From 364e4c2876368a228040e6fdf0107a996f470d47 Mon Sep 17 00:00:00 2001 From: Craig Date: Thu, 28 Aug 2025 14:11:00 -0700 Subject: [PATCH 1/7] scout: add artifactory integration via watch Signed-off-by: Craig --- content/manuals/scout/integrations/_index.md | 3 +- .../integrations/registry/artifactory.md | 155 ++++++++++++++++++ 2 files changed, 156 insertions(+), 2 deletions(-) create mode 100644 content/manuals/scout/integrations/registry/artifactory.md diff --git a/content/manuals/scout/integrations/_index.md b/content/manuals/scout/integrations/_index.md index c2f5b67c1f7e..312c9c2bcc4a 100644 --- a/content/manuals/scout/integrations/_index.md +++ b/content/manuals/scout/integrations/_index.md @@ -4,8 +4,6 @@ keywords: supply chain, security, integrations, registries, ci, environments title: Integrating Docker Scout with other systems linkTitle: Integrations weight: 80 -aliases: - - /scout/integrations/registry/artifactory --- By default, Docker Scout integrates with your Docker organization and your @@ -29,6 +27,7 @@ The following container registry integrations are available: - [Amazon Elastic Container Registry](./registry/ecr.md) - [Azure Container Registry](./registry/acr.md) +- [JFrog Artifactory](./registry/artifactory.md) ### Continuous Integration diff --git a/content/manuals/scout/integrations/registry/artifactory.md b/content/manuals/scout/integrations/registry/artifactory.md new file mode 100644 index 000000000000..55bac1c4a471 --- /dev/null +++ b/content/manuals/scout/integrations/registry/artifactory.md 
@@ -0,0 +1,155 @@ +--- +description: Integrate Artifactory Container Registry with Docker Scout +keywords: docker scout, artifactory, integration, image analysis, security, cves +title: Integrate Docker Scout with Artifactory Container Registry +linkTitle: Artifactory Container Registry +--- + +Integrating Docker Scout with JFrog Artifactory lets you index and analyze +images from Artifactory Docker. This integration is powered by a long-running +`docker scout watch` process. It pulls images from your selected repositories +(optionally filtered), can receive webhook callbacks from Artifactory, and +pushes image data to Docker Scout. View results in the Docker Scout Dashboard or +with `docker scout` CLI. + +## How it works + +You run [`docker scout watch`](/reference/cli/docker/scout/watch/) on a host you +control and configure the Artifactory-specific registry string via `--registry +"key=value,..."`. The watch process can: + +- Watch specific repositories or an entire registry +- Optionally ingest all existing images once +- Periodically refresh repository lists +- Receive webhook callbacks from Artifactory on a local port you choose + +Unlike the ACR and ECR integration flows, this setup does not create any cloud +resources for you. You supply Artifactory credentials, start watch, and +optionally configure Artifactory webhooks. + +### Artifactory-specific registry string options + +These `type=artifactory` options override the generic registry handling for the `--registry` option: + +| Key | Required | Description | +|------------------|:--------:|-------------| +| `type` | Yes | Must be `artifactory`. | +| `registry` | Yes | Docker/OCI registry hostname (e.g., `example.jfrog.io`). | +| `api` | Yes | Artifactory REST API base URL (e.g., `https://example.jfrog.io/artifactory`). | +| `repository` | Yes | Repository to watch (replaces `--repository`). | +| `includes` | No | Globs to include (e.g., `*/frontend*`). 
| +| `excludes` | No | Globs to exclude (e.g., `*/legacy/*`). | +| `port` | No | Local port to listen on for webhook callbacks. | +| `subdomain-mode` | No | `true` or `false`; matches Artifactory’s Docker layout (subdomain vs repo-path). | + +## Integrate an Artifactory registry + +Use the following steps to integrate your Artifactory registry with Docker +Scout. + +1. Pick the host on which to run `docker scout watch`. + + The host must have local or network access to your private registry and be able + to access the Scout API (`https://api.scout.docker.com`) over the internet. If + you're using webhook callbacks, Artifactory must also be able to reach the Scout + client host on the configured port. + Override the `--workers` option (default: `3`) for optimal performance based on + the size of the host and the expected workload. + +2. Ensure you are running the latest version of Scout. + + Check your current version: + + ```console + $ docker scout version + ``` + + If necessary, [install the latest version of Scout](https://docs.docker.com/scout/install/). + +3. Set up your Artifactory credentials. + + Store the credentials that the Scout client will use to authenticate with + Artifactory. The following is an example using environment variables. Replace + `` and `` with your actual values. + + ```console + $ export DOCKER_SCOUT_ARTIFACTORY_API_USER= + $ export DOCKER_SCOUT_ARTIFACTORY_API_PASSWORD= + ``` + + > [!TIP] + > + > As a best practice, create a dedicated user with read-only access and use + > an access token instead of a password. + + Store the credential that Artifactory will use to authenticate webhook + callbacks. The following is an example using an environment variable. Replace + `` with an actual secret. + + ```console + $ export DOCKER_SCOUT_ARTIFACTORY_WEBHOOK_SECRET= + ```` + + > [!TIP] + > + > As a best practice, generate a high-entropy random string of 64-128 characters. + +4. Set up your Scout credentials. + + 1. 
Generate an organization access token for accessing Scout. For more + details, see [Create an organization access + token](/enterprise/security/access-tokens/#create-an-organization-access-token). + 2. Sign in to Docker using the organization access token. + + ```console + $ docker login --username + ``` + + When prompted for a password, paste the organization access token you + generated. + + 3. Connect your local Docker environment to your organization's Docker Scout service. + + ```console + $ docker scout enroll + ``` + +5. Index existing images. You only need to do this once. + + Run `docker scout watch` with the `--all-images` option to index all images in the specified Artifactory repository. The following is an example command: + + ```console + $ docker scout watch --registry \ + "type=artifactory,registry=example.jfrog.io,api=https://example.jfrog.io/artifactory,include=*/frontend*,exclude=*/dta/*,repository=docker-local,port=9000,subdomain-mode=true" \ + --all-images + ``` + +6. Confirm the images have been indexed by viewing them on the [Scout + Dashboard](https://scout.docker.com/). + +7. Configure Artifactory callbacks. + + In your Artifactory UI or via REST API, configure webhooks for image + push/update events. Set the endpoint to your `docker scout watch` host and + port, and include the `DOCKER_SCOUT_ARTIFACTORY_WEBHOOK_SECRET` for + authentication. + + For more information, see the [JFrog Artifactory Webhooks + documentation](https://jfrog.com/help/r/jfrog-platform-administration-documentation/webhooks) + or the [JFrog Artifactory REST API Webhooks + documentation](https://jfrog.com/help/r/jfrog-rest-apis/webhooks) + +8. Continuously watch for new or updated images. + + Run `docker scout watch` with the `--refresh-registry` option to watch for + new images to index. 
The following is an example command: + + ```console + $ docker scout watch --registry \ + "type=artifactory,registry=example.jfrog.io,api=https://example.jfrog.io/artifactory,include=*/frontend*,exclude=*/dta/*,repository=docker-local,port=9000,subdomain-mode=true" \ + --refresh-registry + ``` + +9. Optional. Set up Scout integration for real-time notifications from popular + collaboration platforms. For details, see [Integrate Docker Scout with + Slack](../team-collaboration/slack.md). \ No newline at end of file From 4a4404e84b24f73ee37b773c15f973689cdc8c8c Mon Sep 17 00:00:00 2001 From: Craig Date: Thu, 28 Aug 2025 14:20:11 -0700 Subject: [PATCH 2/7] lint fixes Signed-off-by: Craig --- content/manuals/scout/integrations/_index.md | 4 ++-- .../integrations/registry/artifactory.md | 22 +++++++++---------- 2 files changed, 13 insertions(+), 13 deletions(-) diff --git a/content/manuals/scout/integrations/_index.md b/content/manuals/scout/integrations/_index.md index 312c9c2bcc4a..cda490917dea 100644 --- a/content/manuals/scout/integrations/_index.md +++ b/content/manuals/scout/integrations/_index.md @@ -31,8 +31,8 @@ The following container registry integrations are available: ### Continuous Integration -Integrating Docker Scout with Continuous Integration (CI) systems is a great -way to get instant, automatic feedback about your security posture in your inner +Integrating Docker Scout with Continuous Integration (CI) systems is a great way +to get instant, automatic feedback about your security posture in your inner loop. Analysis running in CI also gets the benefit of additional context that's useful for getting even more insights. diff --git a/content/manuals/scout/integrations/registry/artifactory.md b/content/manuals/scout/integrations/registry/artifactory.md index 55bac1c4a471..56e33dcef699 100644 --- a/content/manuals/scout/integrations/registry/artifactory.md +++ b/content/manuals/scout/integrations/registry/artifactory.md 
@@ -31,23 +31,23 @@ optionally configure Artifactory webhooks. These `type=artifactory` options override the generic registry handling for the `--registry` option: -| Key | Required | Description | -|------------------|:--------:|-------------| -| `type` | Yes | Must be `artifactory`. | -| `registry` | Yes | Docker/OCI registry hostname (e.g., `example.jfrog.io`). | -| `api` | Yes | Artifactory REST API base URL (e.g., `https://example.jfrog.io/artifactory`). | -| `repository` | Yes | Repository to watch (replaces `--repository`). | -| `includes` | No | Globs to include (e.g., `*/frontend*`). | -| `excludes` | No | Globs to exclude (e.g., `*/legacy/*`). | -| `port` | No | Local port to listen on for webhook callbacks. | -| `subdomain-mode` | No | `true` or `false`; matches Artifactory’s Docker layout (subdomain vs repo-path). | +| Key | Required | Description | +|------------------|:--------:|----------------------------------------------------------------------------------------| +| `type` | Yes | Must be `artifactory`. | +| `registry` | Yes | Docker/OCI registry hostname (e.g., `example.jfrog.io`). | +| `api` | Yes | Artifactory REST API base URL (e.g., `https://example.jfrog.io/artifactory`). | +| `repository` | Yes | Repository to watch (replaces `--repository`). | +| `includes` | No | Globs to include (e.g., `*/frontend*`). | +| `excludes` | No | Globs to exclude (e.g., `*/legacy/*`). | +| `port` | No | Local port to listen on for webhook callbacks. | +| `subdomain-mode` | No | `true` or `false`; matches Artifactory’s Docker layout (subdomain versus repository-path). | ## Integrate an Artifactory registry Use the following steps to integrate your Artifactory registry with Docker Scout. -1. Pick the host on which to run `docker scout watch`. +1. Pick the host on which to run `docker scout watch`. The host must have local or network access to your private registry and be able to access the Scout API (`https://api.scout.docker.com`) over the internet. If 
From 036f13e38d933bdc4f1d120941cd318f8be9c81b Mon Sep 17 00:00:00 2001 From: Craig Date: Thu, 28 Aug 2025 14:23:29 -0700 Subject: [PATCH 3/7] fix typo Signed-off-by: Craig --- content/manuals/scout/integrations/registry/artifactory.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/manuals/scout/integrations/registry/artifactory.md b/content/manuals/scout/integrations/registry/artifactory.md index 56e33dcef699..a9159721e1f0 100644 --- a/content/manuals/scout/integrations/registry/artifactory.md +++ b/content/manuals/scout/integrations/registry/artifactory.md @@ -6,7 +6,7 @@ linkTitle: Artifactory Container Registry --- Integrating Docker Scout with JFrog Artifactory lets you index and analyze -images from Artifactory Docker. This integration is powered by a long-running +images from Artifactory. This integration is powered by a long-running `docker scout watch` process. It pulls images from your selected repositories (optionally filtered), can receive webhook callbacks from Artifactory, and pushes image data to Docker Scout. View results in the Docker Scout Dashboard or From eb9271b95a9794a7c7d69efea32df42879085454 Mon Sep 17 00:00:00 2001 From: Craig Date: Thu, 28 Aug 2025 16:25:48 -0700 Subject: [PATCH 4/7] fix typo Signed-off-by: Craig --- content/manuals/scout/integrations/registry/artifactory.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/manuals/scout/integrations/registry/artifactory.md b/content/manuals/scout/integrations/registry/artifactory.md index a9159721e1f0..2b1b150503e0 100644 --- a/content/manuals/scout/integrations/registry/artifactory.md +++ b/content/manuals/scout/integrations/registry/artifactory.md 
@@ -137,7 +137,7 @@ Scout. For more information, see the [JFrog Artifactory Webhooks documentation](https://jfrog.com/help/r/jfrog-platform-administration-documentation/webhooks) or the [JFrog Artifactory REST API Webhooks - documentation](https://jfrog.com/help/r/jfrog-rest-apis/webhooks) + documentation](https://jfrog.com/help/r/jfrog-rest-apis/webhooks). 8. Continuously watch for new or updated images. From c9c31fd9942cf9d061d5fd4ef3dc28cd4c3cc26d Mon Sep 17 00:00:00 2001 From: Craig Date: Wed, 3 Sep 2025 12:28:07 -0700 Subject: [PATCH 5/7] feedback and experimental tag Signed-off-by: Craig --- .../scout/integrations/registry/artifactory.md | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) diff --git a/content/manuals/scout/integrations/registry/artifactory.md b/content/manuals/scout/integrations/registry/artifactory.md index 2b1b150503e0..a25ee2659d52 100644 --- a/content/manuals/scout/integrations/registry/artifactory.md +++ b/content/manuals/scout/integrations/registry/artifactory.md @@ -5,6 +5,16 @@ title: Integrate Docker Scout with Artifactory Container Registry linkTitle: Artifactory Container Registry --- +{{% experimental %}} + +The `docker scout watch` command is experimental. + +Experimental features are intended for testing and feedback as their +functionality or design may change between releases without warning or +can be removed entirely in a future release. + +{{% /experimental %}}` + Integrating Docker Scout with JFrog Artifactory lets you index and analyze images from Artifactory. This integration is powered by a long-running `docker scout watch` process. It pulls images from your selected repositories 
@@ -20,13 +30,19 @@ control and configure the Artifactory-specific registry string via `--registry - Watch specific repositories or an entire registry - Optionally ingest all existing images once -- Periodically refresh repository lists +- Periodically refresh repository lists - Receive webhook callbacks from Artifactory on a local port you choose Unlike the ACR and ECR integration flows, this setup does not create any cloud resources for you. You supply Artifactory credentials, start watch, and optionally configure Artifactory webhooks. +> [!NOTE] +> +> Docker Scout analyzes images locally. The image itself is never pushed to +> Docker. Only the SBOM (Software Bill of Materials) and other metadata are sent +> to Docker Scout. + ### Artifactory-specific registry string options These `type=artifactory` options override the generic registry handling for the `--registry` option: From b801d1befb6406aacb48cfdf4b2bf53334d10408 Mon Sep 17 00:00:00 2001 From: Craig Date: Wed, 3 Sep 2025 12:33:40 -0700 Subject: [PATCH 6/7] polish Signed-off-by: Craig --- .../scout/integrations/registry/artifactory.md | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/content/manuals/scout/integrations/registry/artifactory.md b/content/manuals/scout/integrations/registry/artifactory.md index a25ee2659d52..8e7315363d4a 100644 --- a/content/manuals/scout/integrations/registry/artifactory.md +++ b/content/manuals/scout/integrations/registry/artifactory.md 
@@ -30,18 +30,14 @@ control and configure the Artifactory-specific registry string via `--registry - Watch specific repositories or an entire registry - Optionally ingest all existing images once -- Periodically refresh repository lists +- Periodically refresh repository lists - Receive webhook callbacks from Artifactory on a local port you choose -Unlike the ACR and ECR integration flows, this setup does not create any cloud -resources for you. You supply Artifactory credentials, start watch, and -optionally configure Artifactory webhooks. - -> [!NOTE] -> -> Docker Scout analyzes images locally. The image itself is never pushed to -> Docker. Only the SBOM (Software Bill of Materials) and other metadata are sent -> to Docker Scout. +After the integration, Docker Scout automatically pulls and analyzes images +that you push to the Artifactory registry. Metadata about your images are stored on the +Docker Scout platform, but Docker Scout doesn't store the container images +themselves. For more information about how Docker Scout handles image data, see +[Data handling](/manuals/scout/deep-dive/data-handling.md). ### Artifactory-specific registry string options From f2385ef39707830bd611513ee1a205233565b6a9 Mon Sep 17 00:00:00 2001 From: Craig Date: Wed, 3 Sep 2025 12:44:19 -0700 Subject: [PATCH 7/7] fix typo Signed-off-by: Craig --- content/manuals/scout/integrations/registry/artifactory.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/content/manuals/scout/integrations/registry/artifactory.md b/content/manuals/scout/integrations/registry/artifactory.md index 8e7315363d4a..5e385b6a41c7 100644 --- a/content/manuals/scout/integrations/registry/artifactory.md +++ b/content/manuals/scout/integrations/registry/artifactory.md 
@@ -13,7 +13,7 @@ Experimental features are intended for testing and feedback as their functionality or design may change between releases without warning or can be removed entirely in a future release. -{{% /experimental %}}` +{{% /experimental %}} Integrating Docker Scout with JFrog Artifactory lets you index and analyze images from Artifactory. This integration is powered by a long-running
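Review bot: removing the `/scout/integrations/registry/artifactory` alias from `_index.md` in patch 1 is required because the new `registry/artifactory.md` now owns that URL, but the commit message ("scout: add artifactory integration via watch") does not mention it; add a sentence saying the alias was dropped to make room for the real page, and check that no other page still declares the same alias, since a Hugo alias redirect and a content page would collide at the same output path.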
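Review bot: the example commands in steps 5 and 8 of the new artifactory.md use `include=*/frontend*,exclude=*/dta/*`, but the options table documents the keys as `includes` and `excludes`; one of the two is wrong, and a reader who copies the example will either get an unknown-key error or have the filter silently ignored, so align the table and both examples on the key names the `--registry` parser actually accepts (and confirm `*/dta/*` is the intended glob; the table's own example is `*/legacy/*`). In step 3 the placeholders are blank as rendered here ("Replace `` and `` with your actual values", `$ docker login --username`), so check that the committed source carries visible placeholder names; in the same step the fence after `DOCKER_SCOUT_ARTIFACTORY_WEBHOOK_SECRET=` is closed with four backticks, which CommonMark accepts but which should match the three-backtick opener used everywhere else. Step 7 says to "include the `DOCKER_SCOUT_ARTIFACTORY_WEBHOOK_SECRET` for authentication" without naming the Artifactory webhook field it belongs in (the webhook secret token versus a custom header) or how the watch listener verifies it, and neither the `port` row ("Local port to listen on for webhook callbacks") nor step 7 says whether that listener speaks TLS or which interface it binds to; document both, because a plain-HTTP callback carries the shared secret in clear between Artifactory and the watch host, and recommend fronting the port with a TLS-terminating reverse proxy if the listener itself is HTTP-only. Finally, `export VAR=value` typed at an interactive shell is written to shell history, so consider showing the credentials read with `read -rs` or sourced from a permission-restricted file instead of as literals on the command line.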
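Review bot: the `{{% /experimental %}}` closing shortcode added in patch 5 carries a stray trailing backtick, which patch 7 then removes, and the `- Periodically refresh repository lists` bullet is rewritten in patch 5 only to be rewritten back in patch 6 (a trailing-whitespace toggle as far as the visible lines show); squash patches 3, 4 and 7 into the commits they correct and drop the whitespace round-trip, so that no commit in the series leaves the page with an unbalanced shortcode or pure whitespace churn.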
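Review bot: "Metadata about your images are stored" in the replacement paragraph of patch 6 should read "is stored". The same paragraph says Docker Scout "automatically pulls and analyzes images that you push", which reads as if the integration runs on Docker's side, whereas for Artifactory the pulling is done by the self-hosted `docker scout watch` process and stops when that process stops; say so, for example "while `docker scout watch` is running, it pulls and analyzes images that you push". The paragraph it removes also carried the only explicit statement that webhooks are optional ("optionally configure Artifactory webhooks"), and step 7 (Configure Artifactory callbacks) is not prefixed with "Optional." the way step 9 is; either keep that sentence or mark step 7 optional if watching with `--refresh-registry` alone is a supported configuration.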