This page lists the optional configuration parameters for Frogbot that users can reference to customize their scans and fix actions. Each parameter is described along with its default value (if applicable) and usage guidance and can be set as an environment variable before executing Frogbot.
| Parameter Name | Description | Default Value | Repo Scan | PR Scan |
|---|---|---|---|---|
JF_GIT_API_ENDPOINT | API endpoint for GitHub Self-Hosted environment | https://api.github.com | ✔️ | ✔️ |
JF_RELEASES_REPO | Engines and Resources location. See Working in Air-Gapped Environments. | https://releases.jfrog.io | ✔️ | ✔️ |
JF_PATH_EXCLUSIONS | List of exclusion patterns (utilizing wildcards) for excluding paths in the source code of the Git repository. | *git*;*node_modules*;*target*;*venv*;*test* | ✔️ | ✔️ |
JF_WATCHES | Set Frogbot to use Xray Watches.
| “” | ✔️ | ✔️ |
JF_PROJECT | JFrog project.
| “” | ✔️ | ✔️ |
JF_FAIL | Fails the Frogbot task if any security issue is found. | false | ✔️ | |
JF_DEPS_REPO | Artifactory virtual repository for downloading dependencies if not cached locally. | “” | ✔️ | ✔️ |
JF_BRANCH_NAME_TEMPLATE | Template for generated branch names; must include {BRANCH_NAME_HASH} for uniqueness. | "frogbot-{IMPACTED_PACKAGE}-{BRANCH_NAME_HASH}" | ✔️ | |
JF_COMMIT_MESSAGE_TEMPLATE | Template for commit messages; can include {IMPACTED_PACKAGE} and {FIX_VERSION}. | "Upgrade {IMPACTED_PACKAGE} to {FIX_VERSION}" | ✔️ | |
JF_PULL_REQUEST_TITLE_TEMPLATE | Template for pull request titles; can include {IMPACTED_PACKAGE} and {FIX_VERSION}. | "[🐸 Frogbot] Upgrade {IMPACTED_PACKAGE} to {FIX_VERSION}" | ✔️ | |
JF_GIT_AGGREGATE_FIXES | If true, groups all fixes in a single PR; false creates separate PRs. | false | ✔️ | |
JF_FIXABLE_ONLY | If true, addresses only vulnerabilities with available fixes. | true | ✔️ | |
JF_MIN_SEVERITY | Minimum severity level (Low, Medium, High, or Critical) for vulnerabilities to fix/comment. | “” | ✔️ | ✔️ |
JF_GIT_EMAIL_AUTHOR | Author email for commit messages. | "eco-system+frogbot@jfrog.com" | ✔️ | |
JF_ALLOWED_LICENSES | Comma-separated list of allowed licenses. | “” | ✔️ | ✔️ |
JF_AVOID_EXTRA_MESSAGES | If true, excludes additional info from PR comments, showing only scan findings. | true | ✔️ | |
JF_PR_COMMENT_TITLE | Custom title for PR comments generated by Frogbot. | ✔️ | ||
JF_SMTP_SERVER | JAS Secret Finding Report SMTP server URL with port for sending emails with detected secrets in pull request scans. | ✔️ | ||
JF_SMTP_USER | Username for authenticating with the SMTP server (mandatory if JF_SMTP_SERVER is set). | ✔️ | ||
JF_SMTP_PASSWORD | Password for authenticating with the SMTP server (mandatory if JF_SMTP_SERVER is set). | ✔️ | ||
JF_EMAIL_RECEIVERS | Comma-separated list of email addresses for notifications about detected secrets in PRs. | “” | ✔️ | |
JF_INSTALL_DEPS_CMD | Command for installing project dependencies (e.g., "nuget restore"). Required if the project uses Yarn 2, NuGet, or .NET and install command isn’t set in frogbot-config.yml. | ✔️ | ✔️ | |
JF_INCLUDE_ALL_VULNERABILITIES | If set to "true", displays all vulnerabilities, including those present before the pull request. | "false" | ✔️ | |
JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION | If set to "true", retains old comments on pull requests from previous scans when adding new comments. | "false" | ✔️ | |
JF_REQUIREMENTS_FILE | Relative path to a Pip requirements.txt file. If not set, dependencies are determined using the setup.py file. | "true" | ✔️ | ✔️ |
JF_USE_WRAPPER | Use Gradle wrapper for builds. | “true” | ✔️ | ✔️ |