Scarf FAQ | Common Questions About Scarf and Usage Analytics for Open Source

First, create an account on Scarf, if you haven’t already done so. Once you’ve registered, you’ll be prompted to create a new package. If you’re already using Scarf, you’ll be able to click “New Package” in the navigation bar. Scarf gateway currently supports two package types: Docker, and Files.

Hosting packages on your custom domain via Scarf has no impact on your existing users; your domain adds a new path for users to download your package. You can encourage end-users to switch their pull commands over to your new domain, but they can continue pulling directly from your registry provider with no negative impact.

Should you decide to switch registries later on, current users will have to update their pull commands to either your custom domain or to the new registry URL. If they go straight to the registry, they would need to update every time you decide to switch registries. If they use your custom domain, they will never need to update it again.

Generally, no. Your package continues to be hosted on your current registry. Scarf Gateway is simply a thin layer on top. Since the gateway acts as a static entry point to your containers, you will always have the freedom to host your container on any registry you choose.

For enterprise customers, Scarf Gateway can cache your artifacts to improve global performance and even keep your artifacts online in the event of an outage from your origin hosting provider. Contact sales@scarf.sh to learn more.

No. Scarf Gateway does not store any personally identifiable information.

Scarf looks up IP address metadata, but the raw IP addresses are discarded and never exposed. IP metadata may contain:

• Coarse-grained location
• Company information, cloud providers, etc.

Additionally, Scarf sees metadata about the client and artifacts being downloaded such as:

• Container tags/versions
• Client container runtime information
• Basic device/OS information

Scarf Gateway is one of several tools that comprise our Platform. Scarf Gateway is an open source proxy & redirect server that sits in front of traffic to your artifacts, API endpoints, telemetry, and beyond. Our platform offers a fully managed Scarf Gateway service that includes globally distributed infrastructure with redundancy, strong data privacy guarantees, SOC2-grade security, and a robust analytics engine to drive insights from the traffic to your assets.

Scarf Gateway is free to use! To gain access to additional features like our developer API, raw data export, integrations, availability & support SLA's contact our sales team.

Scarf Gateway is managed by the Scarf team. We plan an open-source release of the Gateway for self-hosting when it's out of beta and into general availability.

First results for your data on new packages can 1-2 days, currently. Analytics are processed asynchronously, so if your download through Scarf Gateway ran successfully, your data will get processed. While our system usually delivers data to your dashboard with a lag of about 30-60 minutes, we have recently been experiencing traffic spikes that are requiring further optimizations in our data pipeline. We aim for same-hour data delivery.

We’d love your input to help us prioritize support for additional package types. Java, Apt, RPM, and others are planned.

You copy an <img> tag from Scarf into your project’s README, docs, or any other web property, and any time a user loads the image from us, Scarf will look up any business metadata associated with the address and surface that information to you (and only you) via your free Scarf account. Scarf does not store the IP address itself, so no personally identifying information is collected.

Head to your Scarf dashboard and locate the Documentation Insights Management section. Give your pixel(s) a name, and optionally attach it to a package you manage on Scarf. Click the "copy" button to copy the <img> tag to your clipboard, and then paste the tag into your project's README, docs, and any other web properties where you want to gather insights into who is using your documentation pages.

First step: Sign up for a free Scarf account to create a package entry on Scarf. Select "npm" as your package type. Once created, add a dependency on this library to your own:

Once your library is published to npm with this change, Scarf will automatically collect stats on install, with no additional code is required. You’ll find package analytics displayed on your Scarf dashboard.

• Data insights about your user base
• A view into which companies and organizations are using your package
• Insights into the growth of your project, including information about locales and platforms where users are active.
• Information about which versions of your package are in use.

Scarf does not store any personally identifiable information (PII) from SDK telemetry data. Scarf collects information that’s helpful for:

• Package maintenance.
• Identifying which companies are using a particular package, in order to enable communication and support agreements between developers and commercial entities. Specifically, scarf-js sends:
• The operating system in use when the package is downloaded.
• The end user’s IP address is used to look up available company information. Scarf does not store the IP address.
• Limited dependency tree information. Scarf sends the name and version of the package(s) that directly depend on scarf-js.
• Additionally, scarf-js sends SHA256-hashed name and version for packages in the dependency tree that meet these requirements:
• It depends on a package that depends on scarf-js.
• Scarf also shares the root package of the dependency tree. In this way, we provide maintainers with information about the public packages using their code, without exposing identifying details of non-public packages.

Our privacy-preserving telemetry provides data insights that enable maintainers to understand the needs of their end users, so we appreciate your opt-in. However, we understand that you may want to opt out for a variety of reasons, so we've built multiple ways to opt out. You can opt out via your configuration in your project's package.json or via environment variable. See our documentation for more details about how to opt out.

How does Scarf ensure the contact information generated from open-source software downloads are high-quality and relevant to the business if no personally identifiable information is used?

Scarf offers bespoke lead generation services that are tailored to the unique needs of your business. Scarf is able to use data including:

• The companies surfaced in your data and the organizations usage patterns
• Geographic information behind captured events
• Your ideal customer profile
• 3rd party firmographic information

to ensure generated contact is accurate and corresponds to high-intend leads.

Scarf can surface new companies as they start interacting with your OSS for the very first time. From the moment they first visit your landing page or docs, or download one of your artifacts, Scarf ensures the traffic can be captured, IP address and other request information enriched, and safely anonymized.

Scarf works with a variety of data partners to ensure we offer state-of-the-art IP → Company matching capabilities. This is able to detect when connections are tied to a company, whether they are at a corporate office or working from home. It notably is not effective at things like identifying if the activity was taking place for a work task vs a personal task, however, with enough data over time, Scarf will be able to show usage trends across the entire company, which can help smooth out anomalies like personal use on a corporate internet connection.

Scarf identifies users by enriching data from multiple sources. In some cases, we can go beyond the cloud provider (e.g., AWS) to provide more detail. For example, if the cloud IP is being used for a corporate VPN or other egress activity, our data sources might detect user activity. Additionally, some static IPs may be linked to specific organizations over time if their site is deployed on a cloud provider.

If we are unable to enrich the event beyond the cloud provider, we would mark it as a hosting service, such as endpoint_type=hosting and company=Amazon Web Services (or the relevant provider). No further company details would be available.

Scarf collects a wide variety of information including:

• Company or organization, whether it’s a business, hosting provider, school, government institution.
• Unique user counts across the organization
• Version
• Platform / host device
• Course location
• What page was visited
• Attribution
• Any custom fields you choose to explicitly track

All of this information can help businesses understand adoption at the individual organization level as well as aggregated across segments and the entire user base, which can drive decision making when it comes to strategy, positioning, or tactical prioritization of your pipeline.

Integrations with Scarf can take as little as 5 minutes or can be more involved depending on the nature of the integration. Typically, this can include any combination of the following:

• Embedding Scarf pixels in your documentation and web properties
• Putting your downloadable artificats behind Scarf Gateway, and updating install instructions, scripts, Docker Compose files, helm charts, etc to download artifacts through Scarf.
• Adding dependencies like scarf-js to your npm library to automatically add post-install telemetry
• Using Scarf’s web API to send events from your software or batch import events collected from elsewhere.

Scarf purges personally identifiable information immediately after metadata lookup, ensuring that no sensitive data is stored. Scarf is a GDPR-compliant data processor, and is currently undergoing SOC2 certification.

Yes! Take a look at our case studies.

See our pricing plans, and don’t hesitate to get in touch with us with any questions.

Support and SLAs are available on paid plans. We offer a 99.9% uptime SLA, as well as various levels of support, and up to 4-business-hour response times.