list command connects to your registry, enumerates container images based on your configured filters, and prints a summary with a table of image paths. You can also save the results as a scan plan to reuse with the scan command.

endorctl container registry list --registry-type=<type> [options]

You can apply filters such as include, exclude, recent, and limit to narrow down the images returned. If you provide a namespace and API credentials, the saved plan automatically excludes already scanned images, so it is ready to scan only new or updated images.

Filters are applied in the following order:

  1. include
  2. exclude
  3. recent
  4. limit

You can use the endorctl container registry list command with the following flags.

Flag (environment variable, type)

--registry-type (ENDOR_CONTAINER_REGISTRY_REGISTRY_TYPE, string)
    Container registry type. See supported container registries for the registries and their corresponding values.

--registry (ENDOR_CONTAINER_REGISTRY_REGISTRY, string)
    Registry server or host. See the supported container registries table for example formats. Required for Azure ACR and JFrog.

--registry-namespace (ENDOR_CONTAINER_REGISTRY_REGISTRY_NAMESPACE, string)
    The namespace or scope to list within. This flag is optional and is commonly used for the Docker Hub, GHCR, and JFrog Artifactory registries. For Docker Hub or GHCR, it is the organization or user name; for JFrog, it is the repository key.

--include (ENDOR_CONTAINER_REGISTRY_INCLUDE, string)
    Regex to include repositories or tags. Matches the repository name without the registry server or domain, the full repository and tag, or the digest. If not set, all repositories and their tags are included.

--exclude (ENDOR_CONTAINER_REGISTRY_EXCLUDE, string)
    Regex to exclude a subset of container image names by repository or by repository and tag. For example, --exclude='test-repo' excludes all tags in repositories matching test-repo, and --exclude='myapp:latest' excludes only the latest tag in repositories matching myapp.

--recent (ENDOR_CONTAINER_REGISTRY_RECENT, string)
    Include only images updated within the given recent time window. Use a duration string such as 24h, 7d, or 2d7h. Applied after include and exclude.

--limit (ENDOR_CONTAINER_REGISTRY_LIMIT, integer)
    Limit the number of images in the result after all filters are applied.

--include-untagged (ENDOR_CONTAINER_REGISTRY_INCLUDE_UNTAGGED, boolean)
    Include untagged manifests when the registry type supports them.

--include-untagged-only (ENDOR_CONTAINER_REGISTRY_INCLUDE_UNTAGGED_ONLY, boolean)
    Consider only untagged container images. Use this only when the registry type supports untagged container images.

--validate-tag-digest (ENDOR_CONTAINER_REGISTRY_VALIDATE_TAG_DIGEST, boolean)
    Resolve and confirm the digest through a registry HEAD request for each tag.

--architecture (ENDOR_CONTAINER_REGISTRY_ARCHITECTURE, string)
    Preferred architecture for multi-architecture images, for example, amd64, arm64, or linux/arm64.

--timeout (ENDOR_CONTAINER_REGISTRY_TIMEOUT, string)
    Command timeout duration, such as 30s, 1m, or 5m. Default is 30s.

--project-prefix (ENDOR_CONTAINER_REGISTRY_PROJECT_PREFIX, string)
    Optional prefix for project names derived from the repository path. Without a prefix, the project name uses the container image repository path.

--save-as-plan (ENDOR_CONTAINER_REGISTRY_SAVE_AS_PLAN, string)
    Write the list output as a scan plan JSON file to use with endorctl container registry scan --scan-plan.

--scanned-only (ENDOR_CONTAINER_REGISTRY_SCANNED_ONLY, boolean)
    Show only images that have already been scanned in Endor Labs. Requires --namespace and API credentials. Cannot be used with --save-as-plan.

--exclude-scanned (ENDOR_CONTAINER_REGISTRY_EXCLUDE_SCANNED, boolean)
    Exclude images that are already scanned from the output. Without this flag, already-scanned images are still skipped during scanning; the flag only affects what appears in the list output. If a tag points to a new digest, Endor Labs treats it as a new image and scans it. When saving with --save-as-plan, the saved plan always excludes scanned images regardless of this flag. Requires --namespace and API credentials.
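The filter pipeline above (include, then exclude, then recent, then limit) is easy to get wrong when combining flags, so here is an added model of it in Python, written for this page and not part of endorctl. It assumes unanchored regex matching (Go regexp semantics) against the repository name without host, the full repo:tag or repo@digest reference, and the bare digest; the image list and the fixed "now" are constructed sample data.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed sample enumeration (not real registry data). Paths include the
# registry host; include/exclude patterns are matched without it.
NOW = datetime(2024, 6, 10, 12, 0, tzinfo=timezone.utc)   # fixed "now" for reproducibility
IMAGES = [
    {"path": "docker.io/acme/api:latest",       "updated": NOW - timedelta(hours=3)},
    {"path": "docker.io/acme/api:1.4.0-rc1",    "updated": NOW - timedelta(days=1)},
    {"path": "docker.io/acme/web:latest",       "updated": NOW - timedelta(days=12)},
    {"path": "docker.io/acme/test-repo:latest", "updated": NOW - timedelta(hours=1)},
    {"path": "docker.io/acme/worker@sha256:" + "a" * 64, "updated": NOW - timedelta(days=2)},
]

_DURATION = re.compile(r"(\d+)([dhms])")
_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}

def parse_duration(text):
    """Convert a --recent value such as 24h, 7d or 2d7h into a timedelta."""
    parts = _DURATION.findall(text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"unsupported duration: {text!r}")
    return timedelta(seconds=sum(int(n) * _SECONDS[u] for n, u in parts))

def match_targets(path):
    """Strings a pattern is tested against: repo (no host), repo:tag or repo@digest, digest."""
    ref = path.split("/", 1)[1]                        # drop the registry host
    repo = re.split(r"[:@]", ref, maxsplit=1)[0]
    digest = ref.split("@", 1)[1] if "@" in ref else None
    return [t for t in (repo, ref, digest) if t]

def apply_filters(images, include=None, exclude=None, recent=None, limit=None, now=NOW):
    """Narrow the enumeration in the documented order: include, exclude, recent, limit.
    Assumes unanchored matching, so '.*:latest' and ':latest' behave the same;
    wrap a pattern in ^...$ to require an exact match."""
    out = list(images)
    if include:
        rx = re.compile(include)
        out = [i for i in out if any(rx.search(t) for t in match_targets(i["path"]))]
    if exclude:
        rx = re.compile(exclude)
        out = [i for i in out if not any(rx.search(t) for t in match_targets(i["path"]))]
    if recent:
        cutoff = now - parse_duration(recent)
        out = [i for i in out if i["updated"] >= cutoff]
    if limit is not None:
        out = out[:limit]                               # applied last, after all other filters
    return [i["path"] for i in out]
```

Because --limit runs last, `--recent 7d --limit 2` never returns an older image to fill the quota; and because --exclude='test-repo' is matched against the repository name, it drops every tag of that repository, as the flag description states.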

The scan command runs Endor Labs container scans on a set of images. You can pass a saved scan plan from the list command or enumerate the registry with the same filter flags as list. The command pulls each image if needed, runs the scan, and by default removes pulled images after scanning. The --namespace and API credentials are required. Images that are already scanned are automatically skipped.

  • Scan using a saved scan plan:

    endorctl container registry scan --namespace=<namespace> --scan-plan=<path> [options]
    
  • Scan using a registry type. When you do not use --scan-plan, pass --registry-type.

    endorctl container registry scan --namespace=<namespace> --registry-type=<type> [options]
    

You can use the endorctl container registry scan command with the following flags.

Flag (environment variable, type)

--namespace, -n (ENDOR_NAMESPACE, string)
    Endor Labs namespace for the scan and for checking current scan status.

--scan-plan (ENDOR_CONTAINER_REGISTRY_SCAN_PLAN, string)
    Path to a scan plan JSON file produced by endorctl container registry list --save-as-plan. Either --registry-type or --scan-plan is required.

--show-scan-plan (ENDOR_CONTAINER_REGISTRY_SHOW_SCAN_PLAN, boolean)
    Print the scan plan, including registry, filters, counts, and image list, before starting scans. Set to false to skip this output and start scanning immediately.

--reauth (ENDOR_CONTAINER_REGISTRY_REAUTH, boolean)
    Try to refresh registry credentials if authentication fails. For ECR and ACR, this uses the AWS CLI or Azure CLI respectively to refresh credentials.

--keep-pulled-images (ENDOR_CONTAINER_REGISTRY_KEEP_PULLED_IMAGES, boolean)
    Keep pulled images in the local daemon after scanning. By default, pulled images are removed to free disk space.

The endorctl container registry list and endorctl container registry scan commands support the following container registries. Use the Registry type value for --registry-type and the Registry host value for --registry.

Name                       Registry type   Registry host
AWS ECR                    aws.ecr         <account-id>.dkr.ecr.<region>.amazonaws.com
Azure ACR                  azure.acr       <name>.azurecr.io
Docker Hub                 dockerhub       docker.io
GitHub Container Registry  ghcr            ghcr.io
JFrog Artifactory          artifactory     https://<org>.jfrog.io

Note
You must specify the registry host with --registry when you use Azure ACR or JFrog registries.

The list and scan commands both produce output that includes summary lines and, when there are image rows, a table. The scan command shows this when --show-scan-plan is enabled.

If any image rows remain after filters, the command prints a table with the following columns:

Column       Description
IMAGE        Image path in tag or digest form.
DIGEST       Architecture-specific image digest.
CREATED      RFC3339 UTC timestamp.
UPDATED      RFC3339 UTC timestamp.
MULTI-ARCH   Indicates whether the container image in the registry is a multi-architecture image represented by a manifest list.
ARCH         Selected architecture when the image is multi-architecture.
LIST-DIGEST  Shortened manifest list digest, for multi-architecture images only.

The scan plan is a JSON file written by the endorctl container registry list command with --save-as-plan and read by the scan command with --scan-plan. When list is run with --namespace and API credentials, the saved plan excludes images that are already scanned so that it is ready to scan only new or unscanned images. The structure is:

parameters:
  registry_type: string          # required
  server: string                 # optional
  namespace: string              # optional
  account: string                # optional. Used only for Docker Hub and GHCR.
  repo_key: string               # optional. Used only for JFrog.
  architecture: string           # optional
  include: string                # optional
  exclude: string                # optional
  recent: string                 # optional
  limit: integer                 # optional
  include_untagged: boolean      # optional
  include_untagged_only: boolean # optional
  validate_tag_digest: boolean   # optional
  timeout_seconds: integer       # required

counts:
  repositories: integer
  tags: integer
  untagged_manifests: integer    # optional
  matching_repositories: integer # optional
  matching_tags: integer         # optional
  matching_untagged: integer     # optional
  ignored_repositories: integer  # optional
  ignored_tags: integer          # optional
  ignored_untagged: integer      # optional
  digest_validated_tags: integer # optional
  digest_mismatch_tags: integer  # optional
  digest_lookup_errors: integer  # optional

images:                          # array
  - path: string                 # full image reference, tag or digest
    created: string
    updated: string
    multi_arch: boolean          # optional
    arch: string                 # optional
    multi_arch_digest: string    # optional
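Since a plan can be verified before the scan runs, here is an added Python check of a plan file against the structure above; it is written for this page and is not endorctl code. The required fields (parameters.registry_type, parameters.timeout_seconds, counts.repositories, counts.tags, and path/created/updated per image) are taken from the structure as documented; the embedded sample plan, including its account id, is constructed.

```python
import json

# Required fields per the documented scan plan structure; everything else is optional.
REQUIRED = {
    "parameters": {"registry_type": str, "timeout_seconds": int},
    "counts": {"repositories": int, "tags": int},
}
REQUIRED_IMAGE = {"path": str, "created": str, "updated": str}
# Constructed sample plan shaped like list --save-as-plan output (not a real file).
SAMPLE_PLAN = json.dumps({
    "parameters": {"registry_type": "aws.ecr", "include": ".*:latest", "timeout_seconds": 30},
    "counts": {"repositories": 2, "tags": 5, "matching_tags": 2},
    "images": [
        {"path": "123456789012.dkr.ecr.us-east-1.amazonaws.com/acme/api:latest",
         "created": "2024-06-01T10:00:00Z", "updated": "2024-06-09T08:30:00Z",
         "multi_arch": True, "arch": "amd64", "multi_arch_digest": "sha256:0123abcd"},
        {"path": "123456789012.dkr.ecr.us-east-1.amazonaws.com/acme/web@sha256:" + "b" * 64,
         "created": "2024-05-20T09:00:00Z", "updated": "2024-05-20T09:00:00Z"},
    ],
})

def _check_fields(obj, spec, where):
    """Raise ValueError naming the first missing or mistyped required field."""
    if not isinstance(obj, dict):
        raise ValueError(f"{where}: expected an object")
    for key, typ in spec.items():
        if key not in obj:
            raise ValueError(f"{where}: missing required field '{key}'")
        # bool is a subclass of int, so reject true/false where an integer is required
        if not isinstance(obj[key], typ) or (typ is int and isinstance(obj[key], bool)):
            raise ValueError(f"{where}.{key}: expected {typ.__name__}")

def load_plan(text):
    """Validate a scan plan document and return (registry_type, list of image paths)."""
    plan = json.loads(text)
    for section, spec in REQUIRED.items():
        _check_fields(plan.get(section), spec, section)
    images = plan.get("images")
    if not isinstance(images, list):
        raise ValueError("images: expected an array")
    for n, image in enumerate(images):
        _check_fields(image, REQUIRED_IMAGE, f"images[{n}]")
    return plan["parameters"]["registry_type"], [i["path"] for i in images]

def split_by_reference(paths):
    """Separate digest-pinned references (immutable) from tag references; a tag that
    later points at a new digest is treated by the scan as a new image."""
    pinned = [p for p in paths if "@sha256:" in p]
    return pinned, [p for p in paths if p not in pinned]
```

Reviewing the tag-based half of the split before a recurring scan tells you which entries may resolve to different content than when the plan was saved.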

The following commands use AWS ECR to show how to list images, apply filters, save a scan plan, and run scans. Use the appropriate --registry-type, --registry, and --registry-namespace values for other registries. See supported container registries to learn more.

  • List all images in an AWS ECR registry.

    endorctl container registry list --registry-type aws.ecr

  • Filter images updated in the last 7 days, include only tags matching latest, and exclude release candidate tags.

    endorctl container registry list --registry-type aws.ecr --recent 7d --include '.*:latest' --exclude '.*:-rc.*'

  • Save the generated image list to a JSON scan plan file for use with the container registry scan command.

    endorctl container registry list --registry-type aws.ecr --save-as-plan registry-scan-plan.json

  • List images including untagged manifests.

    endorctl container registry list --registry-type aws.ecr --include-untagged

  • List only images that match a preferred architecture such as arm64 when the repository contains multi-architecture images.

    endorctl container registry list --registry-type aws.ecr --architecture arm64

  • Scan images defined in a previously saved scan plan file.

    endorctl container registry scan --namespace demo --registry-type=aws.ecr --reauth --scan-plan aws_ecr_scan_plan.json

Note
  • AWS ECR authenticates using the AWS SDK default credential chain, which includes environment variables, shared credential files, and IAM roles.
  • For Docker Hub, use --registry-type=dockerhub and omit --reauth because it requires access to Docker Hub credentials for automated reauthentication.
Authentication fails when listing or scanning images
  • Ensure your registry credentials are valid and that the registry type and host are correct. Use --reauth to refresh credentials when using AWS ECR or Azure ACR.

  • For Docker Hub and GHCR, verify the environment variables or log in with the registry’s CLI.

  • For Azure ACR and JFrog, verify that --registry is set.

Scan plan includes images I already scanned
  • Images that are already scanned are excluded only when you run list with --namespace and valid API credentials. Without them, the saved plan includes all matching images.

  • Re-run endorctl container registry list with --namespace and --exclude-scanned, save a new plan with --save-as-plan, then run the scan command with that plan.

How do I generate a scan plan for a JFrog registry?

Run the list command with your registry details and --save-as-plan to save the enumerated images to a JSON file.

    endorctl container registry list --registry-type artifactory --registry jfrog-host --registry-namespace repo-key --save-as-plan registry-scan-plan.json

Replace jfrog-host with your JFrog host and repo-key with your repository key.