A container registry is a centralized service that stores and distributes your container images. Endor Labs lets you scan images directly from your registry, giving you full visibility into the security posture of your containerized workloads at scale. You can discover images across repositories, control the scope of your scans, avoid redundant work by skipping images that are already scanned, and run consistent scans over time using saved scan plans.
A scan plan is a JSON file that defines the set of container images to scan, along with the registry and filters used to select them. It acts as a predefined template for selecting container images and can be verified and tested ahead of time before the actual registry scan runs. Once saved, the scan plan can be reused to scan the exact same set of images without querying the registry again, making recurring or batch scans consistent and easier to share across runs or environments.
With registry scanning, you can list all repositories and tags, or a filtered subset, in a registry without manually specifying each image. You can save an enumerated image list as a scan plan and reuse it later so the same set of images is scanned without re-querying the registry each time.
Endor Labs supports the following container registries:
- AWS ECR
- Azure ACR
- Docker Hub
- GitHub Container Registry (GHCR)
- JFrog Artifactory
Use the `endorctl container registry` commands to list and scan images stored in your registry.
- List images from a registry: Use `endorctl container registry list` to preview which images match your filters before scanning. This lets you verify the scope and adjust filtering parameters such as `--include`, `--exclude`, `--recent`, and `--limit`. You can also save the results as a scan plan for the scan step.
- Scan images from a registry: Use `endorctl container registry scan` to enumerate and scan container images from a registry in a single step. You can also provide a saved scan plan from the list command instead of enumerating the registry again.
Use a scan plan when you want to review the list of images before scanning. Scan plans make it easier to reuse these pre-qualified combinations of scan parameters and ensure consistent results across runs.
List command
The list command connects to your registry, enumerates container images based on your configured filters, and prints a summary with a table of image paths. You can also save the results as a scan plan to reuse with the scan command.
```shell
endorctl container registry list --registry-type=<type> [options]
```
You can apply filters such as include, exclude, recent, and limit to narrow down the images returned. If you provide a namespace and API credentials, the saved plan automatically excludes already scanned images, so it is ready to scan only new or updated images.
Filters are applied in the following order:
- include
- exclude
- recent
- limit
You can use the endorctl container registry list command with the following flags.
| Flag | Environment Variable | Type | Description |
|---|---|---|---|
| `--registry-type` | ENDOR_CONTAINER_REGISTRY_REGISTRY_TYPE | string | Container registry type. See supported container registries for the registries and their corresponding values. |
| `--registry` | ENDOR_CONTAINER_REGISTRY_REGISTRY | string | Registry server or host. See the supported container registries table for example formats. Required for Azure ACR and JFrog. |
| `--registry-namespace` | ENDOR_CONTAINER_REGISTRY_REGISTRY_NAMESPACE | string | The namespace or scope to list within. This flag is optional and is commonly used for the Docker Hub, GHCR, and JFrog Artifactory registries. For Docker Hub or GHCR, it is the organization or user name; for JFrog, it is the repository key. |
| `--include` | ENDOR_CONTAINER_REGISTRY_INCLUDE | string | Regex to include repositories or tags. Matches the repository name without the registry server or domain, the full repository and tag, or the digest. If not set, all repositories and their tags are included. |
| `--exclude` | ENDOR_CONTAINER_REGISTRY_EXCLUDE | string | Regex to exclude a subset of container image names by repository or by repository and tag. For example, `--exclude='test-repo'` excludes all tags in repositories matching `test-repo`, and `--exclude='myapp:latest'` excludes only the `latest` tag in repositories matching `myapp`. |
| `--recent` | ENDOR_CONTAINER_REGISTRY_RECENT | string | Include only images updated within the given recent time window. Use a duration string such as `24h`, `7d`, or `2d7h`. Applied after include and exclude. |
| `--limit` | ENDOR_CONTAINER_REGISTRY_LIMIT | integer | Limit the number of images in the result after all filters are applied. |
| `--include-untagged` | ENDOR_CONTAINER_REGISTRY_INCLUDE_UNTAGGED | boolean | Include untagged manifests when the registry type supports them. |
| `--include-untagged-only` | ENDOR_CONTAINER_REGISTRY_INCLUDE_UNTAGGED_ONLY | boolean | Consider only untagged container images. Use this only when the registry type supports untagged container images. |
| `--validate-tag-digest` | ENDOR_CONTAINER_REGISTRY_VALIDATE_TAG_DIGEST | boolean | Resolve and confirm the digest through a registry HEAD request for each tag. |
| `--architecture` | ENDOR_CONTAINER_REGISTRY_ARCHITECTURE | string | Preferred architecture for multi-architecture images, for example, `amd64`, `arm64`, or `linux/arm64`. |
| `--timeout` | ENDOR_CONTAINER_REGISTRY_TIMEOUT | string | Command timeout duration, such as `30s`, `1m`, or `5m`. Default is `30s`. |
| `--project-prefix` | ENDOR_CONTAINER_REGISTRY_PROJECT_PREFIX | string | Optional prefix for project names derived from the repository path. Without a prefix, the project name uses the container image repository path. |
| `--save-as-plan` | ENDOR_CONTAINER_REGISTRY_SAVE_AS_PLAN | string | Write the list output as a scan plan JSON file to use with `endorctl container registry scan --scan-plan`. |
| `--scanned-only` | ENDOR_CONTAINER_REGISTRY_SCANNED_ONLY | boolean | Show only images that have already been scanned in Endor Labs. Requires `--namespace` and API credentials. Cannot be used with `--save-as-plan`. |
| `--exclude-scanned` | ENDOR_CONTAINER_REGISTRY_EXCLUDE_SCANNED | boolean | Exclude images that are already scanned from the output. Without this flag, already-scanned images are still skipped during scanning; the flag only affects what appears in the list output. If a tag points to a new digest, Endor Labs treats it as a new image and scans it. When saving with `--save-as-plan`, the saved plan always excludes scanned images regardless of this flag. Requires `--namespace` and API credentials. |
Scan command
The scan command runs Endor Labs container scans on a set of images. You can pass a saved scan plan from the list command or enumerate the registry with the same filter flags as list. The command pulls each image if needed, runs the scan, and by default removes pulled images after scanning. The --namespace and API credentials are required. Images that are already scanned are automatically skipped.
- Scan using a saved scan plan:
  ```shell
  endorctl container registry scan --namespace=<namespace> --scan-plan=<path> [options]
  ```
- Scan using a registry type. When you do not use `--scan-plan`, pass `--registry-type`:
  ```shell
  endorctl container registry scan --namespace=<namespace> --registry-type=<type> [options]
  ```
You can use the endorctl container registry scan command with the following flags.
| Flag | Environment Variable | Type | Description |
|---|---|---|---|
| `--namespace`, `-n` | ENDOR_NAMESPACE | string | Endor Labs namespace for the scan and for checking current scan status. |
| `--scan-plan` | ENDOR_CONTAINER_REGISTRY_SCAN_PLAN | string | Path to a scan plan JSON file produced by `endorctl container registry list --save-as-plan`. Either `--registry-type` or `--scan-plan` is required. |
| `--show-scan-plan` | ENDOR_CONTAINER_REGISTRY_SHOW_SCAN_PLAN | boolean | Print the scan plan, including registry, filters, counts, and image list, before starting scans. Set to `false` to skip this output and start scanning immediately. |
| `--reauth` | ENDOR_CONTAINER_REGISTRY_REAUTH | boolean | Try to refresh registry credentials if authentication fails. For ECR and ACR, this uses the AWS CLI or Azure CLI respectively to refresh credentials. |
| `--keep-pulled-images` | ENDOR_CONTAINER_REGISTRY_KEEP_PULLED_IMAGES | boolean | Keep pulled images in the local daemon after scanning. By default, pulled images are removed to free disk space. |
Supported container registries
The `endorctl container registry list` and `endorctl container registry scan` commands support the following container registries. Use the Registry type value for `--registry-type` and the Registry host value for `--registry`.
| Name | Registry type | Registry host |
|---|---|---|
| AWS ECR | `aws.ecr` | `<account-id>.dkr.ecr.<region>.amazonaws.com` |
| Azure ACR | `azure.acr` | `<name>.azurecr.io` |
| Docker Hub | `dockerhub` | `docker.io` |
| GitHub Container Registry | `ghcr` | `ghcr.io` |
| JFrog Artifactory | `artifactory` | `https://<org>.jfrog.io` |
Specify `--registry` when you use Azure ACR or JFrog registries.
Output format
The list and scan commands both produce output that includes summary lines and, when there are image rows, a table. The scan command shows this when --show-scan-plan is enabled.
If any image rows remain after filters, the command prints a table with the following columns:
| Column | Description |
|---|---|
| IMAGE | Image path in tag or digest form. |
| DIGEST | Architecture-specific image digest. |
| CREATED | RFC3339 UTC timestamp. |
| UPDATED | RFC3339 UTC timestamp. |
| MULTI-ARCH | Indicates if the given container image in the registry is a multi-architecture container image represented by a manifest list. |
| ARCH | Selected architecture when the image is multi-architecture. |
| LIST-DIGEST | Shortened manifest list digest for multi-architecture only. |
Scan plan output
The scan plan is a JSON file written by the endorctl container registry list command with --save-as-plan and read by the scan command with --scan-plan. When list is run with --namespace and API credentials, the saved plan excludes images that are already scanned so that it is ready to scan only new or unscanned images. The structure is:
```yaml
parameters:
  registry_type: string            # required
  server: string                   # optional
  namespace: string                # optional
  account: string                  # optional. Used only for Docker Hub and GHCR.
  repo_key: string                 # optional. Used only for JFrog.
  architecture: string             # optional
  include: string                  # optional
  exclude: string                  # optional
  recent: string                   # optional
  limit: integer                   # optional
  include_untagged: boolean        # optional
  include_untagged_only: boolean   # optional
  validate_tag_digest: boolean     # optional
  timeout_seconds: integer         # required
counts:
  repositories: integer
  tags: integer
  untagged_manifests: integer      # optional
  matching_repositories: integer   # optional
  matching_tags: integer           # optional
  matching_untagged: integer       # optional
  ignored_repositories: integer    # optional
  ignored_tags: integer            # optional
  ignored_untagged: integer        # optional
  digest_validated_tags: integer   # optional
  digest_mismatch_tags: integer    # optional
  digest_lookup_errors: integer    # optional
images:                            # array
  - path: string                   # full image reference, tag or digest
    created: string
    updated: string
    multi_arch: boolean            # optional
    arch: string                   # optional
    multi_arch_digest: string      # optional
```
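The following script is an added example written for this page; it is not endorctl code and not Endor Labs' implementation. It models two things documented above: the order in which the list command applies its filters (include, then exclude, then recent, then limit) and the scan-plan structure (parameters, counts, images) that `--save-as-plan` writes. The sample image records, dates, and digest are constructed. Two details are assumptions rather than confirmed endorctl behaviour: a regex is treated as an unanchored search against the repository name (with any registry host dropped) and against the full reference, and `recent` is compared against the `updated` timestamp. Running the script prints a plan for the constructed images; `build_plan` returns the same structure for use in tests or tooling.

```python
"""Model the documented list-filter order and scan-plan shape (added example, not endorctl)."""
import json
import re
from datetime import datetime, timedelta, timezone

# Fixed clock so the --recent window is deterministic (constructed value).
NOW = datetime(2024, 5, 12, tzinfo=timezone.utc)

# Constructed sample enumeration: paths, timestamps and the digest are made up.
SAMPLE_IMAGES = [
    {"path": "myapp:latest",     "created": "2024-05-01T10:00:00Z", "updated": "2024-05-10T10:00:00Z"},
    {"path": "myapp:1.2.0-rc1",  "created": "2024-05-11T09:00:00Z", "updated": "2024-05-11T09:00:00Z"},
    {"path": "test-repo:latest", "created": "2024-05-11T08:00:00Z", "updated": "2024-05-11T08:00:00Z"},
    {"path": "api:latest",       "created": "2023-12-20T00:00:00Z", "updated": "2024-01-01T00:00:00Z"},
    {"path": "api:2.0",          "created": "2024-05-11T07:00:00Z", "updated": "2024-05-11T07:00:00Z"},
    {"path": "myapp@sha256:" + "ab" * 32, "created": "2024-05-11T06:00:00Z", "updated": "2024-05-11T06:00:00Z"},
]

_UNIT_SECONDS = {"d": 86400, "h": 3600, "m": 60, "s": 1}


def parse_duration(text):
    """Parse a --recent style duration such as 24h, 7d or 2d7h into a timedelta."""
    if not re.fullmatch(r"(\d+[dhms])+", text or ""):
        raise ValueError(f"invalid duration: {text!r}")
    seconds = sum(int(n) * _UNIT_SECONDS[u] for n, u in re.findall(r"(\d+)([dhms])", text))
    return timedelta(seconds=seconds)


def repo_of(path):
    """Repository name without registry host, tag (repo:tag) or digest (repo@sha256:...)."""
    name = path.split("@", 1)[0]
    parts = name.split("/")
    if len(parts) > 1 and ("." in parts[0] or ":" in parts[0]):
        parts = parts[1:]  # assumption: a first component with '.' or ':' is the registry host
    name = "/".join(parts)
    colon = name.find(":", name.rfind("/") + 1)
    return name if colon == -1 else name[:colon]


def is_tagged(path):
    """A reference pinned by digest (repo@sha256:...) counts as untagged."""
    return "@" not in path


def _matches(pattern, image):
    # Assumption: a pattern hits if it matches the repo name or the full reference.
    return bool(pattern.search(repo_of(image["path"])) or pattern.search(image["path"]))


def _parse_ts(text):
    # RFC3339 'Z' suffix is not accepted by fromisoformat on older Pythons.
    return datetime.fromisoformat(text.replace("Z", "+00:00"))


def apply_filters(images, include=None, exclude=None, recent=None, limit=None, now=NOW):
    """Apply filters in the documented order: include, exclude, recent, limit."""
    selected = list(images)
    if include:
        pat = re.compile(include)
        selected = [i for i in selected if _matches(pat, i)]
    if exclude:
        pat = re.compile(exclude)
        selected = [i for i in selected if not _matches(pat, i)]
    if recent:
        cutoff = now - parse_duration(recent)
        selected = [i for i in selected if _parse_ts(i["updated"]) >= cutoff]
    if limit is not None:
        selected = selected[:limit]
    return selected


def build_plan(images, registry_type, timeout_seconds=30, **filters):
    """Assemble a dict in the documented scan-plan shape: parameters, counts, images."""
    selected = apply_filters(images, **filters)
    tagged = [i for i in images if is_tagged(i["path"])]
    untagged = [i for i in images if not is_tagged(i["path"])]
    sel_tagged = [i for i in selected if is_tagged(i["path"])]
    sel_untagged = len(selected) - len(sel_tagged)
    return {
        "parameters": {
            "registry_type": registry_type,
            **{k: v for k, v in filters.items() if v is not None},
            "timeout_seconds": timeout_seconds,
        },
        "counts": {
            "repositories": len({repo_of(i["path"]) for i in images}),
            "tags": len(tagged),
            "untagged_manifests": len(untagged),
            "matching_repositories": len({repo_of(i["path"]) for i in selected}),
            "matching_tags": len(sel_tagged),
            "matching_untagged": sel_untagged,
            "ignored_tags": len(tagged) - len(sel_tagged),
            "ignored_untagged": len(untagged) - sel_untagged,
        },
        "images": [{"path": i["path"], "created": i["created"], "updated": i["updated"]} for i in selected],
    }


if __name__ == "__main__":
    plan = build_plan(SAMPLE_IMAGES, "aws.ecr", include=r".*:latest", exclude="test-repo", recent="7d", limit=10)
    print(json.dumps(plan, indent=2))
```

Because the filters run in a fixed order, `--limit` truncates the already-filtered list rather than the raw enumeration, and `--recent` cannot bring back an image that `--exclude` removed; the counts in the plan make that visible by reporting both the total and the matching numbers.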
Container registry scanning with AWS ECR
The following commands use AWS ECR to show how to list images, apply filters, save a scan plan, and run scans. Use the appropriate --registry-type, --registry, and --registry-namespace values for other registries. See supported container registries to learn more.
- List all images in an AWS ECR registry.
  ```shell
  endorctl container registry list --registry-type aws.ecr
  ```
- Filter images updated in the last 7 days, include only tags matching `latest`, and exclude release candidate tags.
  ```shell
  endorctl container registry list --registry-type aws.ecr --recent 7d --include '.*:latest' --exclude '.*:-rc.*'
  ```
- Save the generated image list to a JSON scan plan file for use with the `container registry scan` command.
  ```shell
  endorctl container registry list --registry-type aws.ecr --save-as-plan registry-scan-plan.json
  ```
- List images including untagged manifests.
  ```shell
  endorctl container registry list --registry-type aws.ecr --include-untagged
  ```
- List only images that match a preferred architecture such as `arm64` when the repository contains multi-architecture images.
  ```shell
  endorctl container registry list --registry-type aws.ecr --architecture arm64
  ```
- Scan images defined in a previously saved scan plan file.
  ```shell
  endorctl container registry scan --namespace demo --registry-type=aws.ecr --reauth --scan-plan aws_ecr_scan_plan.json
  ```
- AWS ECR authenticates using the AWS SDK default credential chain, which includes environment variables, shared credential files, and IAM roles.
- For Docker Hub, use `--registry-type=dockerhub` and omit `--reauth`, because automated reauthentication requires access to Docker Hub credentials.
Troubleshooting
Authentication fails when listing or scanning images
- Ensure your registry credentials are valid and that the registry type and host are correct. Use `--reauth` to refresh credentials when using AWS ECR or Azure ACR.
- For Docker Hub and GHCR, verify the environment variables or log in with the registry's CLI.
- For Azure ACR and JFrog, verify that `--registry` is set.
Scan plan includes images I already scanned
- Images that are already scanned are excluded only when you run list with `--namespace` and valid API credentials. Without them, the saved plan includes all matching images.
- Re-run `endorctl container registry list` with `--namespace` and `--exclude-scanned`, save a new plan with `--save-as-plan`, then run the scan command with that plan.
How to generate a scan plan for a JFrog registry?
Run the list command with your registry details and `--save-as-plan` to save the enumerated images to a JSON file.
```shell
endorctl container registry list --registry-type artifactory --registry jfrog-host --registry-namespace repo-key --save-as-plan registry-scan-plan.json
```
Replace `jfrog-host` with your JFrog host and `repo-key` with your repository key.