Required IAM Policy for Image Scanning Recipes

To use Oracle Cloud Infrastructure, you must be granted the required type of access in a policy (IAM) written by an administrator, whether you're using the Console or the REST API with an SDK, CLI, or other tool.

Tip

If you try to perform an action and get a message that you don’t have permission or are unauthorized, confirm with your administrator the type of access you were granted and which compartment you’re supposed to work in.

For example, to allow users in the group SecurityAdmins to create, update, and delete all Vulnerability Scanning resources in the compartment SalesApps:

Allow group SecurityAdmins to manage vss-family in compartment SalesApps

Grant Permissions to Pull Images From the Container Registry

Grant the Vulnerability Scanning service permission to pull images from Container Registry.

To grant this permission for all images in the entire tenancy:

allow service vulnerability-scanning-service to read repos in tenancy
allow service vulnerability-scanning-service to read compartments in tenancy

To grant this permission for all images in a specific compartment:

allow service vulnerability-scanning-service to read repos in compartment <compartment_name>
allow service vulnerability-scanning-service to read compartments in compartment <compartment_name>
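
The following Python check is an added example, not Oracle's code. It reviews a list of policy statements and reports, per scope, whether the scanning service has both grants shown above (counting tenancy grants toward every compartment) and whether any verb is broader than read. The names audit, STATEMENT and SAMPLE are assumptions, and the parser handles only the statement shape used on this page.

```python
import re

# Subset of policy syntax covering only the statement shape shown on this page:
#   allow service <name> to <verb> <resource> in tenancy | compartment <name>
STATEMENT = re.compile(
    r"^allow\s+service\s+(?P<service>[\w-]+)\s+to\s+(?P<verb>\w+)\s+"
    r"(?P<resource>[\w-]+)\s+in\s+(?:(?P<tenancy>tenancy)|compartment\s+(?P<comp>\S+))$",
    re.IGNORECASE,
)
SERVICE = "vulnerability-scanning-service"
REQUIRED = {"repos", "compartments"}             # both grants the page lists
VERBS = ["inspect", "read", "use", "manage"]     # OCI verbs, least to most access


def audit(statements):
    """Return (grants, findings) for the scanning service.

    grants maps a scope ("tenancy" or a compartment name) to the resource
    types the service can read there; findings lists gaps and over-grants.
    """
    grants, findings = {}, []
    for raw in statements:
        m = STATEMENT.match(raw.strip())
        if not m or m["service"].lower() != SERVICE:
            continue                              # other principals or syntax
        verb, resource = m["verb"].lower(), m["resource"].lower()
        scope = "tenancy" if m["tenancy"] else m["comp"]
        if verb not in VERBS:
            findings.append(f"{scope}: unknown verb '{verb}'")
            continue
        if VERBS.index(verb) > VERBS.index("read"):
            findings.append(f"{scope}: '{verb} {resource}' is broader than read")
        if VERBS.index(verb) >= VERBS.index("read"):
            grants.setdefault(scope, set()).add(resource)
    inherited = grants.get("tenancy", set())      # tenancy grants apply everywhere
    for scope, resources in grants.items():
        missing = REQUIRED - (resources | inherited)
        if missing:
            findings.append(f"{scope}: no read on {', '.join(sorted(missing))}")
    return grants, findings


# Constructed sample: the two statements name different compartments (typo).
SAMPLE = [
    "allow service vulnerability-scanning-service to read repos in compartment SalesApps",
    "allow service vulnerability-scanning-service to read compartments in compartment SalesApp",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE)[1]:
        print(finding)
```
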

For more information and examples, see: