Add JFrog Artifactory and Sonatype Nexus integrations documentation (#1970)

tdruez · web-flow · commit 0da9b4e21028 · 2025-12-01T08:54:31.000+04:00
* Add JFrog Artifactory integration documentation

Signed-off-by: tdruez &lt;tdruez@aboutcode.org&gt;

* Add Sonatype Nexus integration documentation

Signed-off-by: tdruez &lt;tdruez@aboutcode.org&gt;

---------

Signed-off-by: tdruez &lt;tdruez@aboutcode.org&gt;
diff --git a/docs/faq.rst b/docs/faq.rst
@@ -117,6 +117,13 @@ ScanCode.io supports **multiple input types** for your projects:
 - **Git Repository**: Clone a Git repository using its HTTPS URL.
   See :ref:`inputs_git_repository`.
 
+- **JFrog Artifactory**: Fetch artifacts from on-premise or cloud Artifactory
+  repositories.
+  See :ref:`inputs_artifactory`.
+
+- **Sonatype Nexus**: Fetch artifacts from Nexus Repository Manager instances.
+  See :ref:`inputs_nexus`.
+
 For complete details on all input methods, refer to the :ref:`inputs` documentation.
 
 What is the difference between scan_codebase and scan_single_package pipelines?
diff --git a/docs/inputs.rst b/docs/inputs.rst
@@ -220,3 +220,76 @@ for details on:
 - :ref:`HTTP request headers <scancodeio_settings_fetch_headers>` (e.g., for GitHub tokens)
 - :ref:`.netrc file <scancodeio_settings_netrc_location>`
 - :ref:`Docker private registries <scancodeio_settings_skopeo_credentials>`
+
+.. _inputs_artifactory:
+
+JFrog Artifactory
+-----------------
+
+ScanCode.io can fetch artifacts from **JFrog Artifactory** repositories using
+standard download URLs.
+
+The URL format follows Artifactory's REST API pattern::
+
+    https://<artifactory-host>/artifactory/<repo-key>/<artifact-path>
+
+Example::
+
+    https://mycompany.jfrog.io/artifactory/libs-release/org/apache/commons/commons-lang3/3.12.0/commons-lang3-3.12.0.jar
+
+For **authentication**, configure credentials in your ``.env`` file using one of
+these methods:
+
+Using Basic Authentication::
+
+    SCANCODEIO_FETCH_BASIC_AUTH="mycompany.jfrog.io=username,password"
+
+Using API Key (via headers)::
+
+    SCANCODEIO_FETCH_HEADERS="mycompany.jfrog.io=X-JFrog-Art-Api=<YOUR_API_KEY>"
+
+Using Access Token::
+
+    SCANCODEIO_FETCH_HEADERS="mycompany.jfrog.io=Authorization=Bearer <YOUR_TOKEN>"
+
+.. tip::
+    You can also use a :ref:`.netrc file <scancodeio_settings_netrc_location>` for
+    authentication if your organization already maintains one.
+
+.. _inputs_nexus:
+
+Sonatype Nexus
+--------------
+
+ScanCode.io can fetch artifacts from **Sonatype Nexus Repository** (versions 2 and 3)
+using standard download URLs.
+
+For **Nexus 3**, the URL format follows the repository path pattern::
+
+    https://<nexus-host>/repository/<repo-name>/<path-to-artifact>
+
+Example for a Maven artifact::
+
+    https://nexus.mycompany.com/repository/maven-central/ch/qos/logback/logback-core/1.4.0/logback-core-1.4.0.jar
+
+Example for a PyPI package::
+
+    https://nexus.mycompany.com/repository/pypi-proxy/packages/urllib3/1.26.7/urllib3-1.26.7-py2.py3-none-any.whl
+
+Example for an npm package::
+
+    https://nexus.mycompany.com/repository/npm-proxy/redis/-/redis-2.8.0.tgz
+
+For **authentication**, configure credentials in your ``.env`` file:
+
+Using Basic Authentication::
+
+    SCANCODEIO_FETCH_BASIC_AUTH="nexus.mycompany.com=username,password"
+
+Using a Bearer Token::
+
+    SCANCODEIO_FETCH_HEADERS="nexus.mycompany.com=Authorization=Bearer <YOUR_TOKEN>"
+
+.. tip::
+    You can also use a :ref:`.netrc file <scancodeio_settings_netrc_location>` for
+    authentication if your organization already maintains one.
