Run the JFrog CLI Command for Dependency Scans

JFrog Security Documentation

ft:sourceType
Paligo

This topic describes how to run the JFrog CLI commands as part of Dependency scans as described in Xray Dependencies Scan.

Supported commands in the JFrog CLI: (links to the section in cli)

  • Auditing an Npm Project: The audit-npm command audits an npm project, by generating a dependency tree for the sources, and scans it with Xray. The command should be executed while inside the root directory of the project.

  • Auditing Maven Projects: The audit-mvn command audits Maven projects, by generating a dependency tree for the sources, and scans it with Xray. The command should be executed while inside the root directory of the project.

  • Auditing Gradle Projects: The audit-gradle command audits Gradle projects, by generating a dependency tree for the sources, and scans it with Xray. The command should be executed while inside the root directory of the project.

  • Auditing Pip Projects: The The audit-pip command audits Pip projects, by generating a dependency tree for the sources, and scans it with Xray. The command should be executed while inside the root directory of the project.

  • Auditing Go Projects: The audit-go command audits Go projects, by generating a dependency tree for the sources, and scans it with Xray. The command should be executed while inside the root directory of the project.

Run the scan command with the relevant command options. You can view scan results for the following:

  • Vulnerabilities

  • Violations

  • Licenses

By default, the scan returns vulnerabilities data found in your dependencies. To retrieve violations data, use one of the following methods:

  • Watches - Select Watches to apply to the scan.

  • Repo Path- Provide a target destination path in Artifactory, and Watches will be determined by the path.

  • Project- Select a Project by project key, and use all Watches defined for the Project.

Take note, that if you run the scan using one of these command options, the scan results will only show violations data and not vulnerabilities data. To view vulnerabilities data, run the scan without these options.