Frogbot is a Git bot that scans your pull requests and repositories for security vulnerabilities. It can scan pull requests when they are opened, and scan Git repositories after new commits are pushed. For more information on Frogbot, refer here.
Frogbot supports the following bot actions:
- create-fix-pull-requests: Scan the current branch and create pull requests with fixes if needed.
- scan-pull-request: Scan a pull request with JFrog Xray for security vulnerabilities.
- scan-pull-requests: Scan multiple pull requests with JFrog Xray for security vulnerabilities.
- scan-and-fix-repos: Scan single or multiple repositories and create pull requests with fixes if any security vulnerabilities are found.
How to use the Frogbot task?
Add the following details to the step, together with the required integrations:

  task: $res_frogbot_gitrepo_resourcePath
  id: frogbot_test
  input:
    # JFrog Platform access token integration name
    platformAccessTokenIntegration: "jfrogPlatform"
    # name of the resource used in the pipeline
    resourceName: "gh_frogbot"
    # action to be performed by Frogbot
    botAction: "create-fix-pull-requests"
Action to be Performed by Frogbot
The botAction input selects one of the following bot actions:
- create-fix-pull-requests [Scan the current branch and create pull requests with fixes if needed.]
- scan-pull-request [Scan a pull request with JFrog Xray for security vulnerabilities.]
- scan-pull-requests [Scan multiple pull requests with JFrog Xray for security vulnerabilities.]
- scan-and-fix-repos [Scan single or multiple repositories and create pull requests with fixes if any security vulnerabilities are found.]

  - task: jfrog/frogbot@v0.1.0
    input:
      platformAccessTokenIntegration: "jfrogPlatform"
      resourceName: "gh_frogbot"
      botAction: "create-fix-pull-requests"
Integrations Used
The Frogbot task uses a JFrog Platform Access Token integration and a Git server integration such as GitHub or Bitbucket. Refer to the integrations section here to learn more about integrations. Below is the sample JFrog Platform Access Token integration.
Frogbot Config
Frogbot expects a ./frogbot/frogbot-config.yml file to be present in the repository. From it Frogbot reads the repository name, the branches to scan, and the commands needed to fetch the dependencies used in your project. Refer here for more details about the Frogbot config. Below is a sample frogbot-config.yml.

  - params:
      git:
        repoName: {RepositoryName}
        branches:
          - {Branches to scan}
      scan:
        projects:
          # dependency install command; mandatory only for npm, yarn and NuGet projects
          - installCommand: {"npm i" | "yarn install" | "nuget restore"}
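A pre-flight check for the two pieces of configuration described above, added here as an example and not part of the Frogbot project: it validates the botAction value against the four supported actions and checks an already-parsed frogbot-config.yml for git.repoName, git.branches and the rule that installCommand is mandatory only for npm, yarn and NuGet projects. The manifest filenames used to detect the package manager, and the sample config and file list, are assumptions constructed for this example.

```python
# Added example: validate Frogbot pipeline inputs before the step runs.
# The config is passed as a dict/list produced by any YAML parser.

VALID_BOT_ACTIONS = {
    "create-fix-pull-requests",
    "scan-pull-request",
    "scan-pull-requests",
    "scan-and-fix-repos",
}

# Assumed manifest -> package manager mapping; only these managers need installCommand.
MANIFEST_TO_MANAGER = {
    "package-lock.json": "npm",
    "yarn.lock": "yarn",
    "packages.config": "nuget",
}


def validate_bot_action(bot_action):
    """True when botAction is one of the actions the Frogbot task supports."""
    return bot_action in VALID_BOT_ACTIONS


def needs_install_command(project_files):
    """Return the package manager that requires installCommand, or None."""
    for name in project_files:
        if name in MANIFEST_TO_MANAGER:
            return MANIFEST_TO_MANAGER[name]
        if name.endswith((".csproj", ".sln")):
            return "nuget"
    return None


def validate_frogbot_config(config, project_files):
    """Return a list of problems found in the parsed config; empty means it passes."""
    problems = []
    entries = config if isinstance(config, list) else [config]
    manager = needs_install_command(project_files)
    for i, entry in enumerate(entries):
        params = entry.get("params", {})
        git = params.get("git", {})
        if not git.get("repoName"):
            problems.append(f"entry {i}: git.repoName is missing")
        if not git.get("branches"):
            problems.append(f"entry {i}: git.branches must list at least one branch")
        projects = params.get("scan", {}).get("projects") or []
        for j, project in enumerate(projects):
            if manager and not project.get("installCommand"):
                problems.append(f"entry {i} project {j}: installCommand is mandatory for {manager} projects")
    return problems


# Constructed sample mirroring the page's frogbot-config.yml, with installCommand omitted.
SAMPLE_CONFIG = [{"params": {"git": {"repoName": "example-repo", "branches": ["main"]},
                             "scan": {"projects": [{}]}}}]
SAMPLE_FILES = ["package.json", "package-lock.json", "src/index.js"]
```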