1. Overview

Artifactory is a service for hosting and distributing container images. Artifactory lets you segment the service by repository key, so that you can allocate dedicated registries per project, team, or any other facet. Repositories can be accessed with the Docker client. A repository is a collection of related images, versioned by tag.

Artifactory lets you configure how images in the repository are accessed with a setting called the Docker Access Method. Twistlock supports the subdomain method and the repository method. The port method is not supported.

In the subdomain model, the repository is accessed through a reverse proxy. Each Docker repository is individually addressed by a unique value, known as the repository key, positioned in the subdomain of the registry's URL.

$ docker {pull|push} <REPOSITORY_KEY>.art.example.com/<IMAGE>:<TAG>

In the repository path model, each repository can be directly addressed. The repository key is part of the path to the image repo.

$ docker {pull|push} art.example.com:443/<REPOSITORY_KEY>/<IMAGE>:<TAG>

Artifactory recommends that the subdomain method be used for production environments. The repository path model is suitable for small test setups and proofs of concept.
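The two addressing forms above differ only in where the repository key sits. The following parser is an added example, not code from Twistlock or JFrog: it splits a reference under either access method, recovers the repository key, image path and tag, and derives the value that goes into the Registry field of a Twistlock scan setting (the reverse proxy FQDN for the JFrog Artifactory option, or the `https://<REPOSITORY_KEY>.<host>/` sub-registry address for the Docker Registry v2 option, which this page only gives for the subdomain method). The hostnames and repository keys used are placeholders.

```python
"""
Added example (not from the Twistlock or JFrog documentation). Parses an Artifactory
image reference under the subdomain or repository-path access method and derives the
address to enter in Twistlock's Registry field. All hostnames are placeholders.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class ArtifactoryRef:
    method: str          # "subdomain" or "repository"
    registry_host: str   # host[:port] the Docker client actually talks to
    repository_key: str  # the Artifactory repository key
    image: str           # image path inside the repository (may contain '/')
    tag: str


def parse_reference(ref: str, method: str) -> ArtifactoryRef:
    """Split '<host>/<path>[:<tag>]' and locate the repository key per access method."""
    if method not in ("subdomain", "repository"):
        raise ValueError("Twistlock supports the subdomain and repository methods only")
    host, sep, path = ref.partition("/")
    if not sep or not path:
        raise ValueError(f"reference has no image path: {ref!r}")
    # The tag is whatever follows the last ':' in the path; a ':' in the host is a port.
    image_path, colon, tag = path.rpartition(":")
    if not colon or "/" in tag:
        image_path, tag = path, "latest"  # no tag given; Docker defaults to 'latest'
    if method == "subdomain":
        # <KEY>.art.example.com/<IMAGE>:<TAG>: the key is the first DNS label of the host.
        key, dot, _ = host.partition(".")
        if not dot:
            raise ValueError(f"subdomain method needs '<key>.<registry-host>', got {host!r}")
        image = image_path
    else:
        # art.example.com:443/<KEY>/<IMAGE>:<TAG>: the key is the first path segment.
        key, slash, image = image_path.partition("/")
        if not slash:
            raise ValueError(f"repository method needs '<key>/<image>', got {image_path!r}")
    return ArtifactoryRef(method, host, key, image, tag)


def registry_field(ref: ArtifactoryRef, version: str) -> str:
    """Value for the Registry field, following the two options this page describes."""
    if version == "JFrog Artifactory":
        # Option 1: the reverse proxy in front of the whole Artifactory service.
        if ref.method == "subdomain":
            return ref.registry_host.partition(".")[2]  # drop the repository-key label
        return ref.registry_host
    if version == "Docker Registry v2":
        # Option 2: the per-key sub-registry, https://<REPOSITORY_KEY>.<host>/.
        if ref.method != "subdomain":
            raise ValueError("the page documents the sub-registry address for the subdomain method only")
        return f"https://{ref.registry_host}/"
    raise ValueError(f"unknown Version choice: {version!r}")


if __name__ == "__main__":
    r = parse_reference("docker-local.art.example.com/team/app:1.4.2", "subdomain")
    print(r, registry_field(r, "JFrog Artifactory"), registry_field(r, "Docker Registry v2"))
```

Because the subdomain method encodes the key in DNS, every repository key needs a matching wildcard or per-key certificate on the reverse proxy; the path method needs only one hostname, which is one reason it is the simpler choice for test setups.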

2. Configuring Twistlock to scan images in your registry

To scan images in a JFrog Artifactory Docker registry, create a new registry scan setting. You have a couple of options for setting up your scan.

1) Twistlock can autodiscover and scan all images in all repos across the Artifactory service for versions of Artifactory greater than or equal to 6.2.0. In the registry scan settings, set the version to JFrog Artifactory and set the registry address to your reverse proxy.


2) Scan all repositories under a repository key. Repository keys effectively subdivide the Artifactory service into stand-alone, fully compliant Docker v2 registries. In the registry scan settings, set the version to Docker Registry v2, and set the registry address to the full path to the "sub-registry". For example: https://<REPOSITORY_KEY>.example.com/.


Prerequisites

Grant Twistlock access to your repo

To scan Artifactory registries, Twistlock requires a privileged service account.

  1. Log in to Twistlock Console, then go to Manage > Authentication > Credentials Store.

  2. Click Add credential.

  3. Enter a credential name, such as JFrog Artifactory.

  4. In Type, select Basic authentication.

  5. In Username, enter a username.

  6. In Password, enter a password.

  7. Click Save.

Configure the scan

After you set up your credentials, create a new registry scan setting.

  1. Open Console, then go to Defend > Vulnerabilities > Registry.

  2. Click Add registry.

  3. In the dialog, enter the following information:

    1. From the Version drop-down list, select one of:

      • JFrog Artifactory — Autodiscover and scan all images in all repos across the Artifactory service.

      • Docker Registry v2 — Scan all images in all repos under a specific repository key.

    2. In Registry, specify the address to scan.

      • If you selected JFrog Artifactory, enter the FQDN of the reverse proxy.

      • If you selected Docker Registry v2, enter the FQDN, including subdomain, of the sub-registry.

    3. In Repository, specify the repository to scan.

      If you leave this field blank or enter a wildcard, Twistlock finds and scans all repositories in the registry.

      If you specify a partial string that ends with a wildcard, Twistlock finds and scans all repositories that start with the partial string.

      If you specify an exact match, Twistlock scans just the specified repository.

    4. Do the same with the Tag field.

    5. In Credential, select the JFrog Artifactory credentials you created.

    6. In OS type, specify whether the repo holds Linux or Windows images.

    7. In Scanner, select Automatic.

      Console automatically selects an available Defender to execute the scan job. Alternatively, you can explicitly select a Defender from the drop-down list. Defenders are listed according to the hosts where they run. For more information, see deployment patterns.

    8. In Number of scanners, enter the number of Defenders across which scan jobs can be distributed.

    9. Cap the number of images to scan.

      Cap specifies the maximum number of images to scan in the given repository, sorted according to last modified date. To scan all images in a repository, set Cap to 0. For a complete explanation of Cap, see the table in registry scan settings.

    10. Click Add.

  4. Click the yellow save button.

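The Repository, Tag and Cap settings together decide which images a scan job actually touches. The script below is an added example (not Twistlock's own code) that applies the matching rules stated above to a constructed Artifactory catalog: blank or `*` selects everything, a string ending in `*` is a prefix match, and anything else is an exact match. It assumes the Tag field follows the same rules ("do the same") and that Cap keeps the most recently modified images within each repository. The repositories, tags and timestamps are made up.

```python
"""
Added example (not Twistlock's own code). Simulates how the Repository, Tag and Cap
fields of a registry scan setting narrow the images to be scanned, using a constructed
catalog. Assumptions: the Tag field uses the same matching rules as Repository, and
Cap keeps the newest images (by last-modified date) per repository.
"""
from datetime import datetime, timezone
from typing import Dict, List, Tuple

UTC = timezone.utc

# Constructed sample catalog: repository -> {tag: last-modified timestamp}
CATALOG: Dict[str, Dict[str, datetime]] = {
    "team-a/api": {
        "1.0": datetime(2021, 1, 10, tzinfo=UTC),
        "1.1": datetime(2021, 2, 15, tzinfo=UTC),
        "latest": datetime(2021, 3, 1, tzinfo=UTC),
    },
    "team-a/worker": {"2.3": datetime(2021, 2, 1, tzinfo=UTC)},
    "team-b/api": {"0.9": datetime(2021, 1, 5, tzinfo=UTC)},
}


def matches(filter_value: str, name: str) -> bool:
    """Matching rules from the page: blank/'*' = all, 'prefix*' = starts-with, else exact."""
    f = filter_value.strip()
    if f in ("", "*"):
        return True
    if f.endswith("*"):
        return name.startswith(f[:-1])
    return name == f


def select_images(catalog: Dict[str, Dict[str, datetime]],
                  repository: str = "", tag: str = "", cap: int = 0) -> List[Tuple[str, str]]:
    """Return (repository, tag) pairs a scan with these settings would cover."""
    if cap < 0:
        raise ValueError("Cap must be 0 (all images) or a positive limit")
    selected: List[Tuple[str, str]] = []
    for repo, tags in catalog.items():
        if not matches(repository, repo):
            continue
        images = [(t, ts) for t, ts in tags.items() if matches(tag, t)]
        # Cap applies per repository, newest first (assumption stated in the lead-in).
        images.sort(key=lambda item: item[1], reverse=True)
        if cap > 0:
            images = images[:cap]
        selected.extend((repo, t) for t, _ in images)
    return selected


if __name__ == "__main__":
    print(select_images(CATALOG))                                   # everything
    print(select_images(CATALOG, repository="team-a/*"))            # prefix match
    print(select_images(CATALOG, repository="team-a/api", tag="1.*"))
    print(select_images(CATALOG, repository="team-a/*", cap=1))     # newest per repo
```

A blank Repository field with Cap 0 is the broadest setting and will pull every tag ever pushed, including stale ones, through the scanning Defender; a prefix filter plus a Cap keeps scan traffic proportional to what is actually deployed.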

Results

Verify that the images in the repository are being scanned.

  1. Go to Monitor > Vulnerabilities > Registry.

    A progress bar shows the status of the current scan. As the scan of each image is completed, its findings are added to the results table.

  2. To get details about the vulnerabilities in an image, click on it.

To force a specific repository to be scanned again, select it from the drop-down menu on the top right of the results table, then click the Scan button.

3. Troubleshooting

If Artifactory is deployed as an insecure registry, Defender cannot pull images for scanning until an exception is configured in the Docker daemon configuration. On the machine where the registry-scanning Defender runs, add the address of the insecure registry to the Docker daemon's insecure-registry list, then restart the Docker service. For more information, see the Docker documentation.
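The exception lives in the Docker daemon's `insecure-registries` list (in `/etc/docker/daemon.json` on a typical Linux host). The script below is an added example, not from the Twistlock documentation: it adds one `host[:port]` entry to that list idempotently, preserves any other daemon settings already in the file, and writes the file atomically so dockerd never reads a half-written configuration. The registry address `art.example.com:443` is a placeholder; the Docker service must still be restarted afterwards for the change to take effect.

```python
"""
Added example (not from the Twistlock docs). Adds an insecure-registry exception to
the Docker daemon configuration on the host running the registry-scanning Defender.
The default registry address below is a placeholder.
"""
import json
import sys
from pathlib import Path
from typing import Any, Dict, Tuple

DAEMON_JSON = Path("/etc/docker/daemon.json")  # default dockerd config path on Linux


def add_insecure_registry(config: Dict[str, Any], registry: str) -> Tuple[Dict[str, Any], bool]:
    """Return (updated config, changed). `registry` is 'host[:port]' (or a CIDR), not a URL."""
    if "://" in registry:
        raise ValueError("insecure-registries entries are host[:port], not URLs with a scheme")
    entries = list(config.get("insecure-registries", []))
    if registry in entries:
        return config, False          # already present: nothing to write, no restart needed
    updated = dict(config)            # keep every other daemon setting untouched
    updated["insecure-registries"] = entries + [registry]
    return updated, True


def load_config(path: Path) -> Dict[str, Any]:
    """Read daemon.json, treating a missing or empty file as an empty configuration."""
    if not path.exists() or not path.read_text().strip():
        return {}
    return json.loads(path.read_text())


def write_config(path: Path, config: Dict[str, Any]) -> None:
    """Write the configuration via a temp file and rename, so the update is atomic."""
    tmp = path.with_name(path.name + ".tmp")
    tmp.write_text(json.dumps(config, indent=2) + "\n")
    tmp.replace(path)


if __name__ == "__main__":
    registry = sys.argv[1] if len(sys.argv) > 1 else "art.example.com:443"  # placeholder
    cfg, changed = add_insecure_registry(load_config(DAEMON_JSON), registry)
    if changed:
        write_config(DAEMON_JSON, cfg)
        print(f"added {registry}; now run: sudo systemctl restart docker")
    else:
        print(f"{registry} already listed; no restart needed")
```

Keep the entry as narrow as the registry's actual address: an insecure-registry exception lets the daemon fall back to plain HTTP or an unverified certificate for that host, so a broad entry weakens image-pull integrity for everything else matching it. Treating the registry's TLS properly and removing the exception is the durable fix.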