feat(image): add image provider to UI (#10167)

Co-authored-by: alejandrobailo <alejandrobailo94@gmail.com>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Co-authored-by: Alejandro Bailo <59607668+alejandrobailo@users.noreply.github.com>

Author: 3 people

prowler/CHANGELOG.md

@@ -6,6 +6,7 @@ All notable changes to the **Prowler SDK** are documented in this file.
 
 ### 🚀 Added
 
+- `misconfig` scanner as default for Image provider scans [(#10167)](https://github.com/prowler-cloud/prowler/pull/10167)
 - `entra_conditional_access_policy_device_code_flow_blocked` check for M365 provider [(#10218)](https://github.com/prowler-cloud/prowler/pull/10218)
 - CheckMetadata Pydantic validators [(#8584)](https://github.com/prowler-cloud/prowler/pull/8583)
 - `entra_conditional_access_policy_require_mfa_for_admin_portals` check for Azure provider and update CIS compliance [(#10330)](https://github.com/prowler-cloud/prowler/pull/10330)

prowler/providers/image/image_provider.py

@@ -5,6 +5,7 @@
 import re
 import subprocess
 import sys
+import tempfile
 from typing import Generator
 
 from alive_progress import alive_bar
@@ -88,7 +89,9 @@ def __init__(
 
         self.images = images if images is not None else []
         self.image_list_file = image_list_file
-        self.scanners = scanners if scanners is not None else ["vuln", "secret"]
+        self.scanners = (
+            scanners if scanners is not None else ["vuln", "secret", "misconfig"]
+        )
         self.image_config_scanners = (
             image_config_scanners if image_config_scanners is not None else []
         )
@@ -100,6 +103,10 @@ def __init__(
         self._session = None
         self._identity = "prowler"
         self._listing_only = False
+        self._trivy_cache_dir_obj = tempfile.TemporaryDirectory(
+            prefix="prowler-trivy-cache-"
+        )
+        self._trivy_cache_dir = self._trivy_cache_dir_obj.name
 
         # Registry authentication (follows IaC pattern: explicit params, env vars internal)
         self.registry_username = registry_username or os.environ.get(
@@ -329,9 +336,15 @@ def _extract_registry(image: str) -> str | None:
     def _is_registry_url(image_uid: str) -> bool:
         """Determine whether an image UID is a registry URL (namespace only).
 
-        A registry URL like ``docker.io/andoniaf`` has a registry host but
-        the remaining part contains no ``/`` (no repo) and no ``:`` (no tag).
+        Bare hostnames like "714274078102.dkr.ecr.eu-west-1.amazonaws.com"
+        or "myregistry.com:5000" are registry URLs (dots in host, no slash).
+        Image references like "alpine:3.18" or "nginx" are not.
         """
+        if "/" not in image_uid:
+            host_part = image_uid.split(":")[0]
+            if "." in host_part:
+                return True
+
         registry_host = ImageProvider._extract_registry(image_uid)
         if not registry_host:
             return False
@@ -340,6 +353,8 @@ def _is_registry_url(image_uid: str) -> bool:
 
     def cleanup(self) -> None:
         """Clean up any resources after scanning."""
+        if hasattr(self, "_trivy_cache_dir_obj"):
+            self._trivy_cache_dir_obj.cleanup()
 
     def _process_finding(
         self,
@@ -540,6 +555,8 @@ def _scan_single_image(
             trivy_command = [
                 "trivy",
                 "image",
+                "--cache-dir",
+                self._trivy_cache_dir,
                 "--format",
                 "json",
                 "--scanners",
@@ -928,6 +945,9 @@ def test_connection(
         Uses registry HTTP APIs directly instead of Trivy to avoid false
         failures caused by Trivy DB download issues.
 
