diff --git a/content/manuals/scout/explore/dashboard.md b/content/manuals/scout/explore/dashboard.md index af6d75e4e658..2e1c666e3b67 100644 --- a/content/manuals/scout/explore/dashboard.md +++ b/content/manuals/scout/explore/dashboard.md @@ -11,10 +11,10 @@ aliases: The [Docker Scout Dashboard](https://scout.docker.com/) helps you share the analysis of images in an organization with your team. Developers can now see an -overview of their security status across all their images from both Docker Hub -and Artifactory, and get remediation advice at their fingertips. It helps team -members in roles such as security, compliance, and operations to know what -vulnerabilities and issues they need to focus on. +overview of their security status across all their images from Docker Hub, and +get remediation advice at their fingertips. It helps team members in roles such +as security, compliance, and operations to know what vulnerabilities and issues +they need to focus on. ## Overview diff --git a/content/manuals/scout/images/release-notes/artifactory-agent.gif b/content/manuals/scout/images/release-notes/artifactory-agent.gif deleted file mode 100644 index eaa7b6c3f9e9..000000000000 Binary files a/content/manuals/scout/images/release-notes/artifactory-agent.gif and /dev/null differ diff --git a/content/manuals/scout/integrations/_index.md b/content/manuals/scout/integrations/_index.md index ce945300e096..7916377c8578 100644 --- a/content/manuals/scout/integrations/_index.md +++ b/content/manuals/scout/integrations/_index.md @@ -25,7 +25,6 @@ aren't hosted on Docker Hub. The following container registry integrations are available: -- [Artifactory](./registry/artifactory.md) - [Amazon Elastic Container Registry](./registry/ecr.md) - [Azure Container Registry](./registry/acr.md) diff --git a/content/manuals/scout/integrations/registry/artifactory.md b/content/manuals/scout/integrations/registry/artifactory.md deleted file mode 100644 index cc0d1774e5f4..000000000000 
--- a/content/manuals/scout/integrations/registry/artifactory.md +++ /dev/null 
@@ -1,191 +0,0 @@ ---- -description: Integrate JFrog Artifactory and JFrog Container Registry with Docker Scout -keywords: docker scout, jfrog, artifactory, jcr, integration, image analysis, security, cves -title: Integrate Docker Scout with Artifactory -linkTitle: Artifactory -aliases: - - /scout/artifactory/ ---- - -Integrating Docker Scout with JFrog Artifactory lets you run image analysis -automatically on images in Artifactory registries. - -## Local image analysis - -You can analyze Artifactory images for vulnerabilities locally using Docker Desktop or the Docker CLI. You first need to authenticate with JFrog Artifactory using the [`docker login`](/reference/cli/docker/login/) command. For example: - -```bash -docker login {URL} -``` - -> [!TIP] -> -> For cloud-hosted Artifactory you can find the credentials for your Artifactory repository by -> selecting it in the Artifactory UI and then the **Set Me Up** button. - -## Remote image analysis - -To automatically analyze images running in remote environments you need to deploy the Docker Scout Artifactory agent. The agent is a -standalone service that analyzes images and uploads the result to Docker Scout. -You can view the results using the -[Docker Scout Dashboard](https://scout.docker.com/). - -### How the agent works - -The Docker Scout Artifactory agent is available as an -[image on Docker Hub](https://hub.docker.com/r/docker/artifactory-agent). The agent works by continuously polling -Artifactory for new images. When it finds a new image, it performs the following -steps: - -1. Pull the image from Artifactory -2. Analyze the image -3. Upload the analysis result to Docker Scout - -The agent records the Software Bill of Materials (SBOM) for the image, and the -SBOMs for all of its base images. The recorded SBOMs include both Operating -System (OS)-level and application-level programs or dependencies that the image -contains. 
- -Additionally, the agent sends the following metadata about the image to Docker Scout: - -- The source repository URL and commit SHA for the image -- Build instructions -- Build date -- Tags and digest -- Target platforms -- Layer sizes - -The agent never transacts the image -itself, nor any data inside the image, such as code, binaries, and layer blobs. - -The agent doesn't detect and analyze pre-existing images. It only analyzes -images that appear in the registry while the agent is running. - -### Deploy the agent - -This section describes the steps for deploying the Artifactory agent. - -#### Prerequisites - -Before you deploy the agent, ensure that you meet the prerequisites: - -- The server where you host the agent can access the following resources over - the network: - - Your JFrog Artifactory instance - - `hub.docker.com`, port 443, for authenticating with Docker - - `api.dso.docker.com`, port 443, for transacting data to Docker Scout -- The registries are Docker V2 registries. V1 registries aren't supported. - -The agent supports all versions of JFrog Artifactory and JFrog Container -Registry. - -#### Create the configuration file - -You configure the agent using a JSON file. The agent expects the configuration -file to be in `/opt/artifactory-agent/data/config.json` on startup. - -The configuration file includes the following properties: - -| Property | Description | -| --------------------------- | ------------------------------------------------------------------------------- | -| `agent_id` | Unique identifier for the agent. | -| `docker.organization_name` | Name of the Docker organization. | -| `docker.username` | Username of the admin user in the Docker organization. | -| `docker.pat` | Personal access token of the admin user with read and write permissions. | -| `artifactory.base_url` | Base URL of the Artifactory instance. | -| `artifactory.username` | Username of the Artifactory user with read permissions that the agent will use. 
| -| `artifactory.password` | Password or API token for the Artifactory user. | -| `artifactory.image_filters` | Optional: List of repositories and images to analyze. | - -If you don't specify any repositories in `artifactory.image_filters`, the agent -runs image analysis on all images in your Artifactory instance. - -The following snippet shows a sample configuration: - -```json -{ - "agent_id": "acme-prod-agent", - "docker": { - "organization_name": "acme", - "username": "mobythewhale", - "pat": "dckr_pat__dsaCAs_xL3kNyupAa7dwO1alwg" - }, - "artifactory": [ - { - "base_url": "https://acme.jfrog.io", - "username": "acmeagent", - "password": "hayKMvFKkFp42RAwKz2K", - "image_filters": [ - { - "repository": "dev-local", - "images": ["internal/repo1", "internal/repo2"] - }, - { - "repository": "prod-local", - "images": ["staging/repo1", "prod/repo1"] - } - ] - } - ] -} -``` - -Create a configuration file and save it somewhere on the server where you plan -to run the agent. For example, `/var/opt/artifactory-agent/config.json`. - -#### Run the agent - -The following example shows how to run the Docker Scout Artifactory agent using -`docker run`. This command creates a bind mount for the directory containing the -JSON configuration file created earlier at `/opt/artifactory-agent/data` inside -the container. Make sure the mount path you use is the directory containing the -`config.json` file. - - -> [!IMPORTANT] -> -> Use the `v1` tag of the Artifactory agent image. Don't use the `latest` tag as -> doing so may incur breaking changes. - -```console -$ docker run \ - --mount type=bind,src=/var/opt/artifactory-agent,target=/opt/artifactory-agent/data \ - docker/artifactory-agent:v1 -``` - -#### Analyzing pre-existing data - -By default the agent detects and analyzes images as they're created and -updated. If you want to use the agent to analyze pre-existing images, you -can use backfill mode. 
Use the `--backfill-from=TIME` command line option, -where `TIME` is an ISO 8601 formatted time, to run the agent in backfill mode. -If you use this option, the agent analyzes all images pushed between that -time and the current time when the agent starts, then exits. - -For example: - -```console -$ docker run \ - --mount type=bind,src=/var/opt/artifactory-agent,target=/opt/artifactory-agent/data \ - docker/artifactory-agent:v1 --backfill-from=2022-04-10T10:00:00Z -``` - -When running a backfill multiple times, the agent won't analyze images that -it's already analyzed. To force re-analysis, provide the `--force` command -line flag. - -### View analysis results - -You can view the image analysis results in the Docker Scout Dashboard. - -1. Go to [Images page](https://scout.docker.com/reports/images/) in the Docker Scout Dashboard. - - This page displays the Docker Scout-enabled repositories in your organization. - -2. Select the image in the list. -3. Select the tag. - -When you have selected a tag, you're taken to the vulnerability report for that -tag. Here, you can select if you want to view all vulnerabilities in the image, -or vulnerabilities introduced in a specific layer. You can also filter -vulnerabilities by severity, and whether or not there's a fix version available. diff --git a/content/manuals/scout/release-notes/platform.md b/content/manuals/scout/release-notes/platform.md index 67fe74e87824..c794f98ce80c 100644 --- a/content/manuals/scout/release-notes/platform.md +++ b/content/manuals/scout/release-notes/platform.md 
@@ -297,12 +297,9 @@ documentation](../integrations/environment/sysdig.md). The new JFrog Artifactory integration enables automatic image analysis on Artifactory registries. -![Animation of how to integrate Artifactory](../images/release-notes/artifactory-agent.gif) - The integration involves deploying a Docker Scout Artifactory agent that polls for new images, performs analysis, and uploads results to Docker Scout, all -while preserving the integrity of image data. Learn more in the [Artifactory -integration documentation](../integrations/registry/artifactory.md) +while preserving the integrity of image data. #### Known limitations
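Review bot: In content/manuals/scout/explore/dashboard.md, the reworded sentence now says the overview covers images "from Docker Hub" only, while the integrations/_index.md hunk in this same patch still lists Amazon Elastic Container Registry and Azure Container Registry as available registry integrations. Consider wording such as "from Docker Hub and other integrated registries" so the overview doesn't read as excluding images from the integrations that remain.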
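Review bot: Deleting content/manuals/scout/integrations/registry/artifactory.md also drops its front-matter alias `/scout/artifactory/`, and nothing in this patch adds a redirect for that alias or for the page's own URL, so existing inbound links will break. Consider moving the old paths into the `aliases` of a surviving page such as the integrations index. The deleted page is also where the patch shows what the agent's `config.json` holds (`docker.pat` for an admin user with read and write permissions, and `artifactory.password`), so a short retirement notice telling operators to stop the `docker/artifactory-agent:v1` container and revoke those credentials would be worth keeping somewhere in the docs.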
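Review bot: In content/manuals/scout/release-notes/platform.md, the entry still opens with "The new JFrog Artifactory integration enables automatic image analysis on Artifactory registries" and describes deploying the agent, but after this hunk it has neither the animation nor a link to any documentation. If the integration is being retired, say so in this entry or add a new release-notes entry announcing the removal, rather than leaving a description of a feature whose docs readers can no longer find.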