Scan Your Binaries

JFrog Security User Guide

ft:sourceType
Ftml

The jf scan and jf docker scan command enables developers to perform on-demand security scans of their binaries directly from their terminal, ensuring early detection of CVEs, licenses, operational risk, and exposed secrets. By integrating seamlessly into the developer workflow, it helps catch security risks of binaries before uploading them into JFrog Artifactory — reducing remediation costs and enhancing software integrity. The scan results are displayed in the terminal for immediate feedback and are also available in the JFrog Platform’s On-Demand Scans pane, providing centralized visibility.

Info

On-demand scan results are retained for seven days before being automatically deleted.

Scanning Files on the Local File System

Use the jf scan command to scan files on your local file system with JFrog Xray.

Command: scan, s

Commands Parameters

ParameterOptional/DefaultDescription
--server-idOptionalServer ID configured using jf c add. Defaults to the configured server if not specified.
--specOptionalPath to a file specifying files to scan. Cannot be used with the pattern argument.
--projectOptionalJFrog project key for security violations. Mutually exclusive with --repo-path and --watches.
--repo-pathOptionalArtifactory repository path for determining violations. Mutually exclusive with --project and --watches.
--watchesOptionalComma-separated list of Xray watches. Mutually exclusive with --project and --repo-path.
--licensesDefault: falseDisplay license information.
--format=jsonOptionalOutputs scan results in JSON format.
--sbomDefault: falseDisplays the Software Bill of Materials (SBOM) for the project when set to true. Only applicable if the --sca flag is also used and the output format is set to table.
--vulnOptionalDisplay all vulnerabilities, regardless of Xray policy settings.

Arguments

ArgumentDescription
PatternSpecifies the file system path to artifacts. Supports wildcards.

Examples

Scan with a specific watch: Scans all files at path/to/files/ using the watch1 defined in Xray.

jf s "path/to/files/" --watches "watch1"

Scan with multiple watches: Scans files using watch1 and watch2 defined in Xray.

jf s "path/to/files/" --watches "watch1,watch2"

Scan specific file types: Scans .zip files using watch1 and watch2.

jf s "path/to/files/*.zip" --watches "watch1,watch2"

Scan with project policies: Scans .tgz files using policies defined for project-1.

jf s "path/to/files/*.tgz" --project "project-1"

Scan with repository path: Scans .tgz files using policies for libs-local/release-artifacts/.

jf s "*.tgz" --repo-path "libs-local/release-artifacts/"

Scan without specific policies: Shows all known vulnerabilities for .tgz files.

jf s "*.tgz"

Scanning Docker Containers on the Local File System

Use jf docker scan to scan Docker containers locally using the Docker client and JFrog Xray.

Commands Parameters

ParameterOptional/DefaultDescription
--server-idOptionalConfigured server ID.
--projectOptionalJFrog project key for security violations.
--repo-pathOptionalArtifactory repository path for determining violations.
--watchesOptionalComma-separated list of Xray watches.
--licensesDefault: falseDisplay license information.
--validate-secretsDefault: falseValidate detected secrets.
--format=jsonOptionalOutputs scan results in JSON format.
--vulnOptionalShow all vulnerabilities.

Arguments

ArgumentDescription
PatternSpecifies the file system path to artifacts. Supports wildcards.

Examples

Scan all vulnerabilities: Scans img1:1.0.0 and displays all known vulnerabilities.

jf docker scan reg1/repo1/img1:1.0.0

Scan with project policies: Displays violations for my-project.

jf docker scan reg1/repo1/img1:1.0.0 --project my-project

Scan with Xray watch: Shows violations based on my-watch.

jf docker scan reg1/repo1/img1:1.0.0 --watches my-watch

Scan with repository path: Displays violations for releases-local/app1/.

jf docker scan reg1/repo1/img1:1.0.0 --repo-path releases-local/app1/

Scanning Image Tarballs on the Local File System

Use the scan command to scan tarballs of Docker and OCI images saved on the local file system.

It requires saving the image as a tar file using a compliant tool and then scanning it with the jf s command.

Examples

Using Docker

Save and scan an image:

docker save --output my-image-docker.tar my-image:1.0.0
jf s my-image-docker.tar

Using Skopeo

Scan Docker format:

skopeo copy docker-daemon:my-image:1.0.0 docker-archive:my-image-docker.tar
jf s my-image-docker.tar

Scan OCI format:

skopeo copy docker-daemon:my-image:1.0.0 oci-archive:my-image-oci.tar
jf s my-image-oci.tar

Using Podman

Scan Docker format:

podman save --format=docker-archive -o my-image-docker.tar my-image:1.0.0
jf s my-image-docker.tar

Scan OCI format:

podman save --format=oci -o my-image-oci.tar my-image:1.0.0
jf s my-image-oci.tar

Using Kaniko

Build and scan an image:

docker run -it --rm -v $(pwd):/workspace gcr.io/kaniko-project/executor:v1.8.1-debug -f Dockerfile --no-push --tarPath my-image.tar -d my-image:1.0 -c . --cleanup
jf s my-image.tar