IBM Cloud Docs
Auditing events for Container Registry

Use IBM Cloud® Activity Tracker to track how users and applications interact with the IBM Cloud® Container Registry service in IBM Cloud.

The IBM Cloud Activity Tracker service records user-initiated activities that change the state of a service in the IBM Cloud. For more information, see Getting started with IBM Cloud Activity Tracker and About Activity Tracker in IBM Cloud.

Locations of service events

You can track how users and applications interact with the IBM Cloud Container Registry service. The following tables list the locations where the automatic collection of Container Registry service events is enabled.

Table 1. The automatic collection of Container Registry service events in Americas locations

| Locations in Americas | Service events available |
|---|---|
| Dallas (us-south) | Yes |
| Sao Paulo (br-sao) | Yes |
| Toronto (ca-tor) | Yes |

Table 2. The automatic collection of Container Registry service events in Asia Pacific locations

| Locations in Asia Pacific | Service events available |
|---|---|
| Osaka (jp-osa) | Yes |
| Sydney (au-syd) | Yes |
| Tokyo (jp-tok) | Yes |

Table 3. The automatic collection of Container Registry service events in Europe locations

| Locations in Europe | Service events available |
|---|---|
| Frankfurt (eu-de) | Yes |
| London (eu-gb) | Yes |
| Madrid (eu-es) | Yes |

Table 4. The automatic collection of Container Registry service events for Global

| Location for Global | Service events available |
|---|---|
| Global | Yes |

For more information about where to see Container Registry events, see Where to look for events.

For more information about the locations where IBM Cloud services are enabled to automatically collect events, see IBM Cloud services that generate Activity Tracker events by location.

Where to look for events

IBM Cloud Activity Tracker events

The region in which a Container Registry or a Vulnerability Advisor event is available corresponds to the region of the Container Registry that generated the event, except for ap-south. Events for ap-south show in Tokyo (jp-tok).

The following table shows the location of IBM Cloud Activity Tracker events.

Table 5. Location of IBM Cloud Activity Tracker events

| Region for your account's registry | Domain name of your registry | Location of IBM Cloud Activity Tracker events |
|---|---|---|
| ap-north | jp.icr.io | Tokyo (jp-tok) |
| ap-south | au.icr.io | Tokyo (jp-tok) |
| br-sao | br.icr.io | Sao Paulo (br-sao) |
| ca-tor | ca.icr.io | Toronto (ca-tor) |
| eu-central | de.icr.io | Frankfurt (eu-de) |
| eu-es | es.icr.io | Madrid (eu-es) |
| jp-osa | jp2.icr.io | Osaka (jp-osa) |
| uk-south | uk.icr.io | London (eu-gb) |
| us-south | us.icr.io | Dallas (us-south) |

The following table shows the location of global registry IBM Cloud Activity Tracker events.

Table 6. Location of global registry IBM Cloud Activity Tracker events

| Registry | Global registry | Location of IBM Cloud Activity Tracker events |
|---|---|---|
| Global | icr.io | Dallas (us-south) |

API methods

The following tables list the API methods that generate an event when they are called.

Actions that generate events for authorization

Table 7. Actions that generate events for your authorization

| Action | Description | Data Event |
|---|---|---|
| container-registry.auth.get | Check whether the use of public connections is prevented for image pushes or pulls in your account. | False |
| container-registry.auth.set | Prevent or allow image pulls or pushes over public network connections for your account. | False |

Actions that generate events for images

Table 8. Actions that generate events for images

| Action | Description | Data Event |
|---|---|---|
| container-registry.image.bulkdelete | Delete multiple images from Container Registry. If the image is signed, the signature is deleted as well. | True |
| container-registry.image.delete | Delete an image from Container Registry. If the image is signed, the signature is deleted as well. | True |
| container-registry.image.inspect | Display details about an image. | False |
| container-registry.image.list | List the images in your IBM account. | False |
| container-registry.image.pull | Pull an image from Container Registry. | True |
| container-registry.image.push | Push an image to Container Registry. | True |
| container-registry.image.tag | Add a tag that refers to a pre-existing Container Registry image. | False |
| container-registry.image.untag | Remove a tag, or tags, from each specified image in Container Registry. | False |
| container-registry.manifest.inspect | View the contents of the manifest for an image. | False |

Actions that generate events for namespaces

Table 9. Actions that generate events for namespaces

| Action | Description | Data Event |
|---|---|---|
| container-registry.namespace.create | Create a namespace in Container Registry. Assign a Container Registry namespace to a resource group. | False |
| container-registry.namespace.delete | Delete a namespace from Container Registry. | False |
| container-registry.namespace.list | List the Container Registry namespaces in your IBM account. | False |

Actions that generate events for plans

Table 10. Actions that generate events for plans

| Action | Description | Data Event |
|---|---|---|
| container-registry.plan.get | Display information about the current pricing plan. | False |
| container-registry.plan.set | Upgrade to the standard plan. | False |

Actions that generate events for quotas

Table 11. Actions that generate events for quotas

| Action | Description | Data Event |
|---|---|---|
| container-registry.quota.get | Display the current quotas for traffic and storage, and the usage information against those quotas. | False |
| container-registry.quota.set | Modify the quotas. Quota settings must be managed separately for your account in each registry instance. You can set quota limits for storage in your free or standard plan. | False |

Actions that generate events for retention policies

Table 12. Actions that generate events for retention policies

| Action | Description | Data Event |
|---|---|---|
| container-registry.retention.analyze | List the images that are deleted if you apply a specific retention policy. | False |
| container-registry.retention.list | List the image retention policies for your account. | False |
| container-registry.retention.set | Set a policy to retain images in a namespace in Container Registry by applying specified criteria. | False |

Actions that generate events for settings

Table 13. Actions that generate events for settings

| Action | Description | Data Event |
|---|---|---|
| container-registry.settings.get | Get registry service settings for the targeted account, such as whether platform metrics are enabled. | False |
| container-registry.settings.set | Update registry service settings for the targeted account, such as enabling platform metrics. | False |

Actions that generate events for signing images

Table 14. Actions that generate events for signing images

| Action | Description | Data Event |
|---|---|---|
| container-registry.signature.delete | Delete a signature from an image in Container Registry. | True |
| container-registry.signature.read | Read a signature from an image in Container Registry. | True |
| container-registry.signature.write | Write a signature to an image in Container Registry. | True |

Actions that generate events for trash

Table 15. Actions that generate events for trash

| Action | Description | Data Event |
|---|---|---|
| container-registry.trash.list | Display all the images in the trash in your IBM Cloud account. | False |
| container-registry.trash.restore | Restore a deleted image from the trash. If the deleted image is signed, the signature is restored too. | False |

Actions that generate events for vulnerabilities

Table 16. Actions that generate events for vulnerabilities

| Action | Description | Data Event |
|---|---|---|
| container-registry.account-vulnerability-report.list | View the Vulnerability Advisor reports for images in your Container Registry account. For more information about request data, see Request data for the account vulnerability report. | False |
| container-registry.account-vulnerability-status.list | View Vulnerability Advisor security status for images in your Container Registry account. For more information about request data, see Request data for the account vulnerability status. | False |
| container-registry.image-vulnerability-report.read | View the Vulnerability Advisor report for an image in Container Registry. For more information about request and response data, see Request and response data for the vulnerability report. | False |
| container-registry.image-vulnerability-status.read | View the Vulnerability Advisor security status for an image in Container Registry. For more information about request and response data, see Request and response data for the vulnerability status. | False |

Actions that generate events for exemption policies

Table 17. Actions that generate events for Vulnerability Advisor exemption policies

| Action | Description | Data Event |
|---|---|---|
| container-registry.exemption.create | Create a Vulnerability Advisor exemption. | False |
| container-registry.exemption.delete | Delete a Vulnerability Advisor exemption. | False |

Analyzing Activity Tracker events

The following fields are populated as described, depending on how you populate the request:

  • target.name shows the image name and, if you request an image name with a tag, a tag. If you request an image name by digest, the digest is shown instead of the tag because the digest might have many tags.

  • target.id shows the image name by digest to represent a searchable unique ID for the image, unless the request is for an image with a tag and the request fails before the digest is discovered. To see all the events for this digest across all tags, you can search by target.id.

  • target.resourceGroupId shows the resource group ID that is associated with a namespace and its resources. For more information, see Set up a namespace.

    Earlier namespaces that aren't migrated to IAM don't have a resource group; therefore, this field is not available.
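
The following Python code is an added example, not part of IBM's documentation. It groups events by target.id as described above, so that activity on one digest under several tags lines up, and it sets aside events whose target.id has no digest. The event dict shape, the sample events, the name@sha256: form of target.id, and the choice of watched actions are assumptions of this example.

```python
from collections import defaultdict

# Actions taken from the tables on this page. Treating these four as the ones
# to watch is this example's choice.
WATCHED = {
    "container-registry.image.delete",
    "container-registry.image.bulkdelete",
    "container-registry.signature.delete",
    "container-registry.exemption.create",
}

def correlate(events):
    """Group events by target.id so activity under different tags lines up.

    Events whose target.id carries no digest (a tagged request that failed
    before the digest was discovered) are returned separately.
    """
    by_digest, unresolved = defaultdict(list), []
    for ev in events:
        target = ev.get("target") or {}
        tid = target.get("id") or ""
        if "@sha256:" in tid:
            by_digest[tid].append((ev.get("action"), target.get("name")))
        else:
            unresolved.append(ev)
    return dict(by_digest), unresolved

def summarize(by_digest):
    """Per digest: every name it was addressed by, and any watched actions."""
    return {
        tid: {
            "names": sorted({name for _, name in seen if name}),
            "watched": sorted({a for a, _ in seen} & WATCHED),
        }
        for tid, seen in by_digest.items()
    }

# Constructed sample events (not real Activity Tracker output). Assumed shape:
# a dict with "action" and a nested "target" holding "id" and "name". The
# last event assumes a failed tagged request keeps the tagged name as its id.
IMG = "us.icr.io/namespace/image"
BY_DIGEST = IMG + "@sha256:" + "a" * 64  # constructed digest
SAMPLE = [
    {"action": "container-registry.image.push", "target": {"id": BY_DIGEST, "name": IMG + ":v1"}},
    {"action": "container-registry.image.pull", "target": {"id": BY_DIGEST, "name": IMG + ":prod"}},
    {"action": "container-registry.signature.delete", "target": {"id": BY_DIGEST, "name": BY_DIGEST}},
    {"action": "container-registry.image.pull", "target": {"id": IMG + ":gone", "name": IMG + ":gone"}},
]
```

Calling summarize(correlate(SAMPLE)[0]) shows that the signature deletion requested by digest touched the same image that was pushed as :v1 and pulled as :prod, which a search on target.name alone would not connect.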

Request data for vulnerability events

Get the data for vulnerability events in Container Registry.

Request data for the account vulnerability report

Get the vulnerability assessment (container-registry.account-vulnerability-report.list) for the list of registry images that belong to a specific account.

The following table lists the fields that are available through the requestData field in events with the action container-registry.account-vulnerability-report.list.

Table 18. Custom event fields for Container Registry account vulnerability reports list

| Custom Event Fields | Type | Description |
|---|---|---|
| requestData.RequestParameters.repository | String | The name of the repository that you want to see image vulnerability assessments for. For example, us.icr.io/namespace/image. |
| requestData.RequestParameters.includeIBM | String | When set to true, the returned list contains IBM public images and the account images. If not set, or set to false, the list contains only the account images. |
| requestData.RequestParameters.includePrivate | String | When set to false, the returned list does not contain the private account images. If not set, or set to true, the list contains the private account images. |

For more information about the action container-registry.account-vulnerability-report.list, see Get the vulnerability assessment for all images in the API documentation.

Request data for the account vulnerability status

Get the vulnerability assessment status (container-registry.account-vulnerability-status.list) for the list of registry images that belong to a specific account.

The following table lists the fields that are available through the requestData field in events with the action container-registry.account-vulnerability-status.list.

Table 19. Custom event fields for Container Registry account vulnerability status list

| Custom Event Fields | Type | Description |
|---|---|---|
| requestData.RequestParameters.repository | String | The name of the repository that you want to see image vulnerability assessments for. For example, us.icr.io/namespace/image. |
| requestData.RequestParameters.includeIBM | String | When set to true, the returned list contains IBM public images and the account images. If not set, or set to false, the list contains only the account images. |
| requestData.RequestParameters.includePrivate | String | When set to false, the returned list does not contain the private account images. If not set, or set to true, the list contains the private account images. |

For more information about the action container-registry.account-vulnerability-status.list, see Get vulnerability assessment status for all images in the API documentation.

Request and response data for the vulnerability report

Get the vulnerability assessment (container-registry.image-vulnerability-report.read) for a registry image.

The following table lists the fields that are available through the requestData and responseData fields in events with the action container-registry.image-vulnerability-report.read.

Table 20. Custom event fields for Container Registry image vulnerability reports read

| Custom Event Fields | Type | Description |
|---|---|---|
| requestData.RequestParameters.name | String | The name of the image. For example, us.icr.io/namespace/repository:tag. The following constraint applies: The value must match the regular expression .*. |
| responseData.id | String | The unique ID of the report. |
| responseData.status | String | The following values for the overall vulnerability assessment status are available: OK, WARN, FAIL, UNSUPPORTED, INCOMPLETE, UNSCANNED. For more information about these status codes, see Vulnerability report status codes in the API documentation. |

For more information, see Get vulnerability assessment status in the API documentation.

Request and response data for the vulnerability status

Get the overall vulnerability status (container-registry.image-vulnerability-status.read) for a registry image.

The following table lists the fields that are available through the requestData and responseData fields in events with the action container-registry.image-vulnerability-status.read.

Table 21. Custom event fields for Container Registry image vulnerability status read

| Custom Event Fields | Type | Description |
|---|---|---|
| requestData.RequestParameters.name | String | The name of the image. For example, us.icr.io/namespace/repository:tag. The following constraint applies: The value must match the regular expression .*. |
| responseData.status | String | The following values for the overall vulnerability assessment status are available: OK, WARN, FAIL, UNSUPPORTED, INCOMPLETE, UNSCANNED. For more information about these status codes, see Vulnerability report status codes in the API documentation. |

For more information, see Get vulnerability status in the API documentation.

Request data for image signing events

Get the data for events about image signing in Container Registry.

The following table lists the fields that are available through the requestData field in events with the following actions:

  • container-registry.signature.delete
  • container-registry.signature.read
  • container-registry.signature.write

Table 22. Custom event fields for Container Registry signing

| Custom Event Fields | Type | Description |
|---|---|---|
| requestData.RequestParameters.repository | String | The name of the repository for which you want to see image signing reports. For example, us.icr.io/namespace/image. |
| requestData.RequestParameters.signatureMethod | String | Displays the technology that is used to sign the image, such as Red Hat Signing. |
| requestData.RequestParameters.signatureObject | String | Specifies the object type upon which a signing operation is performed, for example, image. |