Integrate Docker Scout with Artifactory Container Registry
試験的
The docker scout watch
command is experimental.
Experimental features are intended for testing and feedback as their functionality or design may change between releases without warning or can be removed entirely in a future release.
Integrating Docker Scout with JFrog Artifactory lets you index and analyze
images from Artifactory. This integration is powered by a long-running
docker scout watch
process. It pulls images from your selected repositories
(optionally filtered), can receive webhook callbacks from Artifactory, and
pushes image data to Docker Scout. View results in the Docker Scout Dashboard or
with docker scout
CLI.
How it works
You run
docker scout watch
on a host you
control and configure the Artifactory-specific registry string via --registry "key=value,..."
. The watch process can:
- Watch specific repositories or an entire registry
- Optionally ingest all existing images once
- Periodically refresh repository lists
- Receive webhook callbacks from Artifactory on a local port you choose
After the integration, Docker Scout automatically pulls and analyzes images that you push to the Artifactory registry. Metadata about your images are stored on the Docker Scout platform, but Docker Scout doesn't store the container images themselves. For more information about how Docker Scout handles image data, see Data handling.
Artifactory-specific registry string options
These type=artifactory
options override the generic registry handling for the --registry
option:
Key | Required | Description |
---|---|---|
type | Yes | Must be artifactory . |
registry | Yes | Docker/OCI registry hostname (e.g., example.jfrog.io ). |
api | Yes | Artifactory REST API base URL (e.g., https://example.jfrog.io/artifactory ). |
repository | Yes | Repository to watch (replaces --repository ). |
includes | No | Globs to include (e.g., */frontend* ). |
excludes | No | Globs to exclude (e.g., */legacy/* ). |
port | No | Local port to listen on for webhook callbacks. |
subdomain-mode | No | true or false ; matches Artifactory’s Docker layout (subdomain versus repository-path). |
Integrate an Artifactory registry
Use the following steps to integrate your Artifactory registry with Docker Scout.
Pick the host on which to run
docker scout watch
.The host must have local or network access to your private registry and be able to access the Scout API (
https://api.scout.docker.com
) over the internet. If you're using webhook callbacks, Artifactory must also be able to reach the Scout client host on the configured port. Override the--workers
option (default:3
) for optimal performance based on the size of the host and the expected workload.Ensure you are running the latest version of Scout.
Check your current version:
$ docker scout version
If necessary, install the latest version of Scout.
Set up your Artifactory credentials.
Store the credentials that the Scout client will use to authenticate with Artifactory. The following is an example using environment variables. Replace
<user>
and<password-or-access-token>
with your actual values.$ export DOCKER_SCOUT_ARTIFACTORY_API_USER=<user> $ export DOCKER_SCOUT_ARTIFACTORY_API_PASSWORD=<password-or-access-token>
情報As a best practice, create a dedicated user with read-only access and use an access token instead of a password.
Store the credential that Artifactory will use to authenticate webhook callbacks. The following is an example using an environment variable. Replace
<random-64-128-character-secret>
with an actual secret.$ export DOCKER_SCOUT_ARTIFACTORY_WEBHOOK_SECRET=<random-64-128-character-secret>
情報As a best practice, generate a high-entropy random string of 64-128 characters.
Set up your Scout credentials.
Generate an organization access token for accessing Scout. For more details, see Create an organization access token.
Sign in to Docker using the organization access token.
$ docker login --username <your_organization_name>
When prompted for a password, paste the organization access token you generated.
Connect your local Docker environment to your organization's Docker Scout service.
$ docker scout enroll <your_organization_name>
Index existing images. You only need to do this once.
Run
docker scout watch
with the--all-images
option to index all images in the specified Artifactory repository. The following is an example command:$ docker scout watch --registry \ "type=artifactory,registry=example.jfrog.io,api=https://example.jfrog.io/artifactory,include=*/frontend*,exclude=*/dta/*,repository=docker-local,port=9000,subdomain-mode=true" \ --all-images
Confirm the images have been indexed by viewing them on the Scout Dashboard.
Configure Artifactory callbacks.
In your Artifactory UI or via REST API, configure webhooks for image push/update events. Set the endpoint to your
docker scout watch
host and port, and include theDOCKER_SCOUT_ARTIFACTORY_WEBHOOK_SECRET
for authentication.For more information, see the JFrog Artifactory Webhooks documentation or the JFrog Artifactory REST API Webhooks documentation.
Continuously watch for new or updated images.
Run
docker scout watch
with the--refresh-registry
option to watch for new images to index. The following is an example command:$ docker scout watch --registry \ "type=artifactory,registry=example.jfrog.io,api=https://example.jfrog.io/artifactory,include=*/frontend*,exclude=*/dta/*,repository=docker-local,port=9000,subdomain-mode=true" \ --refresh-registry
Optional. Set up Scout integration for real-time notifications from popular collaboration platforms. For details, see Integrate Docker Scout with Slack.