Connect Sonatype Nexus registry - Administrator Guide - Cortex XDR - Cortex

Connect Sonatype Nexus registry - Administrator Guide - Cortex XDR - Cortex - Security Operations

Cortex XDR 5.x Documentation

Product

Cortex XDR

License

XDR + Cloud

Creation date

2025-07-13

Last date published

2026-06-11

Category

Administrator Guide

Configure Cortex XDR to scan your Nexus Registry. This allows Cortex to list all container registries or images, and secure them from vulnerabilities, malware, and secrets.

How to connect Nexus registry

Follow the wizard to use the Sonatype Nexus registry connector in Cortex XDR.

Navigate to Settings → Data Sources & Integrations.
On the Add Data Sources or Integrations page, click + Add New, search for Sonatype, then hover over it and click Add.
The Instance Name is automatically populated. You can change it to a more meaningful name.
Choose the Scan Mode, and then follow the steps for that mode to configure the connection.
Cloud Scan
Security scanning is done in the Cortex cloud environment when you select this mode.
Select the appropriate Cloud Provider and Region for the Cortex environment to use for registry scanning.
As a best practice, choose the region closest to your registry deployment to achieve the best scanning throughput and potentially reduce cloud costs
(Optional) Enable Allow access by IP’s to specify a static IP address for the scanner to use. Make sure the static IP is allowed through your firewall so the scanner can access the registry during the scanning process.
Enter the Registry URL.
Enter the hostname, or Fully Qualified Domain Name (FQDN), and the connector port for the Nexus registry’s login server in the following format:
https://<hostname>:<connector_port> ,
<hostname>— unique name assigned when the Nexus registry was created
<connector_port>— https connector for the specific Nexus repository.
For example:
https://ec2-100-25-223-135.compute-1.amazonaws.com:8083
https://35.209.190.220:8084
Note
If you are using a CA certificate, enter the server IP address instead of the registry url.
Under Authentication Method, enter the Username and Password of the registry that you want to connect.
(Optional) Expand Show advanced settings and then enter a custom CA certificate in PEM format for Cortex to validate the Nexus registry.
Select Next.
Scan with Outpost
Security scanning is done on infrastructure deployed to a cloud account that you own. This mode requires additional cloud provider permissions and may incur extra costs.
Prerequisite:
Ensure an Outpost is connected to your tenant. Outposts
Choose a Cloud Provider to initialize registry scanning.
Note
If you choose Azure as the Cloud Provider, you must also select the Tenant Id. The Tenant Id is required to approve Cortex as an enterprise application in your Azure tenant.
Choose Outpost account to use for this instance. If no Outposts are shown, you can Create a new one. For more details, see Outposts.
Note
If you choose Azure as the cloud provider, only Outposts associated with the selected tenant ID are displayed.
Select the Region where the registry is hosted.
(Optional) Enable Allow access by IP’s if you want to specify a static IP address for the scanner to use. Make sure the static IP is allowed through your firewall so that the scanner can access the registry during the scanning process.
Enter the Registry URL.
Enter the hostname, or Fully Qualified Domain Name (FQDN), and the connector port for the Nexus registry’s login server in the following format:
<https://<hostname>:<connector_port>.
<hostname>— unique name assigned when the registry was created.
<connector_port>— https connector for the specific Nexus repository.
For example:
https://ec2-100-25-223-135.compute-1.amazonaws.com:8083
https://35.209.190.220:8084
Note
If you are using a CA certificate, enter the server IP address instead of the registry URL.
Under Authentication Method, enter the Username and Password of the registry that you want to connect.
(Optional) Expand Show advanced settings and then enter a custom CA certificate in PEM format for Cortex to validate the Nexus registry.
Select Next.
Scan with Broker VM
Security scanning in private networks is done using broker VM infrastructure when you select this mode.
Prerequisite:
Ensure one of the following is configured:
Set up and configure Broker VM.
Configure High Availability Cluster.
Choose a Scan with Broker VM mode to initiate registry scanning. You can select either a standalone Broker VM or a High Availability (HA) Cluster.
Select Applicable Broker VMs.
Choose the appropriate Broker VM or Cluster from the list configured in your tenant.
Note
The list of Broker VMs displays only VMs that support registry scanning.
The list of high-availability Clusters displays only clusters that contain at least one VM supporting registry scanning.
The registry scanning status for each VM appears in brackets if it was previously activated for that specific VM.
If the list does not display any Broker VMs or clusters, Add New Broker VM or Add New Cluster. For more details, see Set up and configure Broker VM.
Enter the Registry URL.
Enter the hostname, or Fully Qualified Domain Name (FQDN), and the connector port for the Nexus registry’s login server in the following format:
<https://<hostname>:<connector_port>
<hostname>— unique name assigned when the registry was created.
<connector_port>— https connector for the specific Nexus repository.
For example:
https://ec2-100-25-223-135.compute-1.amazonaws.com
https://35.209.190.220:8084
Note
If you are using a CA certificate, enter the server IP address instead of the registry URL.
Under Authentication Method, enter the Username and Password of the registry that you want to connect.
(Optional) Expand Show advanced settings and then enter a custom CA certificate in PEM format for Cortex to validate the Nexus registry.
Select Next.
In the Initial Scan Configuration, set your scanning process to focus on recently added or modified container images and exclude older ones that do not align with your current scanning objectives. This setting helps avoid unnecessary scans. Choose one of the following options:
- All: Scans all container images, including all versions (tags), in all discovered repositories.
- Latest Tag: Scans only images tagged 'latest' in all discovered repositories.
- Days Modified: Scans container images that have been created in the last few days. You can select a range of up to 90 days for the scan.
Select Save.
When the Sonatype data source is saved successfully, a new data connector is created, and the initial discovery scan begins. The connection process may take up to 15 minutes.

To check the connector status and scan results, follow these steps:

Go to Settings → Data Sources & Integrations.
Find the Sonatype instance from the list of 3rd Party Data Sources connectors, or use Search.
In the Sonatype instance row, select View Details. The Sonatype Instances page appears.
On the Sonatype Instances page, you can filter results by any heading and value.

Select an instance name to open the details pane. The details pane contains the following granular information:

Instance Details	Description
Status	Shows the status of the connector: Connected, Error, Warning, Disabled, or Pending.
Applet Status on Broker VM	Shows the status of the Registry Scanner applet on the Broker VM page. This status is visible only when the Scan with Broker VM mode is selected.
Repositories	Shows the number of scanned repositories in the registry.
Scan Mode	Shows the selected scan mode for the data connector, such as Cloud Scan, Scan with Outpost, or Scan with Broker VM.
Security Capabilities	Shows a breakdown of the security capabilities enabled on the instance and their individual statuses. For example, select Registry Scanning when it shows a warning or error status to see the open errors and issues that contributed to the status.

Next Steps.
- After the scan is complete, you can view the list of scanned images on the Container Images Inventory page. For more details, see Container Images assets.Container Images
- If you have selected the Scan with Broker VM option, then a Registry Scanner applet is created on the selected Broker VM or Cluster. For details, see Verify Registry Scanner connection.

Note

Prerequisite:

Note

Note

Note

Prerequisite:

Note

Note