+        For bare registry hostnames (e.g. ECR URLs passed by the API as provider_uid),
+        uses the OCI catalog endpoint instead of trivy image.
+
         Args:
             image: Container image or registry URL to test
             raise_on_exception: Whether to raise exceptions
@@ -946,32 +966,34 @@ def test_connection(
             if not image:
                 return Connection(is_connected=False, error="Image name is required")
 
+            # Registry URL (bare hostname) → test via OCI catalog
             if ImageProvider._is_registry_url(image):
-                # Registry enumeration mode — test by listing repositories
-                adapter = create_registry_adapter(
+                return ImageProvider._test_registry_connection(
                     registry_url=image,
-                    username=registry_username,
-                    password=registry_password,
-                    token=registry_token,
+                    registry_username=registry_username,
+                    registry_password=registry_password,
+                    registry_token=registry_token,
                 )
-                adapter.list_repositories()
-                return Connection(is_connected=True)
 
-            # Image reference mode — verify the specific tag exists
+            # Image reference → verify tag exists via registry API
             registry_host = ImageProvider._extract_registry(image)
-            repo_and_tag = image[len(registry_host) + 1 :] if registry_host else image
-            if ":" in repo_and_tag:
-                repository, tag = repo_and_tag.rsplit(":", 1)
-            else:
-                repository = repo_and_tag
-                tag = "latest"
-
-            is_dockerhub = not registry_host or registry_host in (
+            is_dockerhub = registry_host is None or registry_host in (
                 "docker.io",
                 "registry-1.docker.io",
             )
 
-            # Docker Hub official images use "library/" prefix
+            # Parse repository and tag from the image reference
+            ref = image.rsplit("@", 1)[0] if "@" in image else image
+            last_segment = ref.split("/")[-1]
+            if ":" in last_segment:
+                tag = last_segment.split(":")[-1]
+                base = ref[: -(len(tag) + 1)]
+            else:
+                tag = "latest"
+                base = ref
+
+            repository = base[len(registry_host) + 1 :] if registry_host else base
+
             if is_dockerhub and "/" not in repository:
                 repository = f"library/{repository}"
 
@@ -1013,3 +1035,37 @@ def test_connection(
                 is_connected=False,
                 error=f"Unexpected error: {str(error)}",
             )
+
+    @staticmethod
+    def _test_registry_connection(
+        registry_url: str,
+        registry_username: str | None = None,
+        registry_password: str | None = None,
+        registry_token: str | None = None,
+    ) -> "Connection":
+        """Test connection to a registry URL by listing repositories via OCI catalog."""
+        try:
+            adapter = create_registry_adapter(
+                registry_url=registry_url,
+                username=registry_username,
+                password=registry_password,
+                token=registry_token,
+            )
+            adapter.list_repositories()
+            return Connection(is_connected=True)
+        except Exception as error:
+            error_str = str(error).lower()
+            if "401" in error_str or "unauthorized" in error_str:
+                return Connection(
+                    is_connected=False,
+                    error="Authentication failed. Check registry credentials.",
+                )
+            elif "404" in error_str or "not found" in error_str:
+                return Connection(
+                    is_connected=False,
+                    error="Registry catalog not found.",
+                )
+            return Connection(
+                is_connected=False,
+                error=f"Failed to connect to registry: {str(error)[:200]}",
+            )

prowler/providers/image/lib/arguments/arguments.py

@@ -50,9 +50,9 @@ def init_parser(self):
         "--scanner",
         dest="scanners",
         nargs="+",
-        default=["vuln", "secret"],
+        default=["vuln", "secret", "misconfig"],
         choices=SCANNERS_CHOICES,
-        help="Trivy scanners to use. Default: vuln, secret. Available: vuln, secret, misconfig, license",
+        help="Trivy scanners to use. Default: vuln, secret, misconfig. Available: vuln, secret, misconfig, license",
     )
 
     scan_config_group.add_argument(

tests/providers/image/image_provider_test.py

@@ -53,7 +53,7 @@ def test_image_provider(self):
         assert provider._type == "image"
         assert provider.type == "image"
         assert provider.images == ["alpine:3.18"]
-        assert provider.scanners == ["vuln", "secret"]
+        assert provider.scanners == ["vuln", "secret", "misconfig"]
         assert provider.image_config_scanners == []
         assert provider.trivy_severity == []
         assert provider.ignore_unfixed is False
@@ -698,8 +698,118 @@ def test_bare_image_name(self):
 
