The JFrog CLI provides comprehensive integration with Docker, enabling you to run any Docker command through the jf docker interface. For key commands (push, pull, build/buildx, scan), the CLI provides enhanced functionality including automatic build-info collection and Xray vulnerability scanning.
When you use jf docker commands (for example, jf docker push, jf docker pull), the CLI acts as an intermediary layer that provides Artifactory-aware capabilities such as:
Use jf docker login to automatically authenticate your Docker client with Artifactory, allowing you to perform all Docker-related operations without manually managing credentials
Build-info collection for container images
Xray security scanning integration
Image layer tracking
The JFrog CLI for Docker operates in a Wrapped Mode where specific commands (push, pull, build/buildx, login, scan) have enhanced functionality. Other Docker commands are passed through to the native Docker client.
Modes of Operation
Wrapped Mode (Default for key commands)
For push, pull, build, login, and scan commands, the CLI provides enhanced functionality including:
Automatic login to Artifactory Docker registries
Build-info collection
Xray scanning
Native Passthrough (Other commands)
For all other Docker commands, the CLI passes arguments directly to the native Docker client without modification.
Command Reference
Syntax
jf docker <docker subcommand> [docker arguments] [command options]
Supported Subcommands
| Subcommand | Description |
|---|---|
| login | Log in to an Artifactory Docker registry |
| build | Build a Docker image with build-info collection |
| push | Push an image to Artifactory |
| pull | Pull an image from Artifactory |
| scan | Scan a local image with Xray |
| (other) | Any other Docker command |
Common Command Options
| Flag | Description | Default |
|---|---|---|
| --build-name | Build name for build-info collection. Requires --build-number. | None |
| --build-number | Build number for build-info collection. Requires --build-name. | None |
| --module | Optional module name for the build-info. | None |
| --project | JFrog Project key for the build-info. | None |
| --server-id | Server ID configured using jf config. | Default server |
| --skip-login | Skip automatic login to registry. | false |
| --threads | Number of threads for parallel operations. | 3 |
| --detailed-summary | Include detailed summary in output. | false |
| --validate-sha | Validate SHA256 checksums after push. | false |
Workflow
Step 1: Configure Artifactory Server
jf config add my-server \
--url=https://mycompany.jfrog.io \
--access-token=<ACCESS_TOKEN>
Step 2: Log in to Docker Registry
jf docker login mycompany.jfrog.io
The CLI will automatically use credentials from the configured server.
With explicit credentials:
jf docker login mycompany.jfrog.io \
--username=<USERNAME> \
--password=<PASSWORD>
Step 3: Build an Image
jf docker build -t mycompany.jfrog.io/docker-local/myapp:1.0 . \
--build-name=docker-build \
--build-number=1
Step 4: Push to Artifactory
jf docker push mycompany.jfrog.io/docker-local/myapp:1.0 \
--build-name=docker-build \
--build-number=1
Step 5: Publish Build-Info
jf rt bp docker-build 1
Command Details: jf docker login
Log in to an Artifactory Docker registry.
jf docker login [registry-url] [options]
| Flag | Description |
|---|---|
| --username | Registry username |
| --password | Registry password |
| --server-id | Server ID for authentication |
jf docker login
jf docker login mycompany.jfrog.io
jf docker login mycompany.jfrog.io -u admin -p password
jf docker login mycompany.jfrog.io --server-id=prod
When run without arguments, the command automatically fetches the registry URL and authentication details from your default JFrog CLI configuration.
Command Details: jf docker build / buildx
Note: JFrog CLI is compatible with both storage engines—the legacy overlay2 and the newer containerd-snapshotter.
jf docker build [docker build options] [options]
| Flag | Description | Default |
|---|---|---|
| --build-name | Build name for build-info | None |
| --build-number | Build number for build-info | None |
| --server-id | Server ID | Default server |
The CLI automatically logs into the registry before building if the image tag references an Artifactory registry.
jf docker build -t mycompany.jfrog.io/docker-local/myapp:1.0 . \
--build-name=app-build \
--build-number=42
jf docker build -t mycompany.jfrog.io/docker-local/myapp:1.0 . --push \
--build-name=app-build \
--build-number=42
jf docker buildx build \
--platform linux/amd64,linux/arm64 \
-t mycompany.jfrog.io/docker-local/myapp:1.0 . \
--push \
--build-name=multiarch-build \
--build-number=1
Command Details: jf docker push and pull
jf docker push <image:tag> [options]
jf docker pull <image:tag> [options]
| Flag | Description | Default |
|---|---|---|
| --build-name | Build name for build-info | None |
| --build-number | Build number for build-info | None |
| --module | Module name for build-info | None |
| --project | JFrog Project key | None |
| --server-id | Server ID | Default server |
| --skip-login | Skip automatic login | false |
| --threads | Parallel upload threads | 3 |
| --detailed-summary | Show detailed summary | false |
| --validate-sha | Validate SHA checksums | false |
jf docker push mycompany.jfrog.io/docker-local/myapp:1.0 \
--build-name=app-build \
--build-number=1
jf docker pull mycompany.jfrog.io/docker-remote/nginx:latest \
--build-name=nginx-build \
--build-number=1
Command Details: jf docker scan
jf docker scan <image:tag> [options]
Scan a local Docker image for security vulnerabilities using JFrog Xray.
jf docker scan myapp:1.0
jf docker scan myapp:1.0 --project my-project --fail
jf docker scan myapp:1.0 --format=json
jf docker scan myapp:1.0 --min-severity=High
jf docker scan myapp:1.0 --fixable-only
jf docker scan myapp:1.0 --watches my-watch
jf docker scan myapp:1.0 --repo-path docker-local/releases/
jf docker scan myapp:1.0 --sbom --sca --format=table
jf docker scan myapp:1.0 --secrets
jf docker scan myapp:1.0 --sca --secrets --validate-secrets
jf docker scan myapp:1.0 --sca --without-contextual-analysis
Native Mode Workflow, Examples, and FAQ
Native Mode Workflow
docker login mycompany.jfrog.io -u <USERNAME> -p <PASSWORD>
docker build -t mycompany.jfrog.io/docker-local/myapp:1.0 .
docker push mycompany.jfrog.io/docker-local/myapp:1.0
jf rt bdc docker-local \
--image-file=image-file.txt \
--build-name=docker-build \
--build-number=1
Examples
jf docker login mycompany.jfrog.io --server-id=prod
jf docker build -t mycompany.jfrog.io/docker-local/myapp:${VERSION} .
jf docker push mycompany.jfrog.io/docker-local/myapp:${VERSION}
jf docker scan mycompany.jfrog.io/docker-local/myapp:${VERSION}
jf rt bp myapp ${BUILD_NUMBER}
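The sequence above pushes the image before scanning it. As an added example (not taken from the JFrog documentation), the function below runs the same commands with the scan moved ahead of the push, so an image that fails the scan never reaches the registry. `release_image`, `JF_PROJECT` and `BUILD_CONTEXT` are hypothetical names, and it assumes `jf docker scan` exits non-zero when `--fail` is triggered.

```shell
#!/bin/sh
# Added example, not JFrog code: scan-gated release built only from the
# jf subcommands and flags listed on this page.
# Hypothetical names: release_image, JF_PROJECT, BUILD_CONTEXT.

release_image() {
    image=$1
    build_name=$2
    build_number=$3

    # --build-name and --build-number require each other, so refuse to
    # start without both; otherwise no build-info would be recorded.
    if [ -z "$image" ] || [ -z "$build_name" ] || [ -z "$build_number" ]; then
        echo "usage: release_image <image:tag> <build-name> <build-number>" >&2
        return 2
    fi

    jf docker build -t "$image" "${BUILD_CONTEXT:-.}" \
        --build-name="$build_name" --build-number="$build_number" || return 1

    # Gate: the image is scanned locally before it reaches the registry.
    # Assumption: jf docker scan exits non-zero when --fail is triggered.
    if ! jf docker scan "$image" --project "${JF_PROJECT:-my-project}" --fail; then
        echo "scan failed for $image; not pushing" >&2
        return 3
    fi

    jf docker push "$image" \
        --build-name="$build_name" --build-number="$build_number" \
        --validate-sha || return 4

    # Publish build-info only for an image that was actually pushed.
    jf rt bp "$build_name" "$build_number" || return 5
}
```

Call it as `release_image mycompany.jfrog.io/docker-local/myapp:1.0 docker-build 1`; the distinct return codes (2 to 5) let the CI job report which stage stopped the release.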
Frequently Asked Questions
Q: Why do I need to use jf docker instead of native docker?
A: Using jf docker provides automatic authentication, build-info collection, and Xray scanning integration.
Q: Does jf docker work with Docker Buildx?
A: Yes. The CLI passes through buildx commands to the native Docker client.
Q: Can I skip the automatic login?
A: Yes. Use the --skip-login flag if you want to manage login separately.