Xray Dependencies Scan

JFrog Security Documentation

Products
JFrog Xray
Content Type
User Guide
ft:sourceType
Paligo

As part of JFrog's shift left efforts to aid developers, Xray also provides the capability to scan your sources dependencies using the JFrog CLI, Frogbot, and JFrog IDE Integrations for vulnerabilities and licenses violations. With this feature, before a developer even checks-in the code they can scan for security or license violations saving valuable time to address these issues. Using a simple command line tool, you can scan a source directory that can be run anywhere and anytime, providing a faster scan, without the need to compile, test or deploy to Artifactory. This enables you to detect vulnerabilities in your dependencies as early as possible.

Once you run the command successfully, Xray scans your dependencies the same way it would when run against artifacts in Artifactory repositories. For more information, see Xray Security and Compliance. The CLI returns a detailed scan results report that contains the details of vulnerabilities and violations discovered in your dependency tree.

Note

This is only supported for Maven, Gradle, and npm packages.

Starting from JFrog CLI version 2.4.0 PyPI and Go packages are supported.

Prerequisites

To run a JFrog dependency scan, you need the following installed.

  1. Install XrayInstalling Xray

  2. Install JFrog CLI version 2.1.0

To run a JFrog Dependency Scan:

#

Task

Description

For more information, see...

1

Trigger the JFrog CLI

Trigger the JFrog CLI in a directory containing the source files.

Access the JFrog CLI

2

Run the JFrog CLI Command

Run the JFrog CLI Command for your deployment

Run the JFrog CLI Command for Dependency Scans

3

Review Results

Review the On-Demand Binary Scan results.

View Xray Dependency Scan Results