Features and Capabilities

Software Composition Analysis (SCA)

What it does:
Xray performs deep analysis of artifacts, builds, and Release Bundles to identify security issues, license compliance, and operational risk.

Why it matters:
Organizations need to proactively identify vulnerabilities, license compliance, and code quality in their open-source and proprietary code before releasing software.

Developer Experience & Shift-Left Security with Xray Scanning in IDEs and CLI

What it does:
JFrog Xray enables developers to identify and remediate security vulnerabilities early in the development lifecycle by integrating directly into IDEs and CLI tools. This shift-left approach ensures that security is addressed before code is committed or built.

For developers and DevOps engineers, JFrog Xray provides on-demand CLI-based security scanning through JFrog CLI:

Deep Recursive Scanning

What it does:
Unlike traditional scanners, Xray recursively scans all layers of software artifacts.

Key Capabilities:

File-based Analysis: Extracts and scans all files within an artifact.
Recursive Layer Inspection: Ensures all artifact layers are covered.
OS and Container Security: Scans multiple package types. For the full list, see Supported Technologies.

Why it matters:
Provides greater visibility into software components.

Impact Analysis

What it does:
Analyzes how vulnerabilities impact different components in an organization’s software dependency graph.

Key Capabilities:

Dependency Tracking: Identifies affected projects based on security issues.
Contextual Analysis: Determines real-world exploitability of vulnerabilities. (with JFrog Advanced Security)
Fix Version Detection: Suggests available security patches for affected components.

Why it matters:
Reduces false positives and prioritizes vulnerabilities that pose the most risk.

Impact Search

What it does
Impact Search enables you to quickly identify which artifacts in your environment are affected by specific vulnerabilities or contain particular components. The feature provides a centralized way to assess the blast radius of security issues across your software supply chain.

Key capabilities

Search by vulnerability identifier (CVE or XRAY ID).
Search by package name, type, and version.
Correlate vulnerabilities to affected artifacts across repositories.
Support ad-hoc investigations and incident response workflows.
Provide consistent results aligned with Xray’s New SBOM data model.

Why it matters
When a critical vulnerability is disclosed, security and DevOps teams must rapidly understand where it exists in their estate. Impact Search reduces manual investigation by allowing targeted queries across all Xray-scanned resources, helping teams prioritize remediation and risk mitigation.

CI/CD Pipelines Integration

What it does:
Seamlessly integrates with CI/CD tools to scan software before deployment.

Key Capabilities:

Jenkins, GitHub Actions, GitLab CI, Azure DevOps Integration, Bamboo, TeamCity, and the JFrog CLI.
Automated Build Scanning: Prevents vulnerable builds by indicating that the build job should fail.

Why it matters:
Secure the CI/CD Pipeline and reduce remediation costs.

Features and Capabilities

JFrog Security User Guide

Software Composition Analysis (SCA)

Developer Experience & Shift-Left Security with Xray Scanning in IDEs and CLI

Deep Recursive Scanning

Impact Analysis

Impact Search

Policy-Based Security Enforcement

Operational Risk Management

Malicious Package Detection

Software Bill of Materials (SBOM)

Advanced Reporting

CI/CD Pipelines Integration