As part of JFrog's shift left efforts to aid developers, Xray also provides the capability to scan your sources dependencies using the JFrog CLI, Frogbot, and JFrog IDE Integrations for vulnerabilities and licenses violations. With this feature, before a developer even checks-in the code they can scan for security or license violations saving valuable time to address these issues. Using a simple command line tool, you can scan a source directory that can be run anywhere and anytime, providing a faster scan, without the need to compile, test or deploy to Artifactory. This enables you to detect vulnerabilities in your dependencies as early as possible.
Once you run the command successfully, Xray scans your dependencies the same way it would when run against artifacts in Artifactory repositories. For more information, see Xray Security and Compliance. The CLI returns a detailed scan results report that contains the details of vulnerabilities and violations discovered in your dependency tree.
This is only supported for Maven, Gradle, and npm packages.
Starting from JFrog CLI version 2.4.0 PyPI and Go packages are supported.
To run a JFrog dependency scan, you need the following installed.
To run a JFrog Dependency Scan:
For more information, see...
Trigger the JFrog CLI
Trigger the JFrog CLI in a directory containing the source files.
Run the JFrog CLI Command
Run the JFrog CLI Command for your deployment
Review the On-Demand Binary Scan results.