Frogbot 0.0.3

JFrog Pipelines Documentation


Frogbot is a Git bot that scans your pull requests and repositories for security vulnerabilities. It can scan pull requests when they are opened, and Git repositories after new commits are pushed. For more information on Frogbot, refer here.

Frogbot supports the following bot actions:

  • create-fix-pull-requests: Scan the current branch and create pull requests with fixes if needed

  • scan-pull-request: Scan a pull request with JFrog Xray for security vulnerabilities

  • scan-pull-requests: Scan multiple pull requests with JFrog Xray for security vulnerabilities

  • scan-and-fix-repos: Scan single or multiple repositories and create pull requests with fixes if any security vulnerabilities are found

How to use the Frogbot task

Add the following details to the step, along with the required integrations:

task: $res_frogbot_gitrepo_resourcePath
id: frogbot_test
input:
    # JFrog platform access token integration name
    platformAccessTokenIntegration: "jfrogPlatform"
    # name of the resource used in pipeline
    resourceName: "gh_frogbot"
    # action to be done by frogbot
    botAction: "create-fix-pull-requests"

Action to be Performed by Frogbot

The botAction input selects which of the following bot actions Frogbot performs:

- create-fix-pull-requests [Scan the current branch and create pull requests with fixes if needed.]
- scan-pull-request [Scans a pull request with JFrog Xray for security vulnerabilities.]
- scan-pull-requests [Scans multiple pull requests with JFrog Xray for security vulnerabilities.]
- scan-and-fix-repos [Scan single or multiple repositories and create pull requests with fixes if any security vulnerabilities are found.]

Example task definition:

- task: jfrog/frogbot@v0.1.0
  input:
    platformAccessTokenIntegration: "jfrogPlatform"
    resourceName: "gh_frogbot"
    botAction: "create-fix-pull-requests"

Integrations Used

The Frogbot task uses a JFrog Platform Access Token integration and a Git server integration (GitHub, Bitbucket, etc.). Refer here to learn more about integrations. Below is a sample JFrog Platform Access Token integration.

Frogbot Config

Frogbot reads its configuration from the ./frogbot/frogbot-config.yml file, which must be present in the repository. The file specifies the repository name, the branches to scan, and the commands required to install the dependencies used in your project; refer here for more details about the Frogbot config. Below is a sample frogbot-config.yml.

- params:
    git:
      repoName: {RepositoryName}
      branches:
        - {Branches to scan}
    scan:
      projects:
        # package install command for the project's package manager; mandatory only for npm, yarn and nuget projects
        - installCommand: {"npm i" | "yarn install" | "nuget restore"}
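As an added example (not from the original page or the Frogbot project), here is a complete pipelines.yml that wires the fragments above together: a GitRepo resource, the integrations the step needs, and the Frogbot task inside the step's execution block. The resource name gh_frogbot, the integration names jfrogPlatform and github_integration, and the repository path are assumed placeholders.

```yaml
# Added example (not from the original page): a full JFrog Pipelines definition
# that runs the Frogbot task on every new commit to the configured branch.
# Values marked ASSUMED are placeholders; replace them with your own names.
resources:
  - name: gh_frogbot                      # referenced by resourceName below
    type: GitRepo
    configuration:
      gitProvider: github_integration     # ASSUMED: your Git server integration
      path: my-org/my-repo                # ASSUMED: repository to scan
      branches:
        include: main                     # ASSUMED: branch that triggers the scan

pipelines:
  - name: frogbot_pipeline
    steps:
      - name: frogbot_scan
        type: Bash
        configuration:
          inputResources:
            - name: gh_frogbot            # new commits on the resource trigger this step
          integrations:
            - name: jfrogPlatform         # JFrog Platform Access Token integration
            - name: github_integration    # lets Frogbot open fix pull requests
        execution:
          onExecute:
            - task: jfrog/frogbot@v0.1.0
              input:
                platformAccessTokenIntegration: "jfrogPlatform"
                resourceName: "gh_frogbot"
                botAction: "create-fix-pull-requests"
```

The integration named in platformAccessTokenIntegration and the resource named in resourceName must both be declared in the step's configuration block, otherwise the task cannot reach the JFrog Platform or the repository checkout.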