Docker Desktop Extension for JFrog Xray
Shift-Left DevSecOps for Container Images
Benefits of Integration
- Reveal security vulnerabilities in local Docker images
- Shift security left to catch vulnerabilities before deployment
- Seamless integration with Docker Desktop
- Rich user interface in Docker Desktop
- Deep recursive Xray scanning reveals vulnerabilities in every package the image contains
- Enriched remediation guidance from JFrog Security Research
- Connects to any JFrog Platform deployment, on-prem or cloud
- Supported with free JFrog cloud accounts as well as paid subscriptions
Overview
Securing your software supply chain requires proactively identifying security vulnerabilities early in the software development lifecycle. The JFrog Xray extension for Docker Desktop enables developers to initiate a deep Xray scan for vulnerabilities on any local Docker image conveniently through the Docker Desktop dashboard.
Docker Desktop is the central console application used by developers to build and share containerized applications and microservices on their local workstations, as well as to access the vast library of certified images and templates in Docker Hub.
JFrog Xray is the universal software composition analysis (SCA) solution that identifies open source software vulnerabilities before they manifest in production, enabling swift remediation. By performing deep recursive scans on container images and the binaries they contain, Xray reveals vulnerabilities in all packages in the image, helping ensure that delivered software meets standards of quality and safety.
The JFrog Xray extension for Docker Desktop connects securely to any self-managed or managed (SaaS) JFrog Platform deployment. From the convenience of the Docker Desktop dashboard, a developer or security team member can initiate a scan by Xray on any local Docker image, and reveal every vulnerability, its source, and severity.
Integration Features
The JFrog Xray extension integrates seamlessly with Docker Desktop, providing its own control panel in the Docker Desktop dashboard. A developer can select any Docker image on the local workstation, and initiate an Xray security scan of that image.
Once complete, the results of the Xray scan are shown in Docker Desktop. These include a summary diagram and a listing of every vulnerability found, sorted by severity, along with the affected package and its version.
Users can examine each vulnerability further, viewing details that include:
- An impact graph
- Detailed description of the vulnerability
- Guidance from JFrog Security Research on how best to mitigate or remediate the issue
The JFrog Xray extension can be configured to securely connect to any JFrog Platform deployment, including a JFrog free cloud account.
Use Cases
- Shift Left Security – Developers can perform Xray scans of the Docker images they build, to discover and resolve security vulnerabilities at the earliest point in the development lifecycle, before they are shared or deployed.
- Open Source Curation – Security teams can download Docker images from Docker Hub or another registry to a local workstation and scan them with Xray for security review before approving them for use by developers.
- Security Audits – Security teams can perform on-demand spot checks of any Docker image as part of a security audit.