 
 class TestIsRegistryUrl:
-    def test_registry_url_with_namespace(self):
-        assert ImageProvider._is_registry_url("docker.io/andoniaf") is True
+    def test_bare_ecr_hostname(self):
+        assert ImageProvider._is_registry_url(
+            "714274078102.dkr.ecr.eu-west-1.amazonaws.com"
+        )
+
+    def test_bare_hostname_with_port(self):
+        assert ImageProvider._is_registry_url("myregistry.com:5000")
+
+    def test_bare_ghcr(self):
+        assert ImageProvider._is_registry_url("ghcr.io")
+
+    def test_registry_with_namespace_only(self):
+        """Registry URL with a single path segment (no tag) is a registry URL."""
+        assert ImageProvider._is_registry_url("ghcr.io/myorg")
+
+    def test_image_reference_not_registry(self):
+        """Full image reference with repo and tag is not a registry URL."""
+        assert not ImageProvider._is_registry_url("ghcr.io/myorg/repo:tag")
+
+    def test_simple_image_name(self):
+        assert not ImageProvider._is_registry_url("alpine:3.18")
+
+    def test_bare_image_no_tag(self):
+        assert not ImageProvider._is_registry_url("nginx")
+
+    def test_dockerhub_namespace(self):
+        assert not ImageProvider._is_registry_url("library/alpine")
+
+
+class TestTestRegistryConnection:
+    @patch("prowler.providers.image.image_provider.create_registry_adapter")
+    def test_registry_connection_success(self, mock_factory):
+        """Test that a bare hostname triggers registry catalog test."""
+        mock_adapter = MagicMock()
+        mock_adapter.list_repositories.return_value = ["repo1"]
+        mock_factory.return_value = mock_adapter
+
+        result = ImageProvider.test_connection(
+            image="714274078102.dkr.ecr.eu-west-1.amazonaws.com",
+            registry_username="user",
+            registry_password="pass",
+        )
+
+        assert result.is_connected is True
+        mock_factory.assert_called_once_with(
+            registry_url="714274078102.dkr.ecr.eu-west-1.amazonaws.com",
+            username="user",
+            password="pass",
+            token=None,
+        )
+        mock_adapter.list_repositories.assert_called_once()
+
+    @patch("prowler.providers.image.image_provider.create_registry_adapter")
+    def test_registry_connection_auth_failure(self, mock_factory):
+        """Test that 401 from registry adapter returns auth failure."""
+        mock_adapter = MagicMock()
+        mock_adapter.list_repositories.side_effect = Exception("401 unauthorized")
+        mock_factory.return_value = mock_adapter
+
+        result = ImageProvider.test_connection(
+            image="714274078102.dkr.ecr.eu-west-1.amazonaws.com",
+        )
+
+        assert result.is_connected is False
+        assert "Authentication failed" in result.error
+
+    @patch("prowler.providers.image.image_provider.create_registry_adapter")
+    def test_registry_connection_generic_error(self, mock_factory):
+        """Test that a generic error from registry adapter returns error message."""
+        mock_adapter = MagicMock()
+        mock_adapter.list_repositories.side_effect = Exception("connection refused")
+        mock_factory.return_value = mock_adapter
+
+        result = ImageProvider.test_connection(
+            image="myregistry.example.com",
+        )
+
+        assert result.is_connected is False
+        assert "Failed to connect to registry" in result.error
+
+    @patch("prowler.providers.image.image_provider.create_registry_adapter")
+    def test_image_reference_uses_registry_adapter(self, mock_factory):
+        """Test that a full image reference uses registry adapter to verify tag."""
+        mock_adapter = MagicMock()
+        mock_adapter.list_tags.return_value = ["3.18", "latest"]
+        mock_factory.return_value = mock_adapter
+
+        result = ImageProvider.test_connection(image="alpine:3.18")
+
+        assert result.is_connected is True
+        mock_adapter.list_tags.assert_called_once()
+
+
+class TestTrivyAuthIntegration:
+    @patch("subprocess.run")
+    def test_run_scan_passes_trivy_env_with_credentials(self, mock_subprocess):
+        """Test that run_scan() passes TRIVY_USERNAME/PASSWORD via env when credentials are set."""
+        mock_subprocess.return_value = MagicMock(
+            returncode=0, stdout=get_sample_trivy_json_output(), stderr=""
+        )
+        provider = _make_provider(
+            images=["ghcr.io/user/image:tag"],
+            registry_username="myuser",
+            registry_password="mypass",
+        )
+
+        list(provider.run_scan())
+
+        call_kwargs = mock_subprocess.call_args
+        env = call_kwargs.kwargs.get("env") or call_kwargs[1].get("env")
+        assert env["TRIVY_USERNAME"] == "myuser"
+        assert env["TRIVY_PASSWORD"] == "mypass"
 
