Registry Scanning
Redactyl can scan container images directly from registries without pulling them to disk.
Basic Usage
    # Scan from Docker Hub
    redactyl scan --image nginx:latest

    # Scan from private registry
    redactyl scan --image gcr.io/myproject/myapp:v1.0

    # Scan multiple images
    redactyl scan --image myapp:v1 --image myapp:v2

Supported Registries
Redactyl supports all OCI-compliant registries:
- Docker Hub - docker.io/library/nginx
- Google Container Registry - gcr.io/project/image
- Google Artifact Registry - us-docker.pkg.dev/project/repo/image
- Amazon ECR - 123456789.dkr.ecr.us-east-1.amazonaws.com/image
- Azure Container Registry - myregistry.azurecr.io/image
- GitHub Container Registry - ghcr.io/owner/image
- Self-hosted - Any OCI-compliant registry
Authentication
Docker Hub
    # Login first
    docker login

    # Redactyl uses Docker's credential store
    redactyl scan --image myuser/private-image:latest

Google Cloud (GCR/Artifact Registry)
    # Using gcloud
    gcloud auth configure-docker

    # Or with service account
    export GOOGLE_APPLICATION_CREDENTIALS=/path/to/key.json
    redactyl scan --image gcr.io/myproject/myapp:latest

Amazon ECR
    # Using AWS CLI
    aws ecr get-login-password | docker login --username AWS --password-stdin 123456789.dkr.ecr.us-east-1.amazonaws.com

    # Or with environment variables
    export AWS_ACCESS_KEY_ID=...
    export AWS_SECRET_ACCESS_KEY=...
    redactyl scan --image 123456789.dkr.ecr.us-east-1.amazonaws.com/myapp:latest

Azure ACR
    # Using Azure CLI
    az acr login --name myregistry

    redactyl scan --image myregistry.azurecr.io/myapp:latest

Generic Credentials
    # Environment variables
    export REGISTRY_USERNAME=myuser
    export REGISTRY_PASSWORD=mytoken

    redactyl scan --image registry.example.com/myapp:latest

Streaming Architecture
Redactyl streams image layers directly from the registry:
- Fetches image manifest
- Streams each layer sequentially
- Scans content in memory
- No disk extraction required
Benefits:
- Fast scanning of large images
- Low memory footprint
- No cleanup required
- Works in ephemeral CI environments
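The streaming approach described above, as an added Python sketch (not Redactyl's own code): each layer is read as a forward-only gzip tar stream and file contents are matched in memory, with nothing written to disk. The names `ForwardOnly`, `scan_layer`, `scan_image` and `make_layer`, the single AWS key ID pattern and the 1 MiB per-file cap are assumptions for illustration, and the layers are constructed in memory rather than fetched from a registry.

```python
import io
import re
import tarfile

# Simplified detector for illustration: the AWS access key ID shape only.
AWS_KEY_ID = re.compile(rb"\bAKIA[0-9A-Z]{16}\b")
MAX_FILE_BYTES = 1 << 20  # assumption: inspect at most 1 MiB of each file

class ForwardOnly:
    """Read-only, non-seekable stream, standing in for an HTTP blob body."""
    def __init__(self, data):
        self._buf = io.BytesIO(data)
    def read(self, n=-1):
        return self._buf.read(n)

def scan_layer(stream, layer_id):
    """Scan one gzip-compressed tar layer as it streams; nothing is extracted."""
    findings = []
    # "r|gz" is tarfile's streaming mode: strictly sequential reads, no seek().
    with tarfile.open(fileobj=stream, mode="r|gz") as tar:
        for member in tar:
            if not member.isfile():
                continue  # directories, symlinks and devices carry no content
            data = tar.extractfile(member).read(MAX_FILE_BYTES)
            for m in AWS_KEY_ID.finditer(data):
                findings.append((layer_id, member.name, m.group().decode()))
    return findings

def scan_image(layers):
    """Scan layer blobs in manifest order, one at a time."""
    return [f for i, blob in enumerate(layers) for f in scan_layer(ForwardOnly(blob), i)]

def make_layer(files):
    """Build a constructed layer blob (tar.gz) in memory from {path: bytes}."""
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for path, content in files.items():
            info = tarfile.TarInfo(path)
            info.size = len(content)
            tar.addfile(info, io.BytesIO(content))
    return buf.getvalue()

# Constructed sample image: two layers; the key is AWS's documentation example value.
LAYERS = [
    make_layer({"etc/motd": b"hello\n"}),
    make_layer({"app/.env": b"AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n"}),
]
print(scan_image(LAYERS))
```

OCI layers can also be uncompressed or zstd-compressed; this sketch handles only the gzip media type.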
Layer Selection
By default, all layers are scanned. You can limit this:

    # Scan only the last N layers
    redactyl scan --image myapp:latest --layers 3

    # Scan specific layers by digest
    redactyl scan --image myapp:latest --layer sha256:abc123

Platform Selection
For multi-arch images:

    # Scan specific platform
    redactyl scan --image myapp:latest --platform linux/amd64

    # Scan all platforms
    redactyl scan --image myapp:latest --all-platforms

CI/CD Integration
GitHub Actions

    - name: Scan container image
      run: |
        redactyl scan --image ${{ env.IMAGE_NAME }}:${{ github.sha }} \
          --sarif > redactyl.sarif.json

    - name: Upload SARIF
      uses: github/codeql-action/upload-sarif@v2
      with:
        sarif_file: redactyl.sarif.json

GitLab CI

    scan-image:
      script:
        - redactyl scan --image $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA --json > findings.json
      artifacts:
        paths:
          - findings.json

Caching
For repeated scans, enable layer caching:

    # Enable cache
    redactyl scan --image myapp:latest --cache

    # Set cache directory
    export REDACTYL_CACHE_DIR=/tmp/redactyl-cache

Rate Limiting
Registries may rate limit requests. Redactyl handles this automatically with exponential backoff. For high-volume scanning:

    # Add delay between layer fetches
    redactyl scan --image myapp:latest --rate-limit 100ms

Troubleshooting
Authentication Errors

    # Debug auth issues
    redactyl scan --image myapp:latest --debug

    # Check credentials
    docker pull myapp:latest  # Verify Docker can pull

Timeout Errors

    # Increase timeout for slow registries
    redactyl scan --image myapp:latest --timeout 5m

Network Errors

    # Use proxy
    export HTTPS_PROXY=http://proxy.example.com:8080
    redactyl scan --image myapp:latest