diff --git a/content/manuals/scout/explore/metrics-exporter.md b/content/manuals/scout/explore/metrics-exporter.md index 5426d265a8b..526da7f71a0 100644 --- a/content/manuals/scout/explore/metrics-exporter.md +++ b/content/manuals/scout/explore/metrics-exporter.md @@ -36,13 +36,18 @@ The metrics endpoint exposes the following metrics: ## Creating an access token -To export metrics from your organization, first make sure your organization is enrolled in Docker Scout. -Then, create a Personal Access Token (PAT) - a secret token that allows the exporter to authenticate with the Docker Scout API. +To export metrics from your organization, first make sure your organization is +enrolled in Docker Scout. Then, create either an organization access token or a +personal access token. These tokens are used to authenticate to Docker Scout. -The PAT does not require any specific permissions, but it must be created by a user who is an owner of the Docker organization. -To create a PAT, follow the steps in [Create an access token](/security/for-developers/access-tokens/#create-an-access-token). +The access token does not require any specific permissions, but if you choose +to use a personal access token, it must be created by a user who is an owner of +the Docker organization. -Once you have created the PAT, store it in a secure location. +For instructions on how to create an access token, follow the steps in [Create +an access token](/security/for-developers/access-tokens/#create-an-access-token). + +Once you have created the access token, store it in a secure location. You will need to provide this token to the exporter when scraping metrics. ## Prometheus 
@@ -70,11 +75,11 @@ Make sure that there's no firewall rule in place preventing the server from comm ### Add bearer token authentication -To scrape metrics from the Docker Scout Exporter endpoint using Prometheus, you need to configure Prometheus to use the PAT as a bearer token. -The exporter requires the PAT to be passed in the `Authorization` header of the request. +To scrape metrics from the Docker Scout Exporter endpoint using Prometheus, you need to configure Prometheus to use the Docker access token as a bearer token. +The exporter requires the access token to be passed in the `Authorization` header of the request. Update the Prometheus configuration file to include the `authorization` configuration block. -This block defines the PAT as a bearer token stored in a file: +This block defines the access token as a bearer token stored in a file: ```yaml scrape_configs: @@ -84,10 +89,10 @@ scrape_configs: credentials_file: /etc/prometheus/token ``` -The content of the file should be the PAT in plain text: +The content of the file should be the access token in plain text: ```console -dckr_pat_... +dckr_oat_... ``` If you are running Prometheus in a Docker container or Kubernetes pod, mount the file into the container using a volume or secret. @@ -112,7 +117,7 @@ alongside Grafana with a pre-configured dashboard to visualize the vulnerability and store it in a plain text file at `/prometheus/prometheus/token` under the template directory. ```plaintext {title=token} - $ echo $DOCKER_PAT > ./prometheus/token + $ echo $DOCKER_TOKEN > ./prometheus/token ``` 3. In the Prometheus configuration file at `/prometheus/prometheus/prometheus.yml`, @@ -245,7 +250,7 @@ and a Datadog site. and store it in a plain text file at `/datadog/token` under the template directory. ```plaintext {title=token} - $ echo $DOCKER_PAT > ./token + $ echo $DOCKER_TOKEN > ./token ``` 3. In the `/datadog/compose.yaml` file, update the `DD_API_KEY` and `DD_SITE` environment variables 
@@ -346,8 +351,8 @@ To change the scrape interval: ## Revoke an access token -If you suspect that your PAT has been compromised or is no longer needed, you can revoke it at any time. -To revoke a PAT, follow the steps in the [Create and manage access tokens](/security/for-developers/access-tokens/#modify-existing-tokens). +If you suspect that your access token has been compromised or is no longer needed, you can revoke it at any time. +To revoke an access token, follow the steps in the [Create and manage access tokens](/security/for-developers/access-tokens/#modify-existing-tokens). -Revoking a PAT immediately invalidates the token, and prevents Prometheus from scraping metrics using that token. -You will need to create a new PAT and update the Prometheus configuration to use the new token. +Revoking an access token immediately invalidates the token, and prevents Prometheus from scraping metrics using that token. +You will need to create a new access token and update the Prometheus configuration to use the new token. diff --git a/content/manuals/scout/how-tos/configure-cli.md b/content/manuals/scout/how-tos/configure-cli.md index d65cc660840..49b57c311cf 100644 --- a/content/manuals/scout/how-tos/configure-cli.md +++ b/content/manuals/scout/how-tos/configure-cli.md 
@@ -18,9 +18,9 @@ CLI commands, and the corresponding `docker/scout-cli` container image: | DOCKER_SCOUT_OFFLINE | Boolean | Use [offline mode](#offline-mode) when indexing SBOM | | DOCKER_SCOUT_REGISTRY_TOKEN | String | Token for authenticating to a registry when pulling images | | DOCKER_SCOUT_REGISTRY_USER | String | Username for authenticating to a registry when pulling images | -| DOCKER_SCOUT_REGISTRY_PASSWORD | String | Password or personal access token for authenticating to a registry when pulling images | +| DOCKER_SCOUT_REGISTRY_PASSWORD | String | Password or access token for authenticating to a registry when pulling images | | DOCKER_SCOUT_HUB_USER | String | Docker Hub username for authenticating to the Docker Scout backend | -| DOCKER_SCOUT_HUB_PASSWORD | String | Docker Hub password or personal access token for authenticating to the Docker Scout backend | +| DOCKER_SCOUT_HUB_PASSWORD | String | Docker Hub password or access token for authenticating to the Docker Scout backend | | DOCKER_SCOUT_NEW_VERSION_WARN | Boolean | Warn about new versions of the Docker Scout CLI | | DOCKER_SCOUT_EXPERIMENTAL_WARN | Boolean | Warn about experimental features | | DOCKER_SCOUT_EXPERIMENTAL_POLICY_OUTPUT | Boolean | Disable experimental output for policy evaluation | diff --git a/content/manuals/scout/install.md b/content/manuals/scout/install.md index eeb546ad4e5..5b33517a286 100644 --- a/content/manuals/scout/install.md +++ b/content/manuals/scout/install.md @@ -115,8 +115,8 @@ Use the `docker/scout-cli` to run `docker scout` commands without installing the ```console $ docker run -it \ - -e DOCKER_SCOUT_HUB_USER= \ - -e DOCKER_SCOUT_HUB_PASSWORD= \ + -e DOCKER_SCOUT_HUB_USER= \ + -e DOCKER_SCOUT_HUB_PASSWORD= \ docker/scout-cli ``` diff --git a/content/manuals/scout/integrations/environment/cli.md b/content/manuals/scout/integrations/environment/cli.md index 8ebb44ae347..fe9176d09ce 100644 --- a/content/manuals/scout/integrations/environment/cli.md 
+++ b/content/manuals/scout/integrations/environment/cli.md @@ -20,7 +20,7 @@ refer to the [CLI reference](/reference/cli/docker/scout/environment.md). Before you start, set the following environment variables in your CI system: - `DOCKER_SCOUT_HUB_USER`: your Docker Hub username -- `DOCKER_SCOUT_HUB_PASSWORD`: your Docker Hub personal access token +- `DOCKER_SCOUT_HUB_PASSWORD`: your Docker Hub access token Make sure the variables are accessible to your project. diff --git a/content/manuals/scout/integrations/registry/artifactory.md b/content/manuals/scout/integrations/registry/artifactory.md index cc0d1774e5f..cf72876d69c 100644 --- a/content/manuals/scout/integrations/registry/artifactory.md +++ b/content/manuals/scout/integrations/registry/artifactory.md 
@@ -90,13 +90,19 @@ The configuration file includes the following properties: | --------------------------- | ------------------------------------------------------------------------------- | | `agent_id` | Unique identifier for the agent. | | `docker.organization_name` | Name of the Docker organization. | -| `docker.username` | Username of the admin user in the Docker organization. | -| `docker.pat` | Personal access token of the admin user with read and write permissions. | +| `docker.username` | Docker organization, or the username of a Docker organization owner. | +| `docker.pat` | Docker access token. [^1] | | `artifactory.base_url` | Base URL of the Artifactory instance. | | `artifactory.username` | Username of the Artifactory user with read permissions that the agent will use. | | `artifactory.password` | Password or API token for the Artifactory user. | | `artifactory.image_filters` | Optional: List of repositories and images to analyze. | +[^1]: + If you specify a Docker organization as `docker.username`, you must use an + organization access token for `docker.pat`. If `docker.username` refers to + the username of an organization owner, `docker.pat` must be a personal + access token created for that user. + If you don't specify any repositories in `artifactory.image_filters`, the agent runs image analysis on all images in your Artifactory instance. diff --git a/content/manuals/security/for-admins/access-tokens.md b/content/manuals/security/for-admins/access-tokens.md index f19bcedb9d9..133072804cb 100644 --- a/content/manuals/security/for-admins/access-tokens.md +++ b/content/manuals/security/for-admins/access-tokens.md @@ -15,7 +15,6 @@ The organization access tokens feature is currently in [Beta](../../release-life > Organization access tokens aren't currently compatible with the following services: > > - Docker Build Cloud -> - Docker Scout > - Docker REST APIs > > If you use these services, you must use personal access tokens instead.
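Review bot: In `metrics-exporter.md`, "Creating an access token" (`@@ -36,13 +36,18 @@`) now offers an organization access token as an option, but the only creation link is still `/security/for-developers/access-tokens/#create-an-access-token`, the same target the old PAT-only text used. Add a link to the organization access token instructions next to it, so a reader who picks that option has steps to follow. The context line in `security/for-admins/access-tokens.md` says organization access tokens are currently in Beta; consider saying so here as well.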
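Review bot: In "Add bearer token authentication" (`@@ -70,11 +75,11 @@`), the sample token file now shows only `dckr_oat_...`, while the section says either token type can be used. Show both prefixes, or add a sentence that a personal access token starts with `dckr_pat_`, so a reader using a PAT does not conclude that their file is wrong.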
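Review bot: In the two template steps (`@@ -112,7 +117,7 @@` and `@@ -245,7 +250,7 @@`), `echo $DOCKER_TOKEN > ./prometheus/token` and `echo $DOCKER_TOKEN > ./token` expand the variable unquoted and create the file with whatever permissions the default umask gives. Since these lines are being edited anyway, quote the expansion as `"$DOCKER_TOKEN"` and consider a sentence telling the reader to limit the file's permissions to what the Prometheus or Datadog container needs, because the file holds a bearer credential.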
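Review bot: In "Revoke an access token" (`@@ -346,8 +351,8 @@`), the revoke link still targets `/security/for-developers/access-tokens/#modify-existing-tokens`, the page the old PAT-only wording pointed to; add the matching link for revoking an organization access token. The last two added sentences name only Prometheus, although this page also has a Datadog setup that reads the same token file, and "the steps in the [Create and manage access tokens]" needs either a noun after the link text or no "the" before it.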
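Review bot: In `configure-cli.md` and `integrations/environment/cli.md`, `DOCKER_SCOUT_HUB_PASSWORD` now accepts any "access token", but `DOCKER_SCOUT_HUB_USER` is still described only as a Docker Hub username. The Artifactory footnote in this same patch says an organization access token must be paired with the organization name as the username; state the same pairing for these variables, or say explicitly that it does not apply to the CLI.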
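Review bot: In the Artifactory properties table (`@@ -90,13 +90,19 @@`), the old `docker.pat` row required a token "with read and write permissions", and neither the new row nor the footnote says what permissions are needed. State the required permissions for each token type, or say that none are required if that is now the case. For `docker.username`, "Name of the Docker organization, or the username of a Docker organization owner" would read more clearly than "Docker organization, or ...", and since the key is still named `docker.pat`, the footnote could say in so many words that it accepts an organization access token despite the name.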