Hi all,

my company is running Docker Desktop 4.13 with a full-paid Docker business subscription. We also have a XRay server and now want to work with this cool extensions here :)

What I have done now:

1. I created an Identity Token with my XRay account
   

2. I provided the XRay server URL together with this identity token for the initial setup. I am receiving following response:
   

3. Meanwhile I have pulled some Docker images

4. I want to scan some of these local images and always received following 401 error response
   

Could you help me with this issue. I am not sure where to find logs etc.

Execute all JFrog CLI commands in the extension with the following environment variable:
CI=true
Make sure to add it to all JFrog CLI calls for Windows and Unix.

I have installed this extenstion, but when I click on it to use it, the screen appears blank:

I have tried restarting Docker, restarting my computer. Still pops up blank.

I am on Docker version v4.19.0

Any help is greatly appreciated, thank you!

After canceling a scan or a setup process, it'll be best to close the CLI processes.
That's how to do it:
https://docs.docker.com/desktop/extensions-sdk/dev/api/reference/interfaces/ExecProcess/

In some places in the extension, unclear errors are thrown from other libraries, and they are passed to the user:

1. When filling a password with non-Latin characters (i.e. Hebrew letters) the error below is thrown:

error while login:InvalidCharacterError: Failed to execute 'btoa' on 'Window': The string to be encoded contains characters outside of the Latin1 range.

Containing non-Latin characters should not be allowed, but the error is not clear and is a little intimidating.

2. When there's no internet connection and trying to log in.

These errors are unclear and also a little intimidating.
They'd better be replaced.

The Docker Desktop JFrog Extension does not work properly on Windows 10 machines. Image scans seem to be missing most or all vulnerabilities.

This problem can be demonstrated by Scanning the nginx:1.23.1 image, which is publicly available from DockerHub.

Using Artifactory 7.41.6 and Xray 3.52.4, when we scan the image nginx:1.23.1 using the "All Vulnerabilities" scanning policy, we get the following scan results.

The count of "critical" "high" "medium" and "low" vulnerabilities matches the counts when we generate a report for each severity level for this specific image (note in the screenshot above, the count by severity is organized from top to bottom critical to low while in the screenshot below the count is organized top to bottom low to critical).

When scanning from Windows 10 with the same settings, however, there are no vulnerabilities found at all.

I tried using the "Watches" scanning policy instead, however this resulted in the Image scan simply failing.

When i try to login to the jfrog extension on Docker Desktop i get the message 'C:\User{username} is not recognised as an internal or external command, operable program or batch file'. This happens whether i am using a basic using my username and password for Jfrog or when i obtain an access token from JFrog and use the access token. Is there a bug in the extension? or is it something i am doing wrong

Add the option to export the scan results into a file (i.e. CSV).

Validate if the watches or project filled by the user is valid and exists when he saves the settings.
It'll be even better to add auto-complete to these fields.

We need to add UT to the API functions, and maybe also in other places in our code.

I am able to run jf docker scan on command line, docker desktop seems to run fine as I'm able to run many other containers, etc.

However, using Docker Desktop with JFrog extension I am getting the following error:

09:37:38 [Error] failed running command ... with error: exec: "docker": executable file not found in $PATH

Yet, docker runs on my command line find and the path to it is included in my $PATH variable.

macOS Ventura 13.3.1
Apple M2 Max
Docker Desktop v4.19.0
JFrog extension v1.2.1
Xray Version: 3.73.5
CLI Version: 2.25.1

1. We need to let the user know, after he finishes the setup process, that he needs to confirm his email address, otherwise his environment will be closed.
   If there's an API that can let us know if the user didn't do so already, it'd be best to add a notice for him about that when he enters the extension.

2. When the user is at the "Completing the setup" stage, the "Back" button should be disabled.

When I scan an image using JFrog Xray Scan in Docker Desktop I get these error banners:

When checking the logs I have this:

11:05:49 [Info] Creating image archive...
11:05:49 [Error] failed running command: 'docker save bridgecrew/checkov:latest -o /var/folders/1z/18hkqblx4gj8cw08xkpnfw180000gq/T/jfrog.cli.temp.-1684631149-3754232923/image.tar' with error: exec: "docker": executable file not found in $PATH - 

The output of

which -a docker
# Output
/usr/local/bin/docker

I'm using
OS: MacOS Ventura 13.3.1

From JFrog Docker extension settings
Xray: 3.73.8
CLI: 2.25.1

On the settings page, if the user changes the URL or username and leaves the password and access token empty then these changes are ignored with no error.
We need to allow editing the URL and username without entering the password or access token.

Instead of popping an alert in case of scan error, use Docker Desktop API to show an error notification.
Read more here: https://docs.docker.com/desktop/extensions-sdk/dev/api/dashboard/
This API is already used in the settings and welcome pages.
It's highly recommended to do this issue after resolving issue #56, because showing the current log errors in a notification will look even worse than it looks now.

Save the logs of the extension to a file in a logs directory inside the .jfrog-docker-desktop-extension directory.
The JFrog CLI logs need to be included in these logs (they're not saved now at all, because it's not executed in a terminal).

Add an about page with the current version of Xray and JFrog CLI.
This page can also include links to the logs directory and to our GitHub repository.

getting the following when using this extension with my docker desktop:

13:41:33 [Error] failed running command: 'docker save hopeful3:latest -o /var/folders/d_/vn18_5mn0wzdw0x4c1cp2sqm0000gn/T/jfrog.cli.temp.-1694457692-1934035051/image.tar' with error: exec: "docker": executable file not found in $PATH -

Not sure what is going on here, but it would be REALLY NICE if you had an override in the extension which would let you set the path for docker. As it stands,I spent two hours trying to figure out how to work around this without luck.

• Fill the password and access token fields in the settings page with asterisks or add a placeholder so that they won't look empty.
• Add a placeholder to the URL field in the settings and welcome pages. The placeholder will contain an example of a URL, like "https://acme.jfrog.io". Such a thing exists in the IDEA plugin.
• Allow pressing enter to log in, at the welcome page.
• Add an explanation about the scanning policies on the settings page (maybe add an "i" button).
• If JFrog CLI is installed on the machine and its configurations are imported to the extension, show a notification about that.
• After clicking the save/login button, disable all controllers on the page.
• Add a "Test connection" button on the settings page.

• The look of the spinner while the scanning is in progress, makes it feel like the user can run multiple scans in parallel. The user also gets the feeling that the process might be stuck. Adding a progress bar (not necessarily an accurate one) or showing the current stage in the scanning process was suggested.
• Show more than one impact path in each vulnerability (if exist). In Xray UI, there's a drop-down list of the impact paths to choose which of them to view.
• Show JFrog Research information. We already get it from Xray, but we need to add it to the results' view.
• Add a header below the "JFrog Xray" title. It's meant to help users understand what the extension does. It can be found in other extensions too.
• Avoid clearing the results when moving from the scan page to another page and then returning to the scan page. Users don't always expect that, and then they need to run the scan again.

We need to add a CI/CD process that'll run the tests, and build and push new versions automatically.

When importing credentials from the host's JFrog CLI (on the extension's first run), the extension doesn't validate the credentials and doesn't check if it has sufficient permissions.
It might cause some users, who don't have permissions for running scans, to skip the welcome page and get an error only after running their first scan.

I cannot use this useful Extension in our company network as it fails to connect to our cloud instance of X-Ray. As I cannot configure a proxy server within the settings of this extension, there seems to be no way to get it running behind an internet proxy.

Add a video or an animated overview of the extension's features on the first run of the extension.