Software Composition Analysis

JFrog Security Documentation



JFrog Xray scans your artifacts, builds and Release Bundles for OSS components being used, and detects security vulnerabilities and licenses in your software components. The results of this scan are then displayed across the JFrog Platform.

Before you begin

Before you begin, ensure JFrog Xray is installed and you have configured indexing in the Administration module. For more information, see Configuring Xray.Installing Xray

How Does Xray Scan Your Artifacts?

  1. Xray is populated with vulnerability data: Xray initially populates data about vulnerabilities and licenses from the Xray global database server managed by JFrog. After the initial database synchronisation, Xray is then continuously synchronized with the central database for new updates on a daily basis. To learn more about Xray security and severity levels, see Determining the Issue Severity Level for Operating Systems Packages

  2. Indexes resources: Performs deep indexing of artifacts, builds and Release Bundles, recursively going through dependencies at any level and creates a graph of relationships between software components. For example, when analyzing a Docker image, if Xray finds that it contains a Java application, it will also analyse all the .jar files used in this application.

  3. Scans resources: Scans packages, builds, artifacts and Release Bundles that have been set to be scanned in the Indexing Resources in the Administration module to match vulnerabilities and licenses for each OSS component in the scanned resource.

  4. Processes assigned Policies based on the predefined Watches: Xray provides an enhanced Policy and Watch mechanism for defining and enforcing governance standards on your binaries, bringing additional security and compliance to your software dependencies.

  5. Performs ongoing Impact Analysis: When a new vulnerability or license is added to the Xray Database, Xray immediately identifies all of the impacted artifacts, and runs the relevant policies to continuously protect your artifacts, builds and Release bundles.


Xray Functionality in the Application Module

The following table describes Xray capabilities that are supported in the Application module:

Xray Capability


Search for Xray Data

Search for resources containing specific vulnerability and license compliance information according to Resource Name, CVE number, license, severity level and narrow it down to a specific date range. For more information, see Searching for Scanned Resources.Searching for Scanned Resources

Manage Violations on a Watch

View the detected violations for a specific Watch as well as setting ignore rules if needed. For more information, see Examining Violations on a Watch.

Analyze Your Resource Scanned Results

View Xray data on each of the scanned resources allowing you todrill down to expose greater detail and help you analyze the state of your components. For more information, see Analyzing Your Resource Scan Results.

Integrate Xray into Your CI-CD Pipeline

JFrog Xray can be integrated into your organization's CI/CD pipeline to make sure that build jobs containing violations are stopped early in the process. As part of a fully automated process, Xray receives information about a build that has just been run by your CI server, and runs a deep recursive scan on the build down to the deepest level dependency. If any violations are found, Xray returns an indication to the calling CI server and fails the build. For more information, see CI-CD Integration with Xray.

Integrate Xray into Your IDE

JFrog Xray is instrumental in flagging components with vulnerabilities during the development, by displaying vulnerabilities as early as possible in the developer's IDE. For more information, see IDE Integration.

Additional Xray Functionalities

In addition to the Xray capabilities in the JFrog Platform, Xray provides the following features that help developers scan their packages and components:

  • CI-CD Integration with Xray: Seamlessly integrate JFrog Xray security and compliance scanning in your organization's CI/CD pipeline to make sure that build jobs containing vulnerabilities are stopped early on in the process.

  • Dependencies Scan: Scan your source's dependencies using the JFrog CLI for vulnerabilities and licenses violations.

  • On-Demand Binary Scan: Point to a binary in your local file system and receive a report that contains a list of vulnerabilities and licenses for that binary using the JFrog CLI.

Watch the Screencast