Using GitHub Actions pipelines, you can scan binaries for SCA issues, such as vulnerable dependencies, malicious packages, and license or operational risks, before uploading them to Artifactory, so that an artifact that fails the scan never reaches the repository. For Docker images, the JFrog Advanced Security scanners (Contextual Analysis and Secrets Detection) are also run. Scan summaries appear in the Job Summary, while detailed results are available in the GitHub Action logs and under the On-Demand Scanning section in the JFrog Platform.
Example Usage
```yaml
- name: Docker Build 🐳🐸
  run: |
    jf docker build . -t ${{ vars.JF_URL }}/${{ vars.DOCKER_REPO }}/${{ env.IMAGE_NAME }}:${{ github.run_number }}
- name: JFrog docker image scan 🐳🐸
  run: |
    jf docker scan ${{ vars.JF_URL }}/${{ vars.DOCKER_REPO }}/${{ env.IMAGE_NAME }}:${{ github.run_number }}
- name: Docker Push 🐳🐸
  run: |
    jf docker push ${{ vars.JF_URL }}/${{ vars.DOCKER_REPO }}/${{ env.IMAGE_NAME }}:${{ github.run_number }}
```
To learn more, refer to the Build Workflow.
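The three steps above only gate the push if the scan step actually fails the job. The complete workflow below is an added example (not from the original page or the JFrog project) showing how to wire that together: install and configure JFrog CLI, build, scan against an Xray watch so policy violations fail the step, and push only when the scan passed. It assumes the `JF_URL` repository variable holds the bare Artifactory host (as the page's image tag implies, so `https://` is prepended for `setup-jfrog-cli`), that `JF_ACCESS_TOKEN` is stored as a repository secret, and that `XRAY_WATCH` names an existing Xray watch; `my-service` is a placeholder image name.

```yaml
# Added example workflow (assumed variable names: JF_URL = bare host,
# DOCKER_REPO, XRAY_WATCH; secret: JF_ACCESS_TOKEN).
name: Build, scan and push image

on:
  push:
    branches: [main]

permissions:
  contents: read

env:
  IMAGE_NAME: my-service   # placeholder image name

jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Installs `jf` and configures the default server from JF_URL / JF_ACCESS_TOKEN.
      # setup-jfrog-cli needs a full URL, hence the https:// prefix on the bare host.
      - name: Setup JFrog CLI
        uses: jfrog/setup-jfrog-cli@v4
        env:
          JF_URL: https://${{ vars.JF_URL }}
          JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}

      - name: Docker Build
        run: |
          jf docker build . -t ${{ vars.JF_URL }}/${{ vars.DOCKER_REPO }}/${{ env.IMAGE_NAME }}:${{ github.run_number }}

      # Scan the local image before it is pushed. --watches ties the scan to an Xray
      # policy so violations make the command exit non-zero (--fail defaults to true);
      # --min-severity trims the report to what should block a release; --licenses
      # adds the license inventory to the output.
      - name: JFrog docker image scan
        run: |
          jf docker scan ${{ vars.JF_URL }}/${{ vars.DOCKER_REPO }}/${{ env.IMAGE_NAME }}:${{ github.run_number }} \
            --watches=${{ vars.XRAY_WATCH }} \
            --min-severity=High \
            --licenses

      # Reached only if the scan step succeeded, so an image that violates the
      # watch's policies is never uploaded to Artifactory.
      - name: Docker Push
        run: |
          jf docker push ${{ vars.JF_URL }}/${{ vars.DOCKER_REPO }}/${{ env.IMAGE_NAME }}:${{ github.run_number }}
```

Note that without `--watches` (or another way of selecting policies) the scan reports vulnerabilities but has no violations to fail on, so the push step would still run; the watch is what turns the scan into a release gate. The scan runs against the locally built image, so nothing has touched Artifactory before the verdict is known.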
On-Demand Scanning
To view On-Demand Scanning results, follow these steps:
1. From the Application Module, click Xray, and then click On-Demand Scanning.
2. From the On-Demand Scanning list, click the file you want to view.
To learn more, refer to On Demand Scanning documentation.