Frogbot is a Git bot that scans your pull requests and repositories for security vulnerabilities. It can scan pull requests when they are opened, and Git repositories after new commits are pushed. This task lets you embed Frogbot in your Pipelines steps. See the Frogbot documentation for more information about Frogbot.

Frogbot supports the following bot actions:

- `create-fix-pull-requests`: Scan the current branch and create pull requests with fixes if needed
- `scan-pull-request`: Scan a pull request with JFrog Xray for security vulnerabilities
- `scan-pull-requests`: Scan multiple pull requests with JFrog Xray for security vulnerabilities
- `scan-and-fix-repos`: Scan one or more repositories and create pull requests with fixes if any security vulnerabilities are found
Prerequisites
The Frogbot task uses a JFrog Platform Access Token integration and a Git server integration (GitHub, Bitbucket, etc.). Refer to the integrations section to learn more about integrations.
Usage
Basic:

```yaml
- task: jfrog/frogbot@v0.1.0
  input:
    platformAccessTokenIntegration: "jfrogPlatform"
    resourceName: "gh_frogbot"
    botAction: "create-fix-pull-requests"
```
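A complete pipeline definition that embeds the task, shown here as an added example rather than code from the task's own documentation. The JFrog Pipelines layout (`resources`, `pipelines`, `steps`, a `Bash` step with `inputResources`), the GitRepo resource fields, and the names `myGithub`, `gh_frogbot` and `jfrogPlatform` are assumptions; check them against the Pipelines version you run. The point of the layout is that neither the Git credentials nor the JFrog access token appear in the YAML: the step only names the integrations, and the Git resource limits the scan to the branches you list.

```yaml
# Added example (not from the Frogbot project): a JFrog Pipelines pipeline
# that runs the Frogbot task against one Git repository.
# Assumed names: myGithub (Git server integration), gh_frogbot (GitRepo
# resource), jfrogPlatform (JFrog Platform access token integration).
resources:
  - name: gh_frogbot
    type: GitRepo
    configuration:
      gitProvider: myGithub          # Git server integration; holds the Git credentials
      path: my-org/my-repo           # assumed repository path
      branches:
        include: ^main$              # only the branch Frogbot should scan

pipelines:
  - name: frogbot_pipeline
    steps:
      - name: frogbot_fix_prs
        type: Bash
        configuration:
          inputResources:
            - name: gh_frogbot       # the resource passed to the task as resourceName
        execution:
          onExecute:
            # The task reads the token from the named integration, so no
            # secret is written into this file or into the build log.
            - task: jfrog/frogbot@v0.1.0
              input:
                platformAccessTokenIntegration: "jfrogPlatform"
                resourceName: "gh_frogbot"
                botAction: "create-fix-pull-requests"
```

Keep the token integration scoped to the JFrog project that owns the Xray policies for this repository, and list only the branches you actually want Frogbot to open fix pull requests against.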
Input Variables
Name | Required | Default | Description |
---|---|---|---|
platformAccessTokenIntegration | true | | Name of the JFrog Platform access token integration. |
resourceName | true | | Resource name to be scanned by Frogbot. |
botAction | true | | Action to be performed by Frogbot (one of the bot actions listed above). |
Output Variables
None
Exported Environment Variables
None
How does it work?
This task downloads the Frogbot binary from the official release source and runs the specified action at the root of the resource.
Frogbot reads its configuration from a `./frogbot/frogbot-config.yml` file, which must be present in the resource. The file lists the repository name, the branches to scan and, per project, the install command needed to fetch the dependencies your project uses. Refer to the Frogbot configuration documentation for more details. Below is a sample `frogbot-config.yml`.

```yaml
- params:
    git:
      repoName: {RepositoryName}
      branches:
        - {Branches to scan}
    scan:
      projects:
        # dependency install command; mandatory only for npm, yarn and nuget projects
        - installCommand: {"npm i" | "yarn install" | "nuget restore"}
```
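A configuration for a repository that holds more than one project, added here as an example that is not part of the page or of the Frogbot project. The `jfrogPlatform`, `failOnSecurityIssues`, `includeAllVulnerabilities`, `workingDirs` and `pipRequirementsFile` keys, and the values under them, are assumptions about the Frogbot config schema; verify them against the Frogbot version the task downloads before relying on them.

```yaml
# Added example (not from the Frogbot project): ./frogbot/frogbot-config.yml
# for a repository containing an npm project and a Python project.
# Assumed keys: jfrogPlatform, failOnSecurityIssues, includeAllVulnerabilities,
# workingDirs, pipRequirementsFile; assumed values: my-repo, main, my-project, repo-watch.
- params:
    git:
      repoName: my-repo              # assumed repository name
      branches:
        - main                       # scan only the default branch
    jfrogPlatform:
      jfrogProjectKey: my-project    # assumed: scope Xray policies to one project
      watches:
        - repo-watch                 # assumed: the Xray watch that defines the policy
    scan:
      failOnSecurityIssues: true     # assumed: fail the step when issues are found
      includeAllVulnerabilities: false  # assumed: only report policy violations
      projects:
        # npm project: Frogbot needs the dependencies installed to build the tree
        - workingDirs:
            - frontend
          installCommand: npm i
        # Python project: resolved from the requirements file instead of an install step
        - workingDirs:
            - service
          pipRequirementsFile: requirements.txt
```

Pinning the scan to named watches and a project key keeps the policy that decides pass or fail in Xray, where it is reviewed, rather than in the repository that is being scanned.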
License
This project is licensed under Apache 2.0 license.