The Xray "Scan Status" API requires a sha256 checksum and artifact path in order to return the correct results. As Docker images contain multiple layer binaries, which checksum do you use?
The answer is the "manifest.json" file, which also contains the Docker image's tags as Artifactory Properties. We can find the information needed to get the Scan Status using these properties.
You only need to know the Docker image's tag; in this example it is "test:1.0":
1] Do an Artifactory Property Search to find the Docker manifest.json path via the known tag. In this example the tag is test:1.0, which means docker.repoName=test and docker.manifest=1.0 in the Artifactory Properties.
    curl -u admin "localhost:8081/artifactory/api/search/prop?docker.repoName=test&docker.manifest=1.0"
    {
      "results" : [ {
        "uri" : "http://localhost:8082/artifactory/api/storage/docker-local/test/1.0/manifest.json"
      } ]
    }
2] Follow that returned URI to get all its information:
    curl -u admin http://localhost:8082/artifactory/api/storage/docker-local/test/1.0/manifest.json
    {
      "repo" : "docker-local",
      "path" : "/test/1.0/manifest.json",
      "created" : "2023-04-19T16:36:35.838Z",
      "createdBy" : "admin",
      "lastModified" : "2023-04-19T16:52:17.514Z",
      "modifiedBy" : "admin",
      "lastUpdated" : "2023-04-19T16:52:17.525Z",
      "downloadUri" : "http://localhost:8082/artifactory/docker-local/test/1.0/manifest.json",
      "mimeType" : "application/json",
      "size" : "942",
      "checksums" : {
        "sha1" : "caacb7582396f1a2ec6709e695edf6fa949c6fd4",
        "md5" : "7098d25f8b8cb37818ebbfe2d011aad3",
        "sha256" : "f0a13872a6ec2d7ff0dd53c4dbb72cbc1260f3d49507a0c09267182863fde77e"
      },
      "originalChecksums" : {
        "sha256" : "f0a13872a6ec2d7ff0dd53c4dbb72cbc1260f3d49507a0c09267182863fde77e"
      },
      "uri" : "http://localhost:8082/artifactory/api/storage/docker-local/test/1.0/manifest.json"
    }
This should provide sufficient information to run the Scan Status from Xray:
    curl -u admin -H "Content-type: application/json" --data '{"path":"docker-local/test/1.0/manifest.json", "repository_pkg_type":"docker", "sha256":"f0a13872a6ec2d7ff0dd53c4dbb72cbc1260f3d49507a0c09267182863fde77e"}' localhost:8082/xray/api/v1/scan/status/artifact
    {"status":"scanned","is_impact_paths_recovery_required":false}
You can also use this checksum and path information to do other Xray API actions on this Docker image.
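The same lookup chain can be scripted so that a pipeline gate derives the Scan Status request from nothing but the image tag. The sketch below is an added example, not JFrog code: the function names are hypothetical, the sample responses are constructed from the outputs shown in steps 1 and 2, and the HTTP calls themselves are left out so it runs offline. The single-match and checksum-agreement checks are additions beyond what the steps above describe.

```python
import json
from urllib.parse import urlencode

def property_search_url(base_url, image_tag):
    """Step 1: turn 'test:1.0' into the property search URL for its manifest.json."""
    repo_name, sep, tag = image_tag.rpartition(":")
    if not sep or not repo_name or not tag:
        raise ValueError(f"expected name:tag, got {image_tag!r}")
    query = urlencode({"docker.repoName": repo_name, "docker.manifest": tag})
    return f"{base_url}/artifactory/api/search/prop?{query}"

def manifest_uri(search_response):
    """Return the single manifest.json hit; refuse to guess if several repositories match."""
    uris = [r["uri"] for r in search_response.get("results", [])
            if r.get("uri", "").endswith("/manifest.json")]
    if len(uris) != 1:
        raise LookupError(f"expected exactly one manifest.json, found {len(uris)}")
    return uris[0]

def scan_status_payload(storage_info):
    """Step 2 output -> JSON body for POST /xray/api/v1/scan/status/artifact."""
    sha256 = storage_info["checksums"]["sha256"]
    original = storage_info.get("originalChecksums", {}).get("sha256")
    if original and original != sha256:
        # Added sanity check: the two sha256 values in the response disagree.
        raise ValueError("checksums.sha256 differs from originalChecksums.sha256")
    return {"path": storage_info["repo"] + storage_info["path"],
            "repository_pkg_type": "docker", "sha256": sha256}

# Constructed sample responses, trimmed from the outputs shown in steps 1 and 2.
MANIFEST = "http://localhost:8082/artifactory/api/storage/docker-local/test/1.0/manifest.json"
SHA256 = "f0a13872a6ec2d7ff0dd53c4dbb72cbc1260f3d49507a0c09267182863fde77e"
SAMPLE_SEARCH = {"results": [{"uri": MANIFEST}]}
SAMPLE_STORAGE = {"repo": "docker-local", "path": "/test/1.0/manifest.json",
                  "checksums": {"sha256": SHA256},
                  "originalChecksums": {"sha256": SHA256}}

if __name__ == "__main__":
    print(property_search_url("http://localhost:8081", "test:1.0"))
    print(manifest_uri(SAMPLE_SEARCH))
    print(json.dumps(scan_status_payload(SAMPLE_STORAGE)))
```

A gate built on this should treat any Scan Status response other than "scanned" as a failure rather than as a pass.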