@@ -163,61 +163,63 @@ attestations using `regctl`. You must [install
1631631 . Set environment variables for your specific environment. Replace the
164164 placeholders with your actual values.
165165
166+ In this example, you use a Docker username to represent a member of the Docker
167+ Hub organization that the DHI repositories are mirrored in. Prepare a
168+ [ personal access token (PAT)] ( ../../security/access-tokens.md ) for the user
169+ with ` read only ` access. Alternatively, you can use an organization namespace and
170+ an [ organization access token
171+ (OAT)] ( ../../enterprise/security/access-tokens.md ) to sign in to Docker Hub, but OATs
172+ are not yet supported for ` registry.scout.docker.com ` .
173+
166174 ``` console
167175 $ export DOCKER_USERNAME="YOUR_DOCKER_USERNAME"
168176 $ export DOCKER_PAT="YOUR_DOCKER_PAT"
177+ $ export DOCKER_ORG="YOUR_DOCKER_ORG"
169178 $ export DEST_REG="registry.example.com"
170179 $ export DEST_REPO="mirror/dhi-python"
171- $ export SRC_REPO="docker.io/<your-org>/dhi-python"
172- $ export SRC_TAG="3.13-alpine3.21"
180+ $ export DEST_REG_USERNAME="YOUR_DESTINATION_REGISTRY_USERNAME"
181+ $ export DEST_REG_TOKEN="YOUR_DESTINATION_REGISTRY_TOKEN"
182+ $ export SRC_REPO="docker.io/${DOCKER_ORG}/dhi-python"
183+ $ export SRC_ATT_REPO="registry.scout.docker.com/${DOCKER_ORG}/dhi-python"
184+ $ export TAG="3.13-alpine3.21"
173185 ```
174186
1751872 . Sign in via ` regctl ` to Docker Hub, the Scout registry that contains
176188 the attestations, and your destination registry.
177189
178190 ``` console
179- $ regctl registry login -u "$DOCKER_USERNAME" --pass-stdin docker.io
180- $ regctl registry login -u "$DOCKER_USERNAME" --pass-stdin registry.scout.docker.com
181- $ regctl registry login "$ DEST_REG
191+ $ echo $DOCKER_PAT | regctl registry login -u "$DOCKER_USERNAME" --pass-stdin docker.io
192+ $ echo $DOCKER_PAT | regctl registry login -u "$DOCKER_USERNAME" --pass-stdin registry.scout.docker.com
193+ $ echo $DEST_REG_TOKEN | regctl registry login -u "$DEST_REG_USERNAME" --pass-stdin "$ DEST_REG"
182194 ```
183195
184- 3 . Mirror the image by digest from Docker Hub to your destination registry.
185-
186- First, get a digest for a specific tag and platform. For example, ` linux/amd64 ` .
196+ 3 . Mirror the image and attestations using ` --referrers ` and referrer endpoints:
187197
188198 ``` console
189- DIGEST="$(regctl manifest head "${SRC_REPO}:${SRC_TAG}" --platform linux/amd64)"
199+ $ regctl image copy \
200+ "${SRC_REPO}:${TAG}" \
201+ "${DEST_REG}/${DEST_REPO}:${TAG}" \
202+ --referrers \
203+ --referrers-src "${SRC_ATT_REPO}" \
204+ --referrers-tgt "${DEST_REG}/${DEST_REPO}" \
205+ --force-recursive
190206 ```
191207
192- Then, copy the image by digest to ensure you get the exact same image.
193-
194- ``` console
195- regctl image copy \
196- "${SRC_REPO}@${DIGEST}" \
197- "${DEST_REG}/${DEST_REPO}@${DIGEST}"
198- ```
208+ 4 . Verify that artifacts were preserved.
199209
200- 4 . Mirror the attestations from the Scout registry to your target registry using
201- ` --referrers ` and referrer endpoints:
210+ First, get a digest for a specific tag and platform. For example, ` linux/amd64 ` .
202211
203212 ``` console
204- $ regctl image copy \
205- --referrers \
206- --referrers-src "registry.scout.docker.com/<your-org>/dhi-python" \
207- --referrers-tgt "${DEST_REG}/${DEST_REPO}" \
208- "registry.scout.docker.com/<your-org>/dhi-python@${DIGEST}" \
209- "${DEST_REG}/${DEST_REPO}@${DIGEST}"
213+ DIGEST="$(regctl manifest head "${DEST_REG}/${DEST_REPO}:${TAG}" --platform linux/amd64)"
210214 ```
211215
212- 5 . Verify that artifacts were preserved.
213-
214216 List attached artifacts (SBOM, provenance, VEX, vulnerability reports).
215217
216218 ``` console
217219 $ regctl artifact list "${DEST_REG}/${DEST_REPO}@${DIGEST}"
218220 ```
219221
220- If you use Docker Scout:
222+ Or, list attached artifacts with ` docker scout ` .
221223
222224 ``` console
223225 $ docker scout attest list "registry://${DEST_REG}/${DEST_REPO}@${DIGEST}"
0 commit comments