Connect JFrog container registry - Administrator Guide - Cortex CLOUD

Follow the wizard to connect your JFrog Container Registry with Cortex Cloud.

1. Navigate to Settings → Data Sources & Integrations.

2. On the Add Data Sources or Integrations page, click + Add New, search for JFrog, then hover over it and click Add.

3. Select Image scanning to continue scanning your container images.

   If you want to enable Software Composition Analysis (SCA) scanning for your private packages, then select Package resolution for code scanning and refer to JFrog Artifactory for more details.

4. The Instance Name is automatically populated. You can change it to a more meaningful name.

5. Choose the Scan Mode, and then follow the steps provided for that mode to configure the connection.

   Cloud Scan

   Security scanning is done in the Cortex cloud environment when you select this mode.

   1. Select the appropriate Cloud Provider and Region for the Cortex environment to use for registry scanning.

      As a best practice, choose the region closest to your registry deployment to achieve the best scanning throughput and potentially reduce cloud costs.

   2. (Optional) Enable Allow access by IPs to specify a static IP address for the scanner to use. Make sure the static IP is allowed through your firewall so the scanner can access the registry during the scanning process.

   3. Choose the relevant Account Type for JFrog deployments:

      JFrog Cloud (Saas)

      1. Enter your JFrog Account Name.

         For example, the scanner connects to https://myaccount.jfrog.io, where <myaccount> is your actual account name.

      2. Under Authentication Method, enter your JFrog account credentials (Username and Password) for authentication.

      JFrog Self-Hosted

      1. Enter the JFrog Artifactory URL as the Registry URL.

         For example, https://artifactory.example.com/artifactory, where <artifactory.example.com> is your server's domain or IP address.

      2. Under Authentication Method, enter your JFrog user credentials (Username and Password) for authentication.

      3. (Optional) Expand Show Advanced Settings, and then enter the CA certificate in PEM format for Cortex to validate the JFrog Artifactory registry.

   4. Select Next.

   Scan with Outpost

   Security scanning is done on infrastructure deployed to a cloud account that you own. This mode requires additional cloud provider permissions and may incur extra costs.

   Prerequisite:

   Ensure an Outpost is connected to your tenant.

   1. Choose a Cloud Provider to initialize registry scanning.

      Note

      If you choose Azure as the Cloud Provider, you must also select the Tenant Id. The Tenant Id is required to approve Cortex as an enterprise application in your Azure tenant.

   2. Choose Outpost account to use for this instance. If no Outposts are shown, you can Create a new one. For more details, see Outposts.

      Note

      If you choose Azure as the cloud provider, only Outposts associated with the selected tenant ID are displayed.

   3. Select the Region where the registry is hosted.

   4. (Optional) Enable Allow access by IPs if you want to specify a static IP address for the scanner to use. Make sure the static IP is allowed through your firewall so that the scanner can access the registry during the scanning process.

   5. Choose the relevant Account Type for JFrog deployments:

      JFrog Cloud (Saas)

      1. Enter your JFrog Account Name.

         For example, the scanner connects to https://myaccount.jfrog.io, where <myaccount> is your actual account name.

      2. Under Authentication Method, enter your JFrog account credentials (Username and Password) for authentication.

      JFrog Self-Hosted

      1. Enter the JFrog Artifactory URL as the Registry URL.

         For example, https://artifactory.example.com/artifactory, where <artifactory.example.com> is your server's domain or IP address.

      2. Under Authentication Method, enter your JFrog user credentials (Username and Password) for authentication.

      3. (Optional) Expand Show Advanced Settings, and then enter the custom CA certificate in PEM format for Cortex to validate the JFrog Artifactory registry.

   6. Select Next.

   Scan with Broker VM

   Security scanning in private networks is done using broker VM infrastructure when you select this mode.

   Prerequisite:

   • Set up and configure Broker VM

   • Configure High Availability Cluster

   1. Choose a Scan with Broker VM mode to initiate registry scanning. You can select either a standalone Broker VM or a High Availability (HA) Cluster.

   2. Select Applicable Broker VMs.

      Choose the appropriate Broker VM or Cluster from the list configured in your tenant.

      Note

      • The list of Broker VMs displays only VMs that support registry scanning.

      • The list of high-availability Clusters displays only clusters that contain at least one VM supporting registry scanning.

      • The registry scanning status for each VM appears in brackets if it was previously activated for that specific VM.

      If the list does not display any Broker VMs or Clusters, Add New Broker VM or Add New Cluster. For more details, see Set up and configure Broker VM.

   3. Choose the relevant Account Type for JFrog deployments:

      JFrog Cloud (Saas)

      1. Enter your JFrog Account Name.

         For example, the scanner connects to https://myaccount.jfrog.io, where <myaccount> is your actual account name.

      2. Under Authentication Method, enter your JFrog account credentials (Username and Password) for authentication.

      JFrog Self-Hosted

      1. Enter the JFrog Artifactory URL as the Registry URL.

         For example, https://artifactory.example.com/artifactory, where <artifactory.example.com> is your server's domain or IP address.

      2. Under Authentication Method, enter your JFrog user credentials (Username and Password) for authentication.

      3. (Optional) Expand Show Advanced Settings.

         1. Select Use insecure connection to pull images if you want to allow image pull from the registry over an HTTP connection instead of HTTPS.

         2. Enter the CA certificate in PEM format for Cortex to validate the JFrog Artifactory registry.

   4. Select Next.

6. In Initial Scan Configuration, set your scanning process to focus on recently added or modified container images and exclude older ones that do not align with your current scanning objectives. This setting helps avoid unnecessary scans. Choose one of the following options:

   • All: Scans all container images, including all versions (tags), in all discovered repositories.

   • Latest Tag: Scans only images tagged 'latest' in all discovered repositories.

   • Days Modified: Scans container images created or modified in the last few days. You can select a range of up to 90 days for the scan.

7. Select Save.

   When the JFrog data source is saved successfully, a new data connector is created, and the initial discovery scan is started. The connection process may take up to 15 minutes.

8. To check connector status and scan results, follow these steps:

   1. Navigate to Settings → Data Sources & Integrations.

   2. Find the JFrog Artifactory instance from the list of 3rd Party Data Sources connectors, or use Search.

   3. In the JFrog Artifactory instance row, select View Details. The JFrog Artifactory Instances page appears.

   4. On the JFrog Artifactory Instances page, you can filter results by any heading and value.

   5. Select an instance name to open the details pane. The details pane contains the following granular information:

      Instance Details	Description
      Status	Shows the status of the connector: Connected, Error, Warning, Disabled, or Pending.
      Applet Status on Broker VM	Shows the status of the Registry Scanner applet on the Broker VM page. This status is visible only when the Scan with Broker VM mode is selected.
      Repositories	Shows the number of scanned repositories in the registry.
      Scan Mode	Shows the selected scan mode for the data connector, such as Cloud Scan, Scan with Outpost, or Scan with Broker VM.
      Security Capabilities	Shows a breakdown of the security capabilities enabled on the instance and their individual statuses. For example, select Registry Scanning when it shows a warning or error status to see the open errors and issues that contributed to the status.

9. Next Steps.

   • After the scan is complete, you can view the list of scanned images on the Container Images Inventory page. For more details, see Container Image assets.Container Images

   • If you have selected the Scan with Broker VM option, then a Registry Scanner applet is created on the selected Broker VM or Cluster. For details, see Verify Registry Scanner connection.