Ajeet Raina

Ajeet Singh Raina is a former Docker Captain, Community Leader and Distinguished Arm Ambassador. He is the founder of the Collabnix blogging site and has authored 700+ blogs on Docker, Kubernetes and Cloud-Native Technology. He runs a community Slack of 9800+ members and a Discord server of close to 2600+ members. You can follow him on Twitter (@ajeetsraina).

How to Integrate Docker Scout with JFrog Artifactory


JFrog Artifactory is a universal artifact repository manager that can be used to store, manage, and deploy artifacts of all types, including Docker images. It is a popular choice for organizations that use Docker because it offers a number of features that make it well-suited for managing Docker images, such as:

  • Support for multiple Docker registries
  • Image scanning and vulnerability analysis
  • Role-based access control (RBAC)
  • Audit logging
  • High availability and scalability

How does it work?

The integration of Docker Scout with JFrog Artifactory works by deploying a Docker Scout Artifactory agent to your Artifactory server. The agent continuously polls Artifactory for new images, and when it finds a new image, it performs the following steps:

  • Pull the image from Artifactory
  • Analyze the image
  • Upload the analysis result to Docker Scout

The agent records the Software Bill of Materials (SBOM) for the image, and the SBOMs for all of its base images. The recorded SBOMs include both Operating System (OS)-level and application-level programs or dependencies that the image contains.

Additionally, the agent sends the following metadata about the image to Docker Scout:

  • The source repository URL and commit SHA for the image
  • Build instructions
  • Build date
  • Tags and digest
  • Target platforms
  • Layer sizes

The agent never transacts the image itself, nor any data inside the image, such as code, binaries, and layer blobs. The agent doesn’t detect and analyze pre-existing images. It only analyzes images that appear in the registry while the agent is running.

Getting Started

Integrating Docker Scout with JFrog Artifactory lets you run image analysis automatically on images in Artifactory registries.

  1. Log in to Docker Scout

Log in to https://scout.docker.com and click “Integration” in the top-right corner.

  2. Select “Artifactory Container Registry”

Various integration options appear on the screen. Go to “Container Registries” and click “Read docs on how to integrate” to open the integration documentation.

Assuming that you have already set up your JFrog cloud DevOps Platform environment, log in to the platform and select “Docker” as the package type.

  3. Choose “Docker Client”

  4. Set up the Docker client

     docker login -u <username>@gmail.com <yourteam>.jfrog.io
     Password:
     Login Succeeded

  5. Pull your first Docker image

     docker pull <yourteam>.jfrog.io/docker/hello-world:latest
     dcba6daec718: Download complete
     efebf0f7aee6: Download complete
     b038788ddb22: Download complete
     70f5ac315c5a: Download complete
     <yourteam>.jfrog.io/docker/hello-world:latest

     What's Next?
       View a summary of image vulnerabilities and recommendations → docker scout quickview <yourteam>.jfrog.io/docker/hello-world:latest

By now, you should be able to see new images appearing under Docker Desktop Dashboard > Images > Artifactory.

Scout Demo Service

The scout-demo-service repository contains an application and Dockerfile that demonstrate the use of Docker Scout to analyze and remediate CVEs in a container image.

  1. Clone the repository

     git clone https://github.com/docker/scout-demo-service
     cd scout-demo-service

  2. Build the Docker image

     docker build -t <yourteam>.jfrog.io/docker/scout-demo:v1 .

Results:

     ....
     ....
     View build details: docker-desktop://dashboard/build/desktop-linux/desktop-linux/juqy4rkp5qcd3n8sgaoddq1he

     What's Next?
       View a summary of image vulnerabilities and recommendations → docker scout quickview

  3. Push to JFrog Artifactory

     docker push <yourteam>.jfrog.io/docker/scout-demo:v1

  4. View the images on Docker Desktop

For example, in my case, the JFrog Artifactory dashboard showed the following images that were pulled and pushed to the remote JFrog Artifactory.
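
The build and push steps above can be gated on a local Docker Scout scan, so that an image with critical or high CVEs never reaches the Artifactory registry. This is an added example, not code from the original post or from the scout-demo-service repository; the function names (image_ref, scan_gate, build_scan_push) are hypothetical, the critical/high threshold is an assumed policy, and it assumes `docker login` to <yourteam>.jfrog.io has already succeeded.

```shell
#!/bin/sh
# Added example: build, scan with Docker Scout, and push only on a clean scan.
# Assumes a prior `docker login` and an installed Docker Scout CLI.

# Print "<team>.jfrog.io/docker/<name>:<tag>". Rejects empty values, leading
# "-" or ".", and any character outside [A-Za-z0-9._-], so a stray value cannot
# turn into a docker flag or point the push at a different registry host.
image_ref() {
    for part in "$1" "$2" "$3"; do
        case "$part" in
            ''|-*|.*|*[!A-Za-z0-9._-]*)
                echo "invalid component: $part" >&2; return 1 ;;
        esac
    done
    # The team name becomes a hostname label: no dots or underscores.
    case "$1" in *[._]*) echo "invalid team: $1" >&2; return 1 ;; esac
    printf '%s.jfrog.io/docker/%s:%s\n' "$1" "$2" "$3"
}

# With --exit-code, `docker scout cves` exits non-zero when CVEs matching the
# severity filter are found in the image.
scan_gate() {
    docker scout cves --exit-code --only-severity critical,high "$1"
}

# Build from context directory $4 (default "."), scan, then push.
# Returns 1 on bad input or build failure, 2 when the scan blocks the push.
build_scan_push() {
    image=$(image_ref "$1" "$2" "$3") || return 1
    docker build -t "$image" "${4:-.}" || return 1
    if ! scan_gate "$image"; then
        echo "blocked: critical/high CVEs in $image, not pushing" >&2
        return 2
    fi
    docker push "$image"
}

# Run only when arguments are given, e.g.:
#   ./scan-and-push.sh <yourteam> scout-demo v1
if [ "$#" -ge 3 ]; then
    build_scan_push "$@"
fi
```

Because the Artifactory agent only analyzes images that appear in the registry while it is running, an image pushed this way is also picked up for analysis on the Docker Scout side.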

Conclusion

Integrating Docker Scout with JFrog Artifactory strengthens your image security posture by enabling automated vulnerability scanning directly within your Artifactory registry. This integration provides valuable insights into image composition, potential vulnerabilities, and license compliance, all without compromising image data or disrupting your existing workflows. By leveraging the combined capabilities of Docker Scout and JFrog Artifactory, you can streamline image security throughout your development lifecycle.
