docker · dvdksn · Dec 5, 2024
@@ -36,13 +36,18 @@ The metrics endpoint exposes the following metrics:
 
 ## Creating an access token
 
-To export metrics from your organization, first make sure your organization is enrolled in Docker Scout.
-Then, create a Personal Access Token (PAT) - a secret token that allows the exporter to authenticate with the Docker Scout API.
+To export metrics from your organization, first make sure your organization is
+enrolled in Docker Scout. Then, create either an organization access token or a
+personal access token. These tokens are used to authenticate to Docker Scout.
 
-The PAT does not require any specific permissions, but it must be created by a user who is an owner of the Docker organization.
-To create a PAT, follow the steps in [Create an access token](/security/for-developers/access-tokens/#create-an-access-token).
+The access token does not require any specific permissions, but if you choose
+to use a personal access token, it must be created by a user who is an owner of
+the Docker organization.
 
-Once you have created the PAT, store it in a secure location.
+For instructions on how to create an access token, follow the steps in [Create
+an access token](/security/for-developers/access-tokens/#create-an-access-token).
+
+Once you have created the access token, store it in a secure location.
 You will need to provide this token to the exporter when scraping metrics.
 
 ## Prometheus
@@ -70,11 +75,11 @@ Make sure that there's no firewall rule in place preventing the server from comm
 
 ### Add bearer token authentication
 
-To scrape metrics from the Docker Scout Exporter endpoint using Prometheus, you need to configure Prometheus to use the PAT as a bearer token.
-The exporter requires the PAT to be passed in the `Authorization` header of the request.
+To scrape metrics from the Docker Scout Exporter endpoint using Prometheus, you need to configure Prometheus to use the Docker access token as a bearer token.
+The exporter requires the access token to be passed in the `Authorization` header of the request.
 
 Update the Prometheus configuration file to include the `authorization` configuration block.
-This block defines the PAT as a bearer token stored in a file:
+This block defines the access token as a bearer token stored in a file:
 
 ```yaml
 scrape_configs:
@@ -84,10 +89,10 @@ scrape_configs:
       credentials_file: /etc/prometheus/token
 ```
 
-The content of the file should be the PAT in plain text:
+The content of the file should be the access token in plain text:
 
 ```console
-dckr_pat_...
+dckr_oat_...
 ```
 
 If you are running Prometheus in a Docker container or Kubernetes pod, mount the file into the container using a volume or secret.
@@ -112,7 +117,7 @@ alongside Grafana with a pre-configured dashboard to visualize the vulnerability
    and store it in a plain text file at `/prometheus/prometheus/token` under the template directory.
 
    ```plaintext {title=token}
-   $ echo $DOCKER_PAT > ./prometheus/token
+   $ echo $DOCKER_TOKEN > ./prometheus/token
    ```
 
 3. In the Prometheus configuration file at `/prometheus/prometheus/prometheus.yml`,
@@ -245,7 +250,7 @@ and a Datadog site.
    and store it in a plain text file at `/datadog/token` under the template directory.
 
    ```plaintext {title=token}
-   $ echo $DOCKER_PAT > ./token
+   $ echo $DOCKER_TOKEN > ./token
    ```
 
 3. In the `/datadog/compose.yaml` file, update the `DD_API_KEY` and `DD_SITE` environment variables
@@ -346,8 +351,8 @@ To change the scrape interval:
 
 ## Revoke an access token
 
-If you suspect that your PAT has been compromised or is no longer needed, you can revoke it at any time.
-To revoke a PAT, follow the steps in the [Create and manage access tokens](/security/for-developers/access-tokens/#modify-existing-tokens).
+If you suspect that your access token has been compromised or is no longer needed, you can revoke it at any time.
+To revoke an access token, follow the steps in the [Create and manage access tokens](/security/for-developers/access-tokens/#modify-existing-tokens).
 