     def test_registry_url_ghcr(self):
         assert ImageProvider._is_registry_url("ghcr.io/org") is True
@@ -734,6 +844,16 @@ def test_cleanup_idempotent(self):
         provider.cleanup()
         provider.cleanup()
 
+    def test_cleanup_removes_trivy_cache_dir(self):
+        """Test that cleanup removes the temporary Trivy cache directory."""
+        provider = _make_provider()
+        cache_dir = provider._trivy_cache_dir
+        assert os.path.isdir(cache_dir)
+
+        provider.cleanup()
+
+        assert not os.path.isdir(cache_dir)
+
 
 class TestImageProviderInputValidation:
     def test_invalid_timeout_format_raises_error(self):
@@ -804,6 +924,22 @@ def test_invalid_image_config_scanner_raises_error(self):
         with pytest.raises(ImageInvalidConfigScannerError):
             _make_provider(image_config_scanners=["misconfig", "vuln"])
 
+    @patch("subprocess.run")
+    def test_trivy_command_includes_cache_dir(self, mock_subprocess):
+        """Test that Trivy command includes --cache-dir for cache isolation."""
+        provider = _make_provider()
+        mock_subprocess.return_value = MagicMock(
+            returncode=0, stdout=get_empty_trivy_output(), stderr=""
+        )
+
+        for _ in provider._scan_single_image("alpine:3.18"):
+            pass
+
+        call_args = mock_subprocess.call_args[0][0]
+        assert "--cache-dir" in call_args
+        idx = call_args.index("--cache-dir")
+        assert call_args[idx + 1] == provider._trivy_cache_dir
+
     @patch("subprocess.run")
     def test_trivy_command_includes_image_config_scanners(self, mock_subprocess):
         """Test that Trivy command includes --image-config-scanners when set."""

ui/CHANGELOG.md

@@ -6,6 +6,7 @@ All notable changes to the **Prowler UI** are documented in this file.
 
 ### 🚀 Added
 
+- Image (Container Registry) provider support in UI: badge icon, credentials form, and provider-type filtering [(#10167)](https://github.com/prowler-cloud/prowler/pull/10167)
 - Organization and organizational unit row actions (Edit Name, Update Credentials, Test Connections, Delete) in providers table dropdown [(#10317)](https://github.com/prowler-cloud/prowler/pull/10317)
 - Events tab in Findings and Resource detail cards showing an AWS CloudTrail timeline with expandable event rows, actor info, request/response JSON payloads, and error details [(#10320)](https://github.com/prowler-cloud/prowler/pull/10320)
 

ui/app/(prowler)/_overview/_components/accounts-selector.tsx

@@ -11,6 +11,7 @@ import {
   GCPProviderBadge,
   GitHubProviderBadge,
   IacProviderBadge,
+  ImageProviderBadge,
   KS8ProviderBadge,
   M365ProviderBadge,
   MongoDBAtlasProviderBadge,
@@ -35,6 +36,7 @@ const PROVIDER_ICON: Record<ProviderType, ReactNode> = {
   m365: <M365ProviderBadge width={18} height={18} />,
   github: <GitHubProviderBadge width={18} height={18} />,
   iac: <IacProviderBadge width={18} height={18} />,
+  image: <ImageProviderBadge width={18} height={18} />,
   oraclecloud: <OracleCloudProviderBadge width={18} height={18} />,
   mongodbatlas: <MongoDBAtlasProviderBadge width={18} height={18} />,
   alibabacloud: <AlibabaCloudProviderBadge width={18} height={18} />,