1 files changed, 47 insertions, 4 deletions

diff --git a/doc/user/application_security/container_scanning/index.md b/doc/user/application_security/container_scanning/index.md
index 2b3d4dbfc0a..22b54bf019c 100644
--- a/doc/user/application_security/container_scanning/index.md
+++ b/doc/user/application_security/container_scanning/index.md
@@ -42,10 +42,20 @@ To enable container scanning in your pipeline, you need the following:
   shared runners on GitLab.com, then this is already the case.
 - An image matching the [supported distributions](#supported-distributions).
 - [Build and push](../../packages/container_registry/index.md#build-and-push-by-using-gitlab-cicd)
-  the Docker image to your project's container registry. If using a third-party container
-  registry, you might need to provide authentication credentials using the `DOCKER_USER` and
-  `DOCKER_PASSWORD` [configuration variables](#available-cicd-variables).
+  the Docker image to your project's container registry.
 - The name of the Docker image to scan, in the `DOCKER_IMAGE` [configuration variable](#available-cicd-variables).
+- If you're using a third-party container registry, you might need to provide authentication
+  credentials through the `DOCKER_USER` and `DOCKER_PASSWORD` [configuration variables](#available-cicd-variables).
+  For example, if you are connecting to AWS ECR, you might use the following:
+
+```yaml
+export AWS_ECR_PASSWORD=$(aws ecr get-login-password --region region)
+
+include:
+  - template: Security/Container-Scanning.gitlab-ci.yml
+    DOCKER_USER: AWS
+    DOCKER_PASSWORD: "$AWS_ECR_PASSWORD"
+```
 
 ## Configuration
 
@@ -397,7 +407,7 @@ For details on saving and transporting Docker images as a file, see Docker's doc
 We recommend that you set up a [scheduled pipeline](../../../ci/pipelines/schedules.md)
 to fetch the latest vulnerabilities database on a preset schedule.
 Automating this with a pipeline means you do not have to do it manually each time. You can use the
-following `.gitlab-yml.ci` example as a template.
+following `.gitlab-ci.yml` example as a template.
 
 ```yaml
 variables:
@@ -420,6 +430,39 @@ The above template works for a GitLab Docker registry running on a local install
 you're using a non-GitLab Docker registry, you must change the `$CI_REGISTRY` value and the
 `docker login` credentials to match your local registry's details.
 
+#### Scan images in external private registries
+
+To scan an image in an external private registry, you must configure access credentials so the
+container scanning analyzer can authenticate itself before attempting to access the image to scan.
+
+If you use the GitLab [Container Registry](../../packages/container_registry/),
+the `DOCKER_USER` and `DOCKER_PASSWORD` [configuration variables](#available-cicd-variables)
+are set automatically and you can skip this configuration.
+
+This example shows the configuration needed to scan images in a private [Google Container Registry](https://cloud.google.com/container-registry/):
+
+```yaml
+include:
+  - template: Security/Container-Scanning.gitlab-ci.yml
+
+container_scanning:
+  variables:
+    DOCKER_USER: _json_key
+    DOCKER_PASSWORD: "$GCP_CREDENTIALS"
+    DOCKER_IMAGE: "gcr.io/path-to-you-registry/image:tag"
+```
+
+Before you commit this configuration, [add a CI/CD variable](../../../ci/variables/#add-a-cicd-variable-to-a-project)
+for `GCP_CREDENTIALS` containing the JSON key, as described in the
+[Google Cloud Platform Container Registry documentation](https://cloud.google.com/container-registry/docs/advanced-authentication#json-key).
+Also:
+
+- The value of the variable may not fit the masking requirements for the **Mask variable** option,
+  so the value could be exposed in the job logs.
+- Scans may not run in unprotected feature branches if you select the **Protect variable** option.
+- Consider creating credentials with read-only permissions and rotating them regularly if the
+  options aren't selected.
+
 ## Running the standalone container scanning tool
 
 It's possible to run the [GitLab container scanning tool](https://gitlab.com/gitlab-org/security-products/analyzers/container-scanning)