-Revoking a PAT immediately invalidates the token, and prevents Prometheus from scraping metrics using that token.
-You will need to create a new PAT and update the Prometheus configuration to use the new token.
+Revoking an access token immediately invalidates the token, and prevents Prometheus from scraping metrics using that token.
+You will need to create a new access token and update the Prometheus configuration to use the new token.
@@ -18,9 +18,9 @@ CLI commands, and the corresponding `docker/scout-cli` container image:
 | DOCKER_SCOUT_OFFLINE                    | Boolean | Use [offline mode](#offline-mode) when indexing SBOM                                        |
 | DOCKER_SCOUT_REGISTRY_TOKEN             | String  | Token for authenticating to a registry when pulling images                                  |
 | DOCKER_SCOUT_REGISTRY_USER              | String  | Username for authenticating to a registry when pulling images                               |
-| DOCKER_SCOUT_REGISTRY_PASSWORD          | String  | Password or personal access token for authenticating to a registry when pulling images      |
+| DOCKER_SCOUT_REGISTRY_PASSWORD          | String  | Password or access token for authenticating to a registry when pulling images               |
 | DOCKER_SCOUT_HUB_USER                   | String  | Docker Hub username for authenticating to the Docker Scout backend                          |
-| DOCKER_SCOUT_HUB_PASSWORD               | String  | Docker Hub password or personal access token for authenticating to the Docker Scout backend |
+| DOCKER_SCOUT_HUB_PASSWORD               | String  | Docker Hub password or access token for authenticating to the Docker Scout backend          |
 | DOCKER_SCOUT_NEW_VERSION_WARN           | Boolean | Warn about new versions of the Docker Scout CLI                                             |
 | DOCKER_SCOUT_EXPERIMENTAL_WARN          | Boolean | Warn about experimental features                                                            |
 | DOCKER_SCOUT_EXPERIMENTAL_POLICY_OUTPUT | Boolean | Disable experimental output for policy evaluation                                           |

@@ -115,8 +115,8 @@ Use the `docker/scout-cli` to run `docker scout` commands without installing the
 
 ```console
 $ docker run -it \
-  -e DOCKER_SCOUT_HUB_USER=<your Docker Hub user name> \
-  -e DOCKER_SCOUT_HUB_PASSWORD=<your Docker Hub PAT>  \
+  -e DOCKER_SCOUT_HUB_USER=<your-docker-username> \
+  -e DOCKER_SCOUT_HUB_PASSWORD=<your-docker-token>  \
   docker/scout-cli <command>
 ```
 

@@ -20,7 +20,7 @@ refer to the [CLI reference](/reference/cli/docker/scout/environment.md).
 Before you start, set the following environment variables in your CI system:
 
 - `DOCKER_SCOUT_HUB_USER`: your Docker Hub username
-- `DOCKER_SCOUT_HUB_PASSWORD`: your Docker Hub personal access token
+- `DOCKER_SCOUT_HUB_PASSWORD`: your Docker Hub access token
 
 Make sure the variables are accessible to your project.
 

@@ -90,13 +90,19 @@ The configuration file includes the following properties:
 | --------------------------- | ------------------------------------------------------------------------------- |
 | `agent_id`                  | Unique identifier for the agent.                                                |
 | `docker.organization_name`  | Name of the Docker organization.                                                |
-| `docker.username`           | Username of the admin user in the Docker organization.                          |
-| `docker.pat`                | Personal access token of the admin user with read and write permissions.        |
+| `docker.username`           | Docker organization, or the username of a Docker organization owner.            |
+| `docker.pat`                | Docker access token. [^1]                                                       |
 | `artifactory.base_url`      | Base URL of the Artifactory instance.                                           |
 | `artifactory.username`      | Username of the Artifactory user with read permissions that the agent will use. |
 | `artifactory.password`      | Password or API token for the Artifactory user.                                 |
 | `artifactory.image_filters` | Optional: List of repositories and images to analyze.                           |
 
+[^1]:
+    If you specify a Docker organization as `docker.username`, you must use an
+    organization access token for `docker.pat`. If `docker.username` refers to
+    the username of an organization owner, `docker.pat` must be a personal
+    access token created for that user.
+
 If you don't specify any repositories in `artifactory.image_filters`, the agent
 runs image analysis on all images in your Artifactory instance.
 

@@ -15,7 +15,6 @@ The organization access tokens feature is currently in [Beta](../../release-life
 > Organization access tokens aren't currently compatible with the following services:
 >
 > - Docker Build Cloud
-> - Docker Scout
 > - Docker REST APIs
 >
 > If you use these services, you must use personal access tokens instead.