Creating a Container Image Target

Create a container image scan target.

Before you create a container image target, review the following information:
  • To create a container image target, complete the following steps:

    1. Open the navigation menu and click Identity & Security. Under Scanning, click Targets.
    2. Select the compartment in which you want to create the target.
      Note: The repositories that you assign to this target can be in a different compartment than the target.
    3. Click the Container image tab.
    4. Click Create.
    5. Enter a name and description for the target.

      Avoid entering confidential information.

    6. Select a scan recipe for the target.
    7. Under Repositories, select the compartment that contains the Container Registry repositories that you want to scan.
    8. Choose repositories for this target.
      • All repositories in the selected target compartment and its subcompartments
      • Selected repositories in the selected target compartment: Select individual repositories.

      You can't create a target with a repository that's already specified in another target.

    9. (Optional) Click Show advanced options to assign tags to the target.

      If you have permissions to create a resource, you also have permissions to add free-form tags to that resource.

      To add a defined tag, you must have permissions to use the tag namespace.

      For more information about tagging, see Resource Tags. If you're not sure if you should add tags, skip this option or ask your administrator. You can add tags later.

    10. Save the target by using one of the following methods:
      • Click Create target to create the target in Vulnerability Scanning.
      • Click Save as stack to manage the stack through the Resource Manager service. On the Save as stack window, complete the fields, and then click Save. For more information about stacks, see Managing Stacks.

    After creating a target, Vulnerability Scanning checks the images in the selected repositories for security vulnerabilities. You can view the results of these scans in the following reports:

    You can also use Cloud Guard to view the results of the scans. See Scanning with Cloud Guard.

  • Use the oci vulnerability-scanning container scan target create command and required parameters to create a new container scan target:

    oci vulnerability-scanning container scan target create --display-name <name> --compartment-id <create_in_compartment_ocid> --container-scan-recipe-id <recipe_ocid> --target-registry '{"type": "OCIR", "url": "https://<region_key>.ocir.io", "compartmentId": "<repository_compartment_ocid>", "repositories": ["<repository_name>"]}'
    • <region_key> is the key for the Container Registry region that you're using. See Availability by Region.

    • For repositories, you can provide a list of repository names. If repositories isn’t specified, then all repositories in the compartment are scanned.

    For example:

    oci vulnerability-scanning container scan target create --display-name "MyTarget" --compartment-id ocid1.compartment.oc1..exampleuniqueID --container-scan-recipe-id ocid1.vsscontainerscanrecipe.oc1..exampleuniqueID --target-registry '{"type": "OCIR", "url": "https://syd.ocir.io", "compartmentId": "ocid1.compartment.oc1..exampleuniqueID", "repositories": ["myrepo"]}'

    For a complete list of flags and variable options for CLI commands, see the Command Line Reference.

  • Run the CreateContainerScanTarget operation to create a new container scan target.
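
A pre-flight check for the CLI path above, written in Python as an added example (not Oracle's code): it builds the --target-registry value and flags planned targets that would claim the same repository, which the service rejects. The function names are hypothetical, and the check assumes that a target with no repositories list covers every repository in its compartment; it does not resolve subcompartments.

```python
import json
import shlex

def target_registry(region_key, compartment_id, repositories=None):
    """Build the --target-registry value. Omitting repositories scans the whole compartment."""
    registry = {
        "type": "OCIR",
        "url": f"https://{region_key}.ocir.io",
        "compartmentId": compartment_id,
    }
    if repositories:
        registry["repositories"] = sorted(set(repositories))
    return registry

def find_overlaps(planned):
    """Return (name_a, name_b, repos) for planned targets that would claim the same repository.

    planned maps a display name to a target_registry() dict. ["*"] marks an overlap
    where at least one side has no repositories list (assumed to cover everything).
    """
    conflicts = []
    names = sorted(planned)
    for i, a in enumerate(names):
        for b in names[i + 1:]:
            ra, rb = planned[a], planned[b]
            if (ra["url"], ra["compartmentId"]) != (rb["url"], rb["compartmentId"]):
                continue  # different registry or compartment: no shared repositories
            la, lb = ra.get("repositories"), rb.get("repositories")
            if la is None or lb is None:
                conflicts.append((a, b, ["*"]))
            elif set(la) & set(lb):
                conflicts.append((a, b, sorted(set(la) & set(lb))))
    return conflicts

def create_command(display_name, compartment_id, recipe_id, registry):
    """Return the argv for the create command shown above (not executed here)."""
    return ["oci", "vulnerability-scanning", "container", "scan", "target", "create",
            "--display-name", display_name, "--compartment-id", compartment_id,
            "--container-scan-recipe-id", recipe_id,
            "--target-registry", json.dumps(registry)]

if __name__ == "__main__":
    # Constructed sample plan; the OCIDs are the placeholders used on this page.
    comp = "ocid1.compartment.oc1..exampleuniqueID"
    recipe = "ocid1.vsscontainerscanrecipe.oc1..exampleuniqueID"
    planned = {"MyTarget": target_registry("syd", comp, ["myrepo"]),
               "AppTarget": target_registry("syd", comp, ["myrepo", "otherrepo"])}
    for a, b, repos in find_overlaps(planned):
        print(f"conflict: {a} and {b} both claim {repos}")
    print(shlex.join(create_command("MyTarget", comp, recipe, planned["MyTarget"])))
```

Run the overlap check against the full set of targets you plan to create, and against any that already exist, before issuing the create commands.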