RunReveal
SourcesSource Types

Docker Hub Audit Log Ingestion via API Polling

This guide explains how to configure RunReveal to poll Docker Hub audit log events (e.g., repository tag pushes, organization member changes, SSO configuration, team management, billing updates) using the Docker Hub API.

Prerequisites

  • Docker Business or Team subscription Audit logs are available on Docker Team and Business plans.
  • Docker Hub Personal Access Token (PAT) A PAT with sufficient permissions to read audit logs for your organization.
  • RunReveal account with permissions to add sources (admin/editor)

Step 1: Create a Docker Hub Personal Access Token

  1. Log in to Docker Hub
  2. Navigate to Account Settings > Personal access tokens
  3. Click Generate new token
  4. Give it a descriptive name (e.g., "RunReveal Audit Logs")
  5. Select Read-only access scope
  6. Click Generate and copy the token immediately

Copy the token immediately after creation. It will not be shown again.

Step 2: Find Your Organization Name

Your organization name is the namespace used in Docker Hub. You can find it by:

  1. Log in to Docker Hub
  2. Navigate to Organizations
  3. Your organization name is displayed in the URL and organization list (e.g., mycompany)

You can verify your organization name and audit log access with:

# First, get a bearer token
TOKEN=$(curl -s https://hub.docker.com/v2/auth/token \
  -H 'Content-Type: application/json' \
  -d '{"identifier":"YOUR_USERNAME","secret":"YOUR_PAT"}' \
  | jq -r '.access_token')
 
# Then query audit logs
curl -s "https://hub.docker.com/v2/auditlogs/YOUR_ORG_NAME?page_size=5" \
  -H "Authorization: Bearer $TOKEN" | jq .

Step 3: Create Docker Hub Source in RunReveal

  1. Navigate to Sources in RunReveal
  2. Look for the Docker Hub source tile
  3. Provide a descriptive Source Name (e.g., "Docker Hub Audit Logs")
  4. Enter your Organization name
  5. Enter your Username and Personal Access Token
  6. Save the source

Step 4: Validate Data Collection

  1. Return to RunReveal and open your Docker Hub source page
  2. Confirm that events are being collected (initial polling may take up to 5 minutes)
  3. Search in Explorer or use Native AI Chat to inspect recent Docker Hub audit events

RunReveal polls for new Docker Hub audit events every 5 minutes. Docker Hub retains audit log data for 90 days.

Event Types

Docker Hub audit logs capture a wide range of events across several categories:

  • Repository events: tag pushes, repository creation/deletion, visibility changes
  • Organization events: member add/remove, role changes, team management, settings updates
  • Billing events: plan upgrades/downgrades, seat changes, billing cycle updates
  • SSO/Enterprise events: SSO connection create/update/delete, SCIM configuration, domain management
  • Access token events: token creation, updates, deletion for org and personal tokens
  • Registry Access Management: enabling/disabling registry access, adding/removing registries

Previous

DNSFilter

Next

Dope Security

On this page