Scan images in JFrog Artifactory Docker Registry

An Artifactory Docker registry is a hosted collection of Docker repositories, that you can access transparently with Docker client. JFrog Artifactory provides both Cloud (SaaS) and Self-hosted (On-prem) versions.
Artifactory lets you configure how images in the repository are accessed with a setting called the Docker Access Method.
Prisma Cloud supports the subdomain method and the repository method. The ports method is not supported.
Artifactory recommends that the subdomain method be used for production environments. The repository model is suitable for small test setups and proof of concepts.
In the subdomain model, the repository is accessed through a reverse proxy. Each Docker repository is individually addressed by a unique value, known as the repository key, positioned in the subdomain of the registry’s URL.
In the repository path model, each repository can be directly addressed. The repository key is part of the path to the image repo.
Create a new registry scan setting to scan images in the Artifactory Docker registry.

Create a new registry scan

  • You have installed a container Defender somewhere in your environment.
  • Minimum Console and Defender version should be greater than 22.12.415.
  • You can connect to the Docker client and pull an image from your Artifactory registry.
  • Set up JFrog credentials with basic authentication in Credentials store and grant Prisma Cloud access to your repository in JFrog Artifactory.
  1. Log in to Console, and select
    Defend > Vulnerabilities > Images > Registry settings
  2. Click
    Add registry
  3. In
    Add New Registry
    , enter the following values:
    1. In
      , select one of:
      JFrog Artifactory
      - Auto-discover and scan all images in all repos across the Artifactory service for versions of Artifactory greater than or equal to 6.2.0.
      Docker Registry v2
      - Scan all images in all repos under a specific repository key for the subdomain method. Repository keys effectively subdivide the Artifactory service into stand-alone fully-compliant Docker v2 registries.
    2. In
      , specify the address to scan.
      If you selected
      JFrog Artifactory
      , enter the FQDN of the reverse proxy for the on-prem or Cloud registry URL for JFrog Cloud.
      If you selected
      Docker Registry v2
      , enter the FQDN, including subdomain, of the sub-registry, for example: https://<REPOSITORY_KEY>
    3. In
      , specify the repository to scan.
      If you leave this field blank or enter a wildcard, Prisma Cloud finds and scans all repositories in the registry.
      If you specify a partial string that ends with a wildcard, Prisma Cloud finds and scans all repositories that start with the partial string.
      If you specify an exact match, Prisma Cloud scans just the specified repository.
    4. Optionally enter the
      Repositories to exclude
      them from being scanned.
    5. In
      Repository types
      , select the repository types that Prisma Cloud should scan.
      This setting is available only when
      is set to
      JFrog Artifactory
      . Specify at least one of the repository types (local, remote, virtual) hosted by JFrog.
      To scan only cached images in a repo, use
      virtual repo
    6. Enter
      numbers to scan, leave blank, or enter a wildcard (*) to scan all the tags.
    7. Optionally, enter
      Tags to exclude
      , to avoid scanning images with specified tags.
    8. In
      , select the JFrog Artifactory credentials you created in the prerequisites section.
    9. You can optionally enter a custom
      CA certificate
      in PEM format for Prisma Cloud to validate the registry only for JFrog On-prem. A custom CA certificate is not applicable for JFrog Cloud, as the certificates are managed by the provider.
      Custom CA certificate validation is supported only for non-Docker nodes (e.g. OpenShift).
      Only Defenders installed on CRI runtime with containerd can scan and validate the custom CA certificate. Ensure that the Custom CA certificate that you use is not revoked by the issuing authority.
    10. In
      OS type
      , specify whether the repo holds
    11. In
      Scanners scope
      , specify the collections of defenders to use for the scan.
      The console selects the available Defenders from the scope to execute the scan job according to the
      Number of scanners
      setting. For more information, see deployment patterns.
    12. In
      Number of scanners
      , enter the number of Defenders across which scan jobs can be distributed.
    13. Cap
      the number of images to scan.
      specifies the maximum number of images to scan in the given repository, sorted according to the last modified date.
      To scan all images in a repository, set
      to 0.
      For a complete explanation of
      , see the table in registry scan settings.
    14. Click
  4. Click
    Save and scan
    Verify that the images in the repository are being scanned under
    Monitor > Vulnerabilities > Images > Registries

Scan only the cached images in a repo

  1. To only scan the cached images in a repo, use
    Repository type
    virtual repo
    1. artifactory.docker.cache.remote.repo.tags.and.catalog=<upstream-url>, where, <upstream url> is a single URL or a list of repository URLs that you want to configure as a remote repository.
    2. artifactory.docker.catalogs.tags.fallback.fetch.remote.cache=true. This enables all repositories that fail to get a response from the upstream to retrieve results from the cache.
  2. Restart the artifactory for the changes to take effect. Refer to the JFrog documentation here.
  3. Refresh/delete the repository.catalog file from the remote cache before running any scans.
    Starting with jFrog server > 7.41.2, new images will get updated automatically in the repository.catalog file, so there is no need to delete the file to update it.
  4. Scan the virtual repo with Prisma Cloud registry scanning.

Last downloaded date

JFrog Artifactory lets security tools download image artifacts without impacting the value for the
Last Downloaded
date. This is especially important when you depend on artifact