Docker discoveries

Docker discoveries allow you to list a set of Docker images from a registry or an existing deployment. The discovered Docker images can then be added to Cyberwatch in bulk in order to be scanned.

JFrog Artifactory

Prerequisites

JFrog Artifactory discoveries require:

  • A JFrog service account (dedicated, non-administrator user)
  • A Read permission granted to this account on the Docker repositories to be discovered
  • An access token generated for this account

JFrog Artifactory exposes its Docker repositories as registries. The JFrog Artifactory discovery queries the JFrog API to list the accessible Docker images, which can then be scanned by Cyberwatch. Read access to the relevant Docker repositories is sufficient: it is therefore recommended to dedicate a service account with minimal privileges to Cyberwatch.

Create a service account and token in JFrog

You can create this service account as follows:

  1. Create the user: from Administration > User Management > Users, create a non-administrator service user (for example, cyberwatch).
  2. Grant read rights: from Administration > User Management > Permissions, create a permission granting only the Read action on the Docker repositories to be discovered, and associate this account (or a group containing it).
  3. Generate the access token: from Administration > User Management > Access Tokens, create a Scoped Token for this account by setting Token scope to User, so that the token inherits only the permissions of the account. Keep the username and the generated token: they will be needed in the next step.

Register the credential in Cyberwatch

From the Registered credentials menu, you can add a JFrog Artifactory credential by entering the URL of your JFrog platform, the username of the service account, and the previously generated access token.

Create the discovery

You can then create the discovery from the discoveries menu, by clicking the Add button then JFrog Artifactory in the Docker images section, and selecting your set of credentials. If access is correctly configured, the discovery will list all found Docker images.

Add the discovered Docker images

From the list of discovered assets, you will be able to view and filter images that do not have associated assets. To add them to Cyberwatch, you can select those you wish to scan and click on Bulk actions > Scan as Docker images.

The addition of newly discovered Docker images to Cyberwatch can be automated by enabling automatic registration from the discovery edit form.

The registry is automatically chosen based on the name of the discovered image. For example, an image example.com/library/hello will automatically use the Docker registry example.com, provided it has been added as a registered credential. If the registry is new, a registered credential will be automatically created and can be manually edited later if authentication is required. It is sometimes possible to specify a preferred registry, but it will only be used for discovered images whose registry in the name matches the registry entry point.


Back to top

English Français Español