JFrog Artifactory
Artifactory is a polyglot artifact host — a single Artifactory instance can expose many Docker repositories side by side, plus Maven, npm, Helm, and so on. The non-obvious part is the URL layout: every Docker repository is its own registry, and you'll connect each one separately.
URL layouts
Artifactory supports two configurations for Docker registries; both work with HarborGuard.
| Layout | Example | Notes |
|---|---|---|
| Subdomain (recommended) | mycompany-docker-prod.jfrog.io | One DNS entry per repo; cleanest |
| Path | mycompany.jfrog.io/docker-prod | Single host, repo is the first path component |
| Repository-path on shared host | mycompany.jfrog.io/artifactory/docker-prod | Older self-hosted layout |
The wizard auto-detects *.jfrog.io as JFrog. For self-hosted Artifactory (artifactory.example.com), pick JFrog Artifactory manually.
Auth options
| Method | When to use | HarborGuard fields |
|---|---|---|
| Identity token (recommended) | Modern, scoped, revocable | Username = the user the token was issued for, Password = identity token |
| Reference / API key (legacy) | Older Artifactory versions | Username + API key |
| Username + password | Quick test, not recommended in prod | Standard fields |
| Access token (admin-issued) | Service / pipeline accounts | Username = the token's sub, Password = the token |
Add the registry
- Registries → Connect Registry.
- Registry URL — exactly as `docker login` would expect. For subdomain layout, just the host. For path layout, host + repo path.
- Cloud mode: enter username + identity token.
- Save.
If you have five Docker repos and want to scan all of them, create five HarborGuard registry connections.
Required permissions
The user / token needs:
- Read on the Docker repository.
- Annotate is not needed.
- Manage is not needed.
For an admin-issued access token: scope applied-permissions/groups:readers (or a custom group) and audience covering the Artifactory base URL.
Push-event sync
Artifactory webhooks live under Administration → General → Webhooks.
- Create a webhook with event domain Docker and event Pushed.
- URL: `https://<your-harborguard-host>/api/webhooks/jfrog`.
- Filter to the specific repository or repositories you want.
- Add a custom header for the shared secret (HarborGuard validates HMAC).
- Set the registry's schedule to `on_push`.
Common pitfalls
- Path-style URL with a trailing slash. `mycompany.jfrog.io/docker-prod/` and `mycompany.jfrog.io/docker-prod` are treated as different registries by HarborGuard's URL match — the wizard normalizes by stripping the trailing slash, but pre-existing connections may differ.
- Virtual repositories. A Docker virtual repo aggregates local + remote repos. HarborGuard scans whatever resolves at pull time. If a virtual repo points at a remote (proxy) repo, you're scanning Docker Hub through Artifactory; see Docker Hub's rate limits.
- `artifactory/api/docker/<repo>` is the API path, not the registry path. That path appears in JFrog REST docs but is wrong for `docker login`. Use the layouts in the table above.
- Onboarding a token without the matching user. Identity tokens carry an implied subject. Putting an unrelated username in the wizard alongside the token will succeed at the `/v2/` probe but fail with 403 on first pull.
- Cloud-hosted vs self-hosted. SaaS Artifactory (`*.jfrog.io`) is reachable from cloud mode. Self-hosted often isn't — deploy a sensor.
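A pre-flight check for the first and third pitfalls above, as an added example rather than HarborGuard's own code. The function names and the sample list are hypothetical; the layout names follow the URL layouts table.

```python
from urllib.parse import urlsplit

# Constructed sample of stored connection URLs (hosts reused from the table above).
SAMPLE_CONNECTIONS = [
    "mycompany.jfrog.io/docker-prod/",
    "mycompany.jfrog.io/docker-prod",
    "mycompany-docker-prod.jfrog.io",
    "mycompany.jfrog.io/artifactory/docker-prod",
]


def normalize_registry_url(raw: str) -> tuple[str, str]:
    """Return (normalized_url, layout) for a URL typed as for docker login."""
    raw = raw.strip()
    # docker login takes host[/path]; tolerate a pasted scheme by parsing it off.
    parts = urlsplit(raw if "://" in raw else "//" + raw)
    host = parts.hostname or ""  # urlsplit lowercases the hostname
    if not host:
        raise ValueError(f"no host in {raw!r}")
    if parts.port:
        host = f"{host}:{parts.port}"
    # Splitting on "/" and dropping empty parts removes any trailing slash.
    segments = [s for s in parts.path.split("/") if s]
    # The REST API path from the JFrog docs is not a registry path.
    if segments[:3] == ["artifactory", "api", "docker"]:
        raise ValueError("artifactory/api/docker/<repo> is the API path")
    if not segments:
        layout = "subdomain"  # host only
    elif len(segments) == 1 and segments[0] != "artifactory":
        layout = "path"  # host + repo
    elif len(segments) == 2 and segments[0] == "artifactory":
        layout = "repository-path"  # host/artifactory/repo
    else:
        raise ValueError(f"unrecognised layout: {raw!r}")
    return "/".join([host, *segments]), layout


def find_duplicates(connections: list[str]) -> dict[str, list[str]]:
    """Group stored URLs that normalize to the same registry."""
    groups: dict[str, list[str]] = {}
    for url in connections:
        key, _ = normalize_registry_url(url)
        groups.setdefault(key, []).append(url)
    return {k: v for k, v in groups.items() if len(v) > 1}
```

Run `find_duplicates` over connections created before the wizard's normalization to find pairs that differ only by a trailing slash. A host-only URL is reported as `subdomain` even when it is really the Artifactory root, so the catalog symptom in the troubleshooting table still needs a manual check.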
Troubleshooting
| Symptom | Likely cause |
|---|---|
| 401 on test, 200 with the same creds via curl | Username doesn't match the identity token's subject |
| Catalog returns repos that aren't Docker | Path-style URL hit the Artifactory root rather than a Docker repo — use the subdomain or include the repo name |
| Sync stalls on a single very large image | Layer downloads timing out — increase scanner timeout in your settings |
| Webhook hits the right URL but never matches | Wrong event domain — must be Docker → Pushed, not Artifact → Created |