Feature/jfrog registry scan #66
Merged
Move the canonical test-image list (TEST_REPOS, UPSTREAM_TEST_IMAGES,
push_test_images) into manifests/test-images.sh, sourced by both Quay
setup and teardown. Eliminates the ~200 lines of inline image catalog
that would otherwise have to be duplicated by the upcoming JFrog
scripts.
quay-setup.sh: 622 → 424 lines.
quay-teardown.sh: 322 → 287 lines.
No behavioural change; the helpers (pull_tag_push, add_tag,
build_and_push) remain in each setup script so they can keep using
their own ${ORG} (Quay) or ${REPO} (JFrog) destination layout.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Add manifests/jfrog/jfrog-setup.sh and jfrog-teardown.sh, mirror of
the Quay scripts. Authenticate via Bearer access token; reuse the
Containerfile contexts under manifests/quay/deep-scan-images/ and the
shared catalog from manifests/test-images.sh.
The repository pre-flight uses GET /api/repositories?type=local rather
than the per-repo configuration endpoint, which is gated to Artifactory
Pro and returns HTTP 400 on Community Edition. Validated end-to-end
against an Artifactory 7.146.8 CE instance: 22 images pushed, then
deleted via DELETE /artifactory/{repo}/{image}.
CI: trigger on feature/jfrog-registry-scan and bash -n syntax-check
all scripts under manifests/.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Quay registry scans now emit "quay" in the CSV `source` column; "jfrog" is reserved for the upcoming JFrog scan mode (Phase 3). The HTML reporter's `_compute_source_mode` is extended to recognise both new single-source values, returning "mixed" otherwise.
Breaking change for downstream consumers that filter on `source == "registry"`. CSV files generated by older releases still parse, but will be classified as "mixed" or "unknown" by the HTML report.
Done as a preparatory step before introducing JfrogClient and JfrogCollector so all future commits emit the correct value from day one.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Move the include/exclude/latest-only tag filtering logic out of RegistryCollector._filter_tags into a new src/_registry_filters.py module. The method is kept on the class as a thin wrapper so existing direct callers (notably the tests) continue to work unchanged.
The shared function will be reused by JfrogCollector in the upcoming JFrog scan mode, avoiding duplicated fnmatch/start_ts logic.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
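A sketch of the include/exclude/latest-only filtering that the commit above describes, added here as an example and not taken from the project's `src/_registry_filters.py`. The `filter_tags` signature, the tag dict shape (`name`, `start_ts`) and the rule that a tag without `start_ts` sorts as oldest are assumptions; the sample tags are constructed.

```python
from fnmatch import fnmatchcase

# Constructed sample: start_ts is epoch seconds; None models a tag whose
# timestamp enrichment failed.
SAMPLE_TAGS = [
    {"name": "1.0.0", "start_ts": 1700000000},
    {"name": "1.1.0", "start_ts": 1710000000},
    {"name": "1.2.0-rc1", "start_ts": 1720000000},
    {"name": "latest", "start_ts": None},
    {"name": "debug-1.1.0", "start_ts": 1715000000},
]


def filter_tags(tags, include=None, exclude=None, latest_only=False):
    """Return the tags to scan (hypothetical helper, assumed semantics).

    include/exclude are lists of fnmatch patterns. Exclusion wins over
    inclusion, and latest_only is applied after the pattern filters so an
    excluded tag can never be chosen as "the latest".
    """
    kept = []
    for tag in tags:
        name = tag["name"]
        # fnmatchcase avoids platform-dependent case folding, so the same
        # patterns select the same tags on every host running the scan.
        if include and not any(fnmatchcase(name, p) for p in include):
            continue
        if exclude and any(fnmatchcase(name, p) for p in exclude):
            continue
        kept.append(tag)
    if latest_only and kept:
        # A missing start_ts sorts as oldest rather than raising, so one
        # failed enrichment call cannot abort or hijack the selection.
        newest = max(kept, key=lambda t: (t.get("start_ts") or 0, t["name"]))
        kept = [newest]
    return kept


if __name__ == "__main__":
    picked = filter_tags(SAMPLE_TAGS, include=["1.*"], exclude=["*-rc*"],
                         latest_only=True)
    print([t["name"] for t in picked])
```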
New scan mode mirroring the Quay flow but talking to a JFrog Artifactory Docker repository. Activated by --jfrog-url, mutually exclusive with --api-url and --registry-url; emits source="jfrog" in the unified CSV.
Modules:
- src/jfrog_client.py: JfrogClient with Bearer auth, system/ping, list_repositories?type=local + check_repository (CE-friendly), Docker Registry v2 catalog/tags, and storage-info enrichment to produce start_ts epoch values compatible with filter_tags. The ping endpoint overrides Accept to text/plain to avoid HTTP 406.
- src/jfrog_collector.py: JfrogCollector mapping repo/image/tag onto the unified schema (registry_org=repo, registry_repo=image, image_name=host/repo/image:tag).
Validated end-to-end against an Artifactory 7.146.8 CE instance: 21 images collected with source=jfrog, schema-compatible CSV.
CLI:
- New flags --jfrog-url/--jfrog-token/--jfrog-repo/--jfrog-image/--jfrog-username (with JFROG_* env-var fallbacks).
- Triple mutual exclusion between --api-url, --registry-url, --jfrog-url.
- Banner, help text and epilog updated to advertise the third mode.
src/auth_utils.generate_registry_auth_json grows an optional ``username`` parameter so JFrog can pass its login user (defaults to $oauthtoken to preserve Quay behaviour).
Tests: 53 new (30 client, 12 collector, 11 CLI). Total suite 617.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
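The Community Edition pre-flight described in the JFrog setup-script and JfrogClient commits above (list local repositories, then match by key, instead of calling the per-repo configuration endpoint), as an added example that is not the project's `JfrogClient` code. Assumptions: the base URL already ends in `/artifactory`, the listing entries carry `key` and `packageType` fields, and the Docker package-type check is an extra; the host, token and listing are constructed.

```python
import json
import urllib.error
import urllib.request

# Constructed listing in the shape assumed for GET /api/repositories?type=local.
SAMPLE_LISTING = json.dumps([
    {"key": "docker-local", "type": "LOCAL", "packageType": "Docker"},
    {"key": "generic-local", "type": "LOCAL", "packageType": "Generic"},
])

def http_get(url, headers):
    """Real transport: returns (status, body) and never raises on 4xx/5xx."""
    req = urllib.request.Request(url, headers=headers)
    try:
        with urllib.request.urlopen(req, timeout=10) as resp:
            return resp.status, resp.read().decode()
    except urllib.error.HTTPError as err:
        return err.code, err.read().decode(errors="replace")

def fake_get(url, headers):
    """Offline stand-in for a CE server that accepts one constructed token."""
    if not url.endswith("/api/repositories?type=local"):
        return 400, "{}"  # models the Pro-gated per-repo endpoint on CE
    if headers.get("Authorization") != "Bearer constructed-token":
        return 401, "{}"
    return 200, SAMPLE_LISTING

def check_repository(base_url, token, repo, get=http_get):
    """Pre-flight: confirm `repo` is a local Docker repository."""
    url = base_url.rstrip("/") + "/api/repositories?type=local"
    headers = {"Authorization": f"Bearer {token}", "Accept": "application/json"}
    status, body = get(url, headers)
    # Error messages carry the status only, never the token or header.
    if status in (401, 403):
        raise PermissionError(f"access token rejected (HTTP {status})")
    if status != 200:
        raise RuntimeError(f"pre-flight failed (HTTP {status})")
    for entry in json.loads(body):
        if entry.get("key") == repo:
            if (entry.get("packageType") or "").lower() != "docker":
                raise ValueError(f"{repo!r} is not a Docker repository")
            return entry
    raise LookupError(f"{repo!r} not found among local repositories")

if __name__ == "__main__":
    base = "https://artifactory.example/artifactory"  # placeholder host
    print(check_repository(base, "constructed-token", "docker-local", fake_get))
```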
README: extend the intro/Features lists with JFrog support, add a "JFrog Container Registry Mode Prerequisites" section, expand the mode-comparison table to three columns (OpenShift / Quay / JFrog) including the CSV `source` value mapping, add a Container "Run (JFrog mode)" example, and a full "JFrog Container Registry Scan Mode" Usage section covering basic usage, single-image scan, self-hosted CE setup, token generation, env-var fallbacks, and --resume. Disambiguate the older "Registry mode" references to "Quay mode" now that there is a second registry mode.
CLAUDE.md: bump the architecture overview to three collectors, list `src/jfrog_client.py` + `src/jfrog_collector.py` and the shared `src/_registry_filters.py`, note the CE-friendly REST endpoint set, document the triple `--api-url` / `--registry-url` / `--jfrog-url` mutual exclusion, and explain the `username` parameter on `generate_registry_auth_json`. Update the state-file note to mention JFrog as a possible target.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Tag v2.5 was cut on 2026-04-18, not 2026-05-18.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
New top-level quay-vs-jfrog.md captures the differences between the
Quay REST API and the JFrog Artifactory + Docker Registry v2 API set
that the two client modules in src/ have to reconcile. Covers:
hierarchy and CSV-schema mapping, endpoint-by-endpoint comparison,
pagination styles, server- vs client-side filtering, cost/latency
trade-offs (most notably JFrog's per-tag /api/storage round trips),
deletion asymmetries, and the Pro-vs-CE endpoint split that drives
the avoidance of /api/repositories/{key} on Community Edition.
Companion to feat(jfrog) — explains the why behind the JfrogClient
implementation choices, useful when porting Quay logic forward or
extending either client.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
No description provided.