JFrog offers an end-to-end Docker security scanning solution covering the full lifecycle of your Docker images to manage development, vulnerability analysis, license compliance, artifact flow control, and distribution.
JFrog Xray has access to the wealth of metadata Artifactory stores. Combined with deep recursive scanning, it puts Xray in a unique position to analyze the relationships between the different layers in your Docker Image. It also provides radical transparency into your component architecture to reveal the impact that an issue in one component has on any other.
How does Xray scan your Docker images?
Xray runs a recursive scan of all of the layers in your container, validating all of the information from the manifest.json file located in JFrog Artifactory. Following this scan, you can see a list of any violations found in the Docker images.
Since Xray shows you all the Docker images that contain the infected artifact, you can instantly understand the impact that any vulnerable layer has on all Docker images in your system. For example, when analyzing a Docker image, if Xray finds that it contains a Java application it will also analyze all the .jar files used in this application.
But, Xray does not stop at your Docker image base layer. It recursively peels away the different layers and their dependencies ensuring that every software artifact that is included in your Docker image has been scanned for issues and vulnerabilities.
You can then proceed to drill down or zoom out within your entire components graph and identify the real impact of every violation found. This can help you reduce the cost, time, and risk of delivering changes by allowing for more incremental updates to applications in production.
Xray protects you from license violations
Get this! Your Operating System packages are also scanned. This is quite unique to Xray and crucial as this is where the majority of vulnerabilities and licensing issues are found.
Xray catches license changes introduced in releases by continuously scanning your entire dependency graph during your builds. If a license change occurs, you can set the CI pipeline promotion to fail and then decide upon the action to take.
Xray takes you a step further and lets you generate license compliance reports for all your software at a click of a button.
With all these advantages, why wouldn’t you try Xray? Plus, it’s now available in on the cloud for you to use in a pure Cloud model.
Try Xray today and see how it can protect you!