jfrog / jfrog-cli

JFrog CLI is a client that provides a simple interface that automates access to the JFrog products.
https://www.jfrog.com/confluence/display/CLI/JFrog+CLI
Apache License 2.0

Feature request support for Access Token flag in "jf docker scan" command #2162

Open Mandy4242 opened 1 year ago

Mandy4242 commented 1 year ago

Dear JFrog Team,

I am a user of the JFrog CLI and have been utilizing the "jf docker scan" command for scanning our docker images. I find the CLI to be an invaluable tool for managing and securing my artifacts and docker images.

I am writing for a feature enhancement that could streamline the process of using the "jf docker scan" command. Currently, before running the "jf docker scan" command, we need to execute the "jf c add" command to provide the JFrog artifact URL and token. While this approach works, instead of storing the token in a config file we want to pass the token with the command itself.

My feature request is to introduce an "access-token" flag directly within the "jf docker scan" command. This would allow users to provide the access token as an argument when executing the scan command, eliminating the need for a separate step to add the token. Here is an example of what the command could look like:

jf docker scan --access-token <your-access-token>

Implementing this enhancement would simplify the workflow and make the usage of the CLI even more intuitive.

I understand that your team's resources are limited and that feature decisions are made carefully. However, I believe that this enhancement could benefit many users who are looking to improve their efficiency and experience with the JFrog CLI.

Thank you for considering my feature request. I appreciate the hard work your team puts into developing and maintaining the JFrog CLI.

Looking forward to your response.

Best regards, Manideep

sverdlov93 commented 1 year ago

Hi @Mandy4242, Thanks for reaching out! Currently, jf build tool commands such as jf docker/npm/pip/etc can't support specific credentials flags because we want to support forwarding the flags to the build tool. Also, we believe that running a config command (echo $TOKEN | jf c add --interactive=false --url="myplatform.jfrog.io" --access-token-stdin) is more secure because you can provide the secrets via stdin and encrypt the stored config.

Another solution I can propose is that you can run docker save -o yourimage.tar and then jf scan yourimage.tar. jf scan supports the requested flags so this can work for you. Having said that, we will reconsider our approach and see what can be done for jf docker scan to improve the experience.
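An added example (not from the jfrog-cli project or from either commenter) of the two-step workflow described in the comment above, wrapped so that it is usable on a shared build machine: the token is read from stdin, it lives only in a throwaway server entry that is removed again before the function returns, and the saved tarball is deleted afterwards. Everything beyond the commands quoted above is an assumption: the JF_BIN/DOCKER_BIN overrides, the server-id argument to jf c add, the --server-id flag on jf scan, and jf c remove --quiet for the cleanup.

```shell
#!/bin/sh
# Added example, not part of the JFrog CLI: scan a local Docker image with a
# token that arrives on stdin and leaves no stored credentials behind.
# Assumed (not on the page): JF_BIN / DOCKER_BIN overrides, `jf c add <id>`,
# `jf scan --server-id=<id>` and `jf c remove <id> --quiet`.
set -e

JF_BIN="${JF_BIN:-jf}"
DOCKER_BIN="${DOCKER_BIN:-docker}"

# scan_image PLATFORM_URL IMAGE [TAR_PATH]
# The access token is read from stdin (never from an argument), so it does not
# show up in any process command line. Exit status is the status of the
# docker save / jf scan step, or 2 if stdin is a terminal.
scan_image() {
  url="$1"
  image="$2"
  tar_path="${3:-./image-to-scan.tar}"
  server_id="tmp-scan-$$"

  # Refuse to run interactively: the token must be piped in by the CI job.
  if [ -t 0 ]; then
    echo "scan_image: pipe the access token on stdin" >&2
    return 2
  fi

  # Step 1: throwaway server entry; the token travels over stdin only.
  "$JF_BIN" c add "$server_id" --interactive=false --url="$url" --access-token-stdin

  # Step 2: export the image to a tarball, as suggested in the comment above.
  rc=0
  "$DOCKER_BIN" save -o "$tar_path" "$image" || rc=$?

  # Step 3: scan the tarball against the throwaway entry.
  if [ "$rc" -eq 0 ]; then
    "$JF_BIN" scan --server-id="$server_id" "$tar_path" || rc=$?
  fi

  # Step 4: always clean up, even when the scan failed, so nothing reusable
  # by another team stays on the build machine.
  "$JF_BIN" c remove "$server_id" --quiet || true
  rm -f "$tar_path"
  return "$rc"
}
```

From a CI job this is run as `printf '%s\n' "$TOKEN" | scan_image https://myplatform.jfrog.io myorg/app:1.0`; the token only ever crosses the pipe, and after the function returns there is no server configuration left for another team on the same machine to pick up.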

Mandy4242 commented 1 year ago

jf c add will store the credentials on the build machine, but we don't want to store credentials on the build machine. Multiple teams will be using the build machine. We cannot share the credentials between the teams, so we are asking you to provide a --access-token-stdin flag for the jf docker scan command.