> ## Documentation Index
> Fetch the complete documentation index at: https://docs.backline.ai/llms.txt
> Use this file to discover all available pages before exploring further.

# Chainguard Registry Integration

> Access container images stored in your Chainguard registry

## Overview

The Chainguard integration allows Backline to scan container images stored in your Chainguard registry (`cgr.dev`) for security vulnerabilities. Chainguard images are minimal, hardened container images with a strong security posture — connecting them to Backline ensures any remaining vulnerabilities are tracked and remediated.

## What You Can Do

With the Chainguard integration, Backline can:

* Scan container images for vulnerabilities
* Analyze image layers and dependencies
* Detect outdated base images
* Track vulnerabilities across image versions
* Monitor container security compliance

## Prerequisites

Before connecting Chainguard, ensure you have:

* A Chainguard account with access to your organization
* `chainctl` installed ([installation guide](https://edu.chainguard.dev/chainguard/administration/how-to-install-chainctl/))
* A Chainguard pull token (see below)

## Creating a Pull Token

Chainguard pull tokens are long-lived credentials used to authenticate non-interactive environments (such as Backline) against `cgr.dev`.

<Steps>
  <Step title="Install chainctl">
    Install the Chainguard CLI if you haven't already:

    ```bash theme={null}
    curl -o chainctl "https://dl.enforce.dev/chainctl/latest/chainctl_$(uname -s | tr '[:upper:]' '[:lower:]')_$(uname -m | sed 's/aarch64/arm64/')"
    sudo install -o $UID -g $(id -g) -m 0755 chainctl /usr/local/bin/
    ```
  </Step>

  <Step title="Log in to Chainguard">
    ```bash theme={null}
    chainctl auth login
    ```
  </Step>

  <Step title="Generate a pull token">
    ```bash theme={null}
    chainctl auth configure-docker --pull-token
    ```

    This command outputs the pull token credentials:

    ```
    Username: <pull-token-id>
    Password: <pull-token-password>
    ```

    Copy both values — you will need them when connecting the integration.
  </Step>
</Steps>

<Tip>
  Pull tokens expire after 30 days by default. Use the `--ttl` flag to extend the expiry (maximum 365 days). Example: `chainctl auth configure-docker --pull-token --ttl=8760h`
</Tip>

For more details on pull tokens, refer to the [Chainguard documentation](https://edu.chainguard.dev/chainguard/chainguard-images/chainguard-registry/authenticating/#authenticating-with-a-pull-token).

## Connecting Chainguard

<Steps>
  <Step title="Go to Integration Hub">
    Navigate to Integrations from the main menu.
  </Step>

  <Step title="Select Chainguard">
    Find and click on the Chainguard integration card.
  </Step>

  <Step title="Enter Pull Token Credentials">
    Enter the **Username** (pull token ID) and **Password** (pull token password) from the `chainctl auth configure-docker --pull-token` command output.
  </Step>

  <Step title="Test Connection">
    Click **Test Connection** to verify the credentials are valid against `cgr.dev`.
  </Step>

  <Step title="Save">
    Click **Save** to complete the integration.
  </Step>
</Steps>

## After Connection

Once Chainguard is connected, Backline will:

1. Begin scanning container images

2. Identify vulnerabilities in image layers

3. Generate remediation recommendations

## Managing the Integration

### Rotating Pull Tokens

Pull tokens expire and must be rotated periodically. To update credentials:

1. Generate a new pull token with `chainctl auth configure-docker --pull-token`
2. Open the Integration Hub and click on the Chainguard integration
3. Update the **Username** and **Password** fields with the new token
4. Test and save changes