Auditing events for Container Registry
Use IBM Cloud® Activity Tracker to track how users and applications interact with the IBM Cloud® Container Registry service in IBM Cloud.
The IBM Cloud Activity Tracker service records user-initiated activities that change the state of a service in the IBM Cloud. For more information, see Getting started with IBM Cloud Activity Tracker and About Activity Tracker in IBM Cloud.
Locations of service events
You can track how users and applications interact with the IBM Cloud Container Registry service. The following tables list the locations where the automatic collection of Container Registry service events is enabled.
Locations in Americas | Service events available |
---|---|
Dallas (us-south) | Yes |
Sao Paulo (br-sao) | Yes |
Toronto (ca-tor) | Yes |
Locations in Asia Pacific | Service events available |
---|---|
Osaka (jp-osa) | Yes |
Sydney (au-syd) | Yes |
Tokyo (jp-tok) | Yes |
Locations in Europe | Service events available |
---|---|
Frankfurt (eu-de) | Yes |
London (eu-gb) | Yes |
Madrid (eu-es) | Yes |
Location for Global | Service events available |
---|---|
Global | Yes |
For more information about where to see Container Registry events, see Where to look for events.
For more information about the locations where IBM Cloud services are enabled to automatically collect events, see IBM Cloud services that generate Activity Tracker events by location.
Where to look for events
IBM Cloud Activity Tracker events
The region in which a Container Registry or a Vulnerability Advisor event is available corresponds to the region of the Container Registry that generated the event, except for ap-south. Events for ap-south show in Tokyo (jp-tok).
The following table shows the location of IBM Cloud Activity Tracker events.
Region for your account's registry | Domain name of your registry | Location of IBM Cloud Activity Tracker events |
---|---|---|
ap-north | jp.icr.io | Tokyo (jp-tok) |
ap-south | au.icr.io | Tokyo (jp-tok) |
br-sao | br.icr.io | Sao Paulo (br-sao) |
ca-tor | ca.icr.io | Toronto (ca-tor) |
eu-central | de.icr.io | Frankfurt (eu-de) |
eu-es | es.icr.io | Madrid (eu-es) |
jp-osa | jp2.icr.io | Osaka (jp-osa) |
uk-south | uk.icr.io | London (eu-gb) |
us-south | us.icr.io | Dallas (us-south) |
The following table shows the location of global registry IBM Cloud Activity Tracker events.
Registry | Global registry | Location of IBM Cloud Activity Tracker events |
---|---|---|
Global | icr.io | Dallas (us-south) |
API methods
The following tables list the API methods that generate an event when they are called.
Actions that generate events for authorization
Action | Description | Data Event |
---|---|---|
container-registry.auth.get | Check whether the use of public connections is prevented for image pushes or pulls in your account. | False |
container-registry.auth.set | Prevent or allow image pulls or pushes over public network connections for your account. | False |
Actions that generate events for images
Action | Description | Data Event |
---|---|---|
container-registry.image.bulkdelete | Delete multiple images from Container Registry. If the image is signed, the signature is deleted as well. | True |
container-registry.image.delete | Delete an image from Container Registry. If the image is signed, the signature is deleted as well. | True |
container-registry.image.inspect | Display details about an image. | False |
container-registry.image.list | List the images in your IBM account. | False |
container-registry.image.pull | Pull an image from Container Registry. | True |
container-registry.image.push | Push an image to Container Registry. | True |
container-registry.image.tag | Add a tag that refers to a pre-existing Container Registry image. | False |
container-registry.image.untag | Remove a tag, or tags, from each specified image in Container Registry. | False |
container-registry.manifest.inspect | View the contents of the manifest for an image. | False |
Actions that generate events for namespaces
Action | Description | Data Event |
---|---|---|
container-registry.namespace.create | Create a namespace in Container Registry. Assign a Container Registry namespace to a resource group. | False |
container-registry.namespace.delete | Delete a namespace from Container Registry. | False |
container-registry.namespace.list | List the Container Registry namespaces in your IBM account. | False |
Actions that generate events for plans
Action | Description | Data Event |
---|---|---|
container-registry.plan.get | Display information about the current pricing plan. | False |
container-registry.plan.set | Upgrade to the standard plan. | False |
Actions that generate events for quotas
Action | Description | Data Event |
---|---|---|
container-registry.quota.get | Display the current quotas for traffic and storage, and the usage information against those quotas. | False |
container-registry.quota.set | Modify the quotas. Quota settings must be managed separately for your account in each registry instance. You can set quota limits for storage in your free or standard plan. | False |
Actions that generate events for retention policies
Action | Description | Data Event |
---|---|---|
container-registry.retention.analyze | List the images that are deleted if you apply a specific retention policy. | False |
container-registry.retention.list | List the image retention policies for your account. | False |
container-registry.retention.set | Set a policy to retain images in a namespace in Container Registry by applying specified criteria. | False |
Actions that generate events for settings
Action | Description | Data Event |
---|---|---|
container-registry.settings.get | Get registry service settings for the targeted account, such as whether platform metrics are enabled. | False |
container-registry.settings.set | Update registry service settings for the targeted account, such as enabling platform metrics. | False |
Actions that generate events for signing images
Action | Description | Data Event |
---|---|---|
container-registry.signature.delete | Delete a signature from an image in Container Registry. | True |
container-registry.signature.read | Read a signature from an image in Container Registry. | True |
container-registry.signature.write | Write a signature to an image in Container Registry. | True |
Actions that generate events for trash
Action | Description | Data Event |
---|---|---|
container-registry.trash.list | Display all the images in the trash in your IBM Cloud account. | False |
container-registry.trash.restore | Restore a deleted image from the trash. If the deleted image is signed, the signature is restored too. | False |
Actions that generate events for vulnerabilities
Action | Description | Data Event |
---|---|---|
container-registry.account-vulnerability-report.list | View the Vulnerability Advisor reports for images in your Container Registry account. For more information about request data, see Request data for the account vulnerability report. | False |
container-registry.account-vulnerability-status.list | View Vulnerability Advisor security status for images in your Container Registry account. For more information about request data, see Request data for the account vulnerability status. | False |
container-registry.image-vulnerability-report.read | View the Vulnerability Advisor report for an image in Container Registry. For more information about request and response data, see Request and response data for the vulnerability report. | False |
container-registry.image-vulnerability-status.read | View the Vulnerability Advisor security status for an image in Container Registry. For more information about request and response data, see Request and response data for the vulnerability status. | False |
Actions that generate events for exemption policies
Action | Description | Data Event |
---|---|---|
container-registry.exemption.create | Create a Vulnerability Advisor exemption. | False |
container-registry.exemption.delete | Delete a Vulnerability Advisor exemption. | False |
Analyzing Activity Tracker events
The following fields are populated as described, depending on how you populate the request:
- target.name shows the image name and, if you request an image name with a tag, a tag. If you request an image name by digest, the digest is shown instead of the tag because the digest might have many tags.
- target.id shows the image name by digest to represent a searchable unique ID for the image, unless the request is for an image with a tag and the request fails before the digest is discovered. To see all the events for this digest across all tags, you can search by target.id.
- target.resourceGroupId shows the resource group ID that is associated with a namespace and its resources. For more information, see Set up a namespace. Earlier namespaces that aren't migrated to IAM don't have a resource group; therefore, this field is not available.
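As an added example (not part of the IBM documentation), the following Python code joins events on target.id so that activity against one digest is seen across all of its tags, and surfaces actions from the tables above that remove images or signatures or relax a control. It assumes events exported as one JSON object per line with a nested target object; the watchlist, the sample events, the placeholder digests, and the "unresolved" bucket for a target.id without a digest are constructed for illustration.

```python
import json
from collections import defaultdict

# Assumption of this example: which documented actions deserve review.
WATCHLIST = {
    "container-registry.image.delete",
    "container-registry.image.bulkdelete",
    "container-registry.signature.delete",
    "container-registry.exemption.create",
    "container-registry.auth.set",
}

# Constructed sample events, one JSON object per line; digests are placeholders.
SAMPLE = """\
{"action": "container-registry.image.push", "target": {"name": "us.icr.io/ns/app:1.0", "id": "us.icr.io/ns/app@sha256:aaaa"}}
{"action": "container-registry.image.tag", "target": {"name": "us.icr.io/ns/app:latest", "id": "us.icr.io/ns/app@sha256:aaaa"}}
{"action": "container-registry.signature.delete", "target": {"name": "us.icr.io/ns/app:latest", "id": "us.icr.io/ns/app@sha256:aaaa"}}
{"action": "container-registry.image.pull", "target": {"name": "us.icr.io/ns/db:2", "id": "us.icr.io/ns/db:2"}}
{"action": "container-registry.image.pull", "target": {"name": "us.icr.io/ns/db@sha256:bbbb", "id": "us.icr.io/ns/db@sha256:bbbb"}}
"""

def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

def group_by_digest(events):
    """Map each target.id digest reference to the names and actions seen for it."""
    groups = defaultdict(lambda: {"names": set(), "actions": []})
    for ev in events:
        target = ev.get("target", {})
        tid = target.get("id", "")
        # A request that failed before the digest was discovered cannot be
        # joined to other events, so it is kept apart (assumed handling).
        key = tid if "@sha256:" in tid else "unresolved"
        groups[key]["names"].add(target.get("name", ""))
        groups[key]["actions"].append(ev.get("action", ""))
    return dict(groups)

def flagged(groups):
    """Return {digest: [watchlisted actions]} for digests with at least one hit."""
    hits = {k: [a for a in g["actions"] if a in WATCHLIST] for k, g in groups.items()}
    return {k: v for k, v in hits.items() if v}

if __name__ == "__main__":
    groups = group_by_digest(parse_events(SAMPLE))
    for key, actions in flagged(groups).items():
        print(key, sorted(groups[key]["names"]), actions)
```

Grouping on target.id rather than target.name is what ties the signature deletion made through the latest tag back to the image that was pushed as 1.0.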
Request data for vulnerability events
Get the data for vulnerability events in Container Registry.
Request data for the account vulnerability report
Get the vulnerability assessment (container-registry.account-vulnerability-report.list) for the list of registry images that belong to a specific account.
The following table lists the fields that are available through the requestData field in events with the action container-registry.account-vulnerability-report.list.
Custom Event Fields | Type | Description |
---|---|---|
requestData.RequestParameters.repository | String | The name of the repository that you want to see image vulnerability assessments for. For example, us.icr.io/namespace/image. |
requestData.RequestParameters.includeIBM | String | When set to true, the returned list contains IBM public images and the account images. If not set, or set to false, the list contains only the account images. |
requestData.RequestParameters.includePrivate | String | When set to false, the returned list does not contain the private account images. If not set, or set to true, the list contains the private account images. |
For more information about the action container-registry.account-vulnerability-report.list, see Get the vulnerability assessment for all images in the API documentation.
Request data for the account vulnerability status
Get the vulnerability assessment status (container-registry.account-vulnerability-status.list) for the list of registry images that belong to a specific account.
The following table lists the fields that are available through the requestData field in events with the action container-registry.account-vulnerability-status.list.
Custom Event Fields | Type | Description |
---|---|---|
requestData.RequestParameters.repository | String | The name of the repository that you want to see image vulnerability assessments for. For example, us.icr.io/namespace/image. |
requestData.RequestParameters.includeIBM | String | When set to true, the returned list contains IBM public images and the account images. If not set, or set to false, the list contains only the account images. |
requestData.RequestParameters.includePrivate | String | When set to false, the returned list does not contain the private account images. If not set, or set to true, the list contains the private account images. |
For more information about the action container-registry.account-vulnerability-status.list, see Get vulnerability assessment status for all images in the API documentation.
Request and response data for the vulnerability report
Get the vulnerability assessment (container-registry.image-vulnerability-report.read) for a registry image.
The following table lists the fields that are available through the requestData and responseData fields in events with the action container-registry.image-vulnerability-report.read.
Custom Event Fields | Type | Description |
---|---|---|
requestData.RequestParameters.name | String | The name of the image. For example, us.icr.io/namespace/repository:tag. The following constraint applies: The value must match the regular expression |
responseData.id | String | The unique ID of the report. |
responseData.status | String | The following values for the overall vulnerability assessment status are available: For more information about these status codes, see Vulnerability report status codes in the API documentation. |
For more information, see Get vulnerability assessment status in the API documentation.
Request and response data for the vulnerability status
Get the overall vulnerability status (container-registry.image-vulnerability-status.read) for a registry image.
The following table lists the fields that are available through the requestData and responseData fields in events with the action container-registry.image-vulnerability-status.read.
Custom Event Fields | Type | Description |
---|---|---|
requestData.RequestParameters.name | String | The name of the image. For example, us.icr.io/namespace/repository:tag. The following constraint applies: The value must match the regular expression |
responseData.status | String | The following values for the overall vulnerability assessment status are available: For more information about these status codes, see Vulnerability report status codes in the API documentation. |
For more information, see Get vulnerability status in the API documentation.
Request data for image signing events
Get the data for events about image signing in Container Registry.
The following table lists the fields that are available through the requestData field in events with the following actions:
- container-registry.signature.delete
- container-registry.signature.read
- container-registry.signature.write
Custom Event Fields | Type | Description |
---|---|---|
requestData.RequestParameters.repository | String | The name of the repository for which you want to see image signing reports. For example, us.icr.io/namespace/image. |
requestData.RequestParameters.signatureMethod | String | Displays the technology that is used to sign the image, such as Red Hat Signing. |
requestData.RequestParameters.signatureObject | String | Specifies the object type upon which a signing operation is performed, for example, image. |