Catalog

JFrog Security User Guide
ft:sourceType
Ftml

JFrog Catalog is a centralized repository of open-source software (OSS) packages and Common Vulnerabilities and Exposures (CVEs), enriched with security, compliance, and operational risk insights. It serves as a single source of truth for organizations managing their software supply chain, offering deep visibility into package vulnerabilities, dependencies, and licensing requirements.

With data continuously enriched by JFrog Security Research, JFrog Catalog provides actionable intelligence that helps development, security, and compliance teams make informed decisions about the software components they use.

Where Does JFrog Catalog Fit in the Security Timeline?

JFrog Catalog acts as the foundation for JFrog's security products, providing enriched OSS metadata, vulnerabilities, dependencies, and license insights before software is ingested into a development pipeline. It is primarily used before security scanning and enforcement mechanisms take place.

JFrog Catalog ( Pre-Selection & OSS Intelligence)

  • When? Before software components are introduced into development.
  • Purpose? Research, compare, and pre-approve open-source packages before they enter the CI/CD pipeline.

Install Catalog

The Catalog installation instructions can be found here.

Key Benefits of JFrog Catalog

1. Comprehensive Software Visibility

  • Enables quick identification of vulnerabilities within open-source components.
  • Provides a detailed view of package dependencies, including transitive risks.
  • Centralizes information on OSS licensing, helping legal teams manage compliance.

2. Strengthened Security & Risk Mitigation

  • Offers enriched CVE data to proactively address security threats.
  • Integrates with OpenSSF Scorecards to assess the security posture of OSS projects.
  • Helps developers choose more secure and well-maintained software packages.

3. Seamless Package Management with Labels

  • Allows organizations to categorize and manage packages through Catalog Labels.
  • Enables fine-grained curation policies, ensuring that only approved software is used.
  • Supports bulk automation via GraphQL API, streamlining package governance at scale.

4. Efficient Decision-Making

  • Empowers teams to compare multiple packages based on security, compliance, and dependencies.
  • Supports customized package selection, enabling organizations to make risk-aware software choices.