Subscription Information
This feature is supported on the Cloud (SaaS) platform with an Enterprise X or Enterprise+ license, and on the Self-Hosted platform with a Pro X, Enterprise X, or Enterprise+ license.
JFrog Xray is a universal software composition analysis (SCA) solution that natively integrates with Artifactory, giving developers and DevSecOps teams an easy way to proactively identify vulnerabilities in open source components and license compliance violations before they manifest in production releases.
Xray currently supports the following package formats, with new formats added regularly.
Package | Extensions | Description |
---|---|---|
Go | None | Xray scans and indexes your Go Registries, Go Modules and Go packages including recursive analysis, component graph integration and providing detailed metadata information. |
Conda | conda | Xray scans Conda packages that contain Python packages and their dependencies for security vulnerabilities, license compliance and operational risk. |
PHP | All archive types | Xray recursively scans your PHP Composer packages in your registries, Zip files or Docker/OCI Containers whether they are local or remote. Xray also checks for any dependencies in your PHP builds. |
Maven | jar,war,ear,nupkg,sar,har,hpi,cpa,jpi, all archive types | Scan your Maven project dependencies using Xray and view vulnerabilities directly from within the IntelliJ IDE, with the JFrog IntelliJ Maven Plugin. |
Bower | All archive types | Xray scans your Bower packages and performs impact analysis to keep all components in your organization safe from any violations. |
Gradle | jar,war,ear,nupkg,sar,har,hpi,cpa,jpi, all archive types | Recursively scan the different layers of your Gradle packages and their dependencies, and use Xray's component graph to display the impact of any detected issues on your services and applications. |
Ivy | jar,war,ear,nupkg,sar,har,hpi,cpa,jpi, all archive types | Xray scans your Ivy packages and performs impact analysis to keep all components in your organization safe from any violations. |
SBT | jar,war,ear,nupkg,sar,har,hpi,cpa,jpi, all archive types | Recursively scan your SBT packages and identify all components in your organization that are affected by a vulnerability, and monitor components for new issues and vulnerabilities that are detected. |
npm | All archive types | Xray identifies each JavaScript file within your npm packages and performs matching and analysis on each one to ensure that your npm application is safe to use. |
NuGet | nupkg, all archive types | Xray scans NuGet packages, recursively going through the layers of dependencies to discover issues and vulnerabilities at any depth. |
PyPI | whl,egg, all archive types | Xray recursively opens the different layers of your Python packages and their dependencies, discovering any issues and vulnerabilities that may affect your organization. |
Docker | Not identified by extension | Xray identifies every component contained within every layer of your Docker images. This includes identifying the packages deployed on the OS in the base image layer. |
OCI | Not identified by extension | Xray identifies every component contained within every layer of your OCI images. This includes identifying the packages deployed on the OS in the base image layer. Helm charts and WASM as OCI artifacts are not supported. |
Debian | deb | Xray identifies the Debian packages deployed on your Debian or Ubuntu OS that’s running on the base layer of your Docker or OCI containers. Each component is scanned for issues and vulnerabilities giving you maximum visibility into your software dependencies. |
RPM | rpm | Xray identifies the RPM packages deployed on your RedHat or CentOS OS that’s running on the base layer of your Docker or OCI containers. Each component is scanned for issues and vulnerabilities giving you maximum visibility into your software dependencies. |
RubyGems | gem | Xray provides transparency into your software architecture, recursively scanning RubyGems packages through all levels of dependency to discover issues and vulnerabilities. |
Alpine | apk | Xray scans and indexes your Alpine Repositories and Alpine Packages, including recursive analysis, component graph integration, and providing detailed metadata information. |
Conan | conanmanifest.txt | Xray scans Conan Packages and Conan Builds for issues and vulnerabilities. Xray identifies these issues in the |
Cargo | crate | Xray scans Rust Cargo packages. Xray supports SCA for Rust binary ELF files (compiled with cargo-auditable) providing their SBOM including licenses and vulnerabilities. When in Docker or OCI containers, Rust binaries can also be scanned for contextual analysis. |
CRAN | All archive types | Xray scans CRAN packages (R packages) to detect security vulnerabilities, ensure license compliance, and evaluate operational risks. |
Hugging Face ML | Not identified by extension | Xray supports SCA for Hugging Face ML models, detects their license, and flags models identified as malicious (shown as "Malicious Packages"). Malicious model detection covers the model formats that are susceptible to deserialization attacks: Keras H5, Paddle, PyTorch, Pickle, NumPy, JobLib, Dill, TensorFlow SavedModel, and Zip-based models (e.g., MLeap). |
Terraform state | Not identified by extension | Applicable only with JFrog Advanced Security. JFrog Advanced Security scans Terraform state in the Artifactory Terraform BE repository for Cloud services configuration issues (see JFrog Advanced Security: Exposure Scanning Categories). |
Chainguard Images | Not identified by extension | Xray supports Chainguard image scanning for SBOM and SCA. |
CycloneDX SBOM | cdx.json, cdx.xml | Xray scans CycloneDX SBOM files in JSON and XML formats. Once an SBOM file is scanned, Xray populates the artifact's SBOM and Vulnerabilities according to the components specified in the SBOM file. |
Machine Learning Model | bin, ckpt, dill, flax, ggml, gguf, h5, hdf5, joblib, keras, mpk, msgpack, nemo, npy, npz, onnx, pb, pdparams, pkl, pt, pth, safetensors, tflite, zip | In Docker and Generic repositories, Xray identifies ML model binaries of the following formats: Flax, GGML, GGUF, Joblib, Keras H5, NeMo, NumPy Archive, NumPy Array, ONNX, PaddlePaddle, Pickle / Dill, PyTorch Archive, PyTorch state_dict, Safetensors, SavedModel, TFLite. |
CocoaPods | podspec | Xray scans CocoaPods packages (that contain a Podspec file) to detect security vulnerabilities, ensure license compliance, and evaluate operational risks. |

Type | Supported |
---|---|
Supported Archive Types | 7zip, Zip, TAR, VMDK, OVA, CPIO, ISO, RAR, AAR |
Supported Compression Types | gz, xz, bz2, zstd, lzma |