Overview

JFrog Artifactory is a binary repository manager that can serve as a secure private Docker registry. When images are added to (or replaced in) certain JFrog repositories (as configured), a Webhook notifies Aqua to scan those images.


This topic explains the configuration required to set up the JFrog plugin so that it sends notifications to Aqua to scan new or modified images.


A JFrog plugin sends a webhook POST request to the Aqua Server when a new image is created or an existing image is modified in JFrog Artifactory. When the JFrog integration is complete, Aqua pulls these images and scans them automatically. For more information on the JFrog integration, refer to General Configurations for Image Registries and Repositories.


Artifactory plugin directory

This section lists the plugin directories in JFrog Artifactory in which you store the webhook files to install the plugin. How the directory is used is explained in the Download Plugin section. The directory depends on the version of JFrog Artifactory that you use, as listed below:

  • JFrog Artifactory Version 7.x and higher: /artifactory/var/etc/artifactory/plugins 
  • JFrog Artifactory Version lower than 7.x: /opt/jfrog/artifactory/etc/plugins  

The JFrog directory location is referred to as <PLUGIN_DIR> in the following procedures.


Install Webhook plugin in JFrog Artifactory

A JFrog plugin sends a webhook POST request to the Aqua Server. The plugin consists of two components:

  • webhook.groovy: the actual Artifactory plugin
  • webhook.config.json: configuration file for setting the URL and events for activation


Installing the webhook plugin in JFrog requires the following procedures, which are explained in the sections below:

  1. Download plugin
  2. Create the config file webhook.config.json
  3. Install the plugin in JFrog Artifactory


Download Plugin

To download the JFrog webhook plugin:

  1. Click the download link: https://download.aquasec.com/plugins/artifactory-webhook/webhook.groovy
  2. Enter the username and password which you have received from Aqua Security.
  3. Ensure that the path configured inside this file specifies the correct Artifactory plugin directory for the version of JFrog Artifactory that you use currently.

Edit the configuration file path as shown below only if you use JFrog Artifactory Version 7.x or higher. Look for the CONFIG_FILE_PATH string and replace the 'artifactory.home'}/etc/plugins... text in the following configuration file path:

final String CONFIG_FILE_PATH = "${System.properties.'artifactory.home'}/etc/plugins/webhook.config.json"


with 'jfrog.home'}/artifactory/var... as shown in the following configuration file path:

final String CONFIG_FILE_PATH = "${System.properties.'jfrog.home'}/artifactory/var/etc/artifactory/plugins/webhook.config.json"


If you use a JFrog Artifactory version lower than 7.x, the configuration file path does not require any edit and you can use it as it is.


Create the config file webhook.config.json

To create the webhook configuration JSON file:

  1. Copy the following text and create a file, webhook.config.json:

{
  "webhooks": {
    "docker": {
      "events": [
        "docker.tagCreated"
      ],
      "repositories": [
        "*"
      ],
      "aquaConsoleAddress": "<http://aqua-console-ip:port>",
      "repoPathAccessMethod": <true/false>,
      "aquaRegistryName": "<name of the registry integration in Aqua Console>",
      "aquaUsername": "<username>",
      "aquaPassword": "<password>",
      "authHeader": "<name of authorization header used by Aqua Console, default is Authorization>",
      "enabled": true
    }
  }
}


  2. Add values to the respective keys in the JSON file, using the following descriptions:


| Key | Value |
|---|---|
| events | The events to listen to. Only docker.tagCreated is supported. |
| repositories | The list of repositories on which event triggering should be enabled. You can use the wildcard (*) to enable it for any repository. |
| aquaConsoleAddress | URL of the Aqua Server |
| repoPathAccessMethod | Set this to true when "Docker Access Method" under "HTTP Settings" is set to Repository Path. |
| aquaRegistryName | Name of the registry integration in the Aqua Server configured to work with Artifactory |
| aquaUsername | Username of an Aqua user with scanner permissions (a user who has permissions to execute Scanner CLI commands) |
| aquaPassword | Password of the user defined as aquaUsername |
| authHeader | Name of the authorization header used by Aqua Server. The default is Authorization. It can be modified by setting the AUTHORIZATION_HEADER environment variable in the Aqua Server container. |
| enabled | Whether this Webhook should be enabled. This is normally set to true. |
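
A pre-install check for the file created in this procedure, as an added example (not Aqua's or JFrog's code). It validates the keys described in the table and adds two hardening checks that are assumptions of this example: owner-only file permissions and an https console address, because the file stores aquaPassword in clear text.

```python
import json
import os
import stat
from urllib.parse import urlparse

# Key names come from the table above; the checks are this example's own.
# authHeader is treated as optional because the page gives it a default.
REQUIRED = ("events", "repositories", "aquaConsoleAddress", "repoPathAccessMethod",
            "aquaRegistryName", "aquaUsername", "aquaPassword", "enabled")


def check_webhook_config(path):
    """Return a list of findings for a webhook.config.json file (empty = clean)."""
    findings = []
    # The file holds aquaPassword in clear text: only the owner should read it.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & 0o077:
        findings.append(f"file mode {mode:o} lets group/others access the password")
    try:
        with open(path, encoding="utf-8") as fh:
            hooks = dict(json.load(fh)["webhooks"])
    except (ValueError, KeyError, TypeError) as exc:
        # An unedited template fails here: <true/false> is not valid JSON.
        return findings + [f"not a usable config: {exc!r}"]
    for name, hook in hooks.items():
        if not isinstance(hook, dict):
            findings.append(f"{name}: webhook entry is not a JSON object")
            continue
        for key in REQUIRED:
            if key not in hook:
                findings.append(f"{name}: missing key {key}")
        for key, value in hook.items():
            if isinstance(value, str) and value.startswith("<") and value.endswith(">"):
                findings.append(f"{name}: {key} still holds a template placeholder")
        if not isinstance(hook.get("repoPathAccessMethod"), bool):
            findings.append(f"{name}: repoPathAccessMethod must be true or false")
        if hook.get("events") != ["docker.tagCreated"]:
            findings.append(f"{name}: only docker.tagCreated is supported")
        url = urlparse(str(hook.get("aquaConsoleAddress", "")))
        if url.scheme != "https":
            findings.append(f"{name}: aquaConsoleAddress is not https; "
                            "credentials would cross the network unencrypted")
    return findings
```

Run it against webhook.config.json before copying the file into <PLUGIN_DIR>, and again on the copy inside <PLUGIN_DIR> to confirm the permissions survived the copy.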

Install the plugin in JFrog Artifactory

Install the plugin in JFrog Artifactory so that it calls the events API to send a notification to Aqua when a new image tag is created. The procedure differs depending on whether Artifactory runs as a service or process, or as a container.


Artifactory runs as a service or a process

Take the following actions to install the plugin:

  1. Run the following commands to copy the files webhook.groovy and webhook.config.json into the Artifactory plugin directory:

cp webhook.groovy <PLUGIN_DIR>
cp webhook.config.json <PLUGIN_DIR>


  2. Restart the Artifactory service by running the following command:

sudo systemctl restart artifactory.service

Artifactory runs as a container

The following procedures explain how to copy the files webhook.groovy and webhook.config.json into the Artifactory plugin directory. The procedure is different for Kubernetes deployments and Docker deployments as explained in the following sections.


Kubernetes deployments

Take the following actions to install the plugin in a Kubernetes deployment:

  1. Copy the following Kubernetes command.
  2. Replace <NAMESPACE/CONTAINER-NAME> with the actual namespace and container name, and <PLUGIN_DIR> with the directory as defined in the Artifactory plugin directory section.
  3. Run the commands.

kubectl cp webhook.config.json <NAMESPACE/CONTAINER-NAME>:<PLUGIN_DIR>
kubectl cp webhook.groovy <NAMESPACE/CONTAINER-NAME>:<PLUGIN_DIR>


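  4. Restart the pod by running the following command:

# kubectl has no "restart" subcommand; deleting the pod makes its controller recreate it.
# Assumes <PLUGIN_DIR> is on a persistent volume, so the copied files survive.
kubectl delete pod <CONTAINER-NAME> --namespace <NAMESPACE>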

Docker deployments

Take the following actions to install the plugin in a Docker deployment:

  1. Copy the following Docker command.
  2. Replace <CONTAINER-NAME/ID> with the actual container name and <PLUGIN_DIR> with the directory as defined in the Artifactory plugin directory section.
  3. Run the commands.

docker cp webhook.config.json <CONTAINER-NAME/ID>:<PLUGIN_DIR>
docker cp webhook.groovy <CONTAINER-NAME/ID>:<PLUGIN_DIR>

  4. Restart the container by running the following command:

docker restart <CONTAINER-NAME/ID>