Introduction
It is common to notice differences in scan results when using different JFrog Xray scanning methods. JFrog provides multiple approaches to scanning your software components for security vulnerabilities, license compliance issues, and quality risks.
The three main approaches are:
- JFrog CLI Audit Scan (jf audit)
- Xray Artifact Scan (binary scanning)
- Build Xray Scan (scanning published builds)
While all three aim to identify potential risks, the differences come from the way they analyze artifacts, dependencies, and metadata. This article highlights the key differences by comparing concepts such as the component graph and dependency graph, as well as how these approaches impact scan results.
Resolution
1. JFrog CLI Audit Scan (jf audit)
What it does
The jf audit command scans the project by gathering metadata available on the package and constructing a dependency graph using the package manager’s install tree. It is typically used for source code or project scans and supports Static Application Security Testing (SAST) where applicable. Unlike artifact scans, it does not inspect the physical files themselves but instead relies on dependency metadata. This provides traceability to see which dependencies bring in vulnerabilities.
How it works
- Relies on the package manager metadata to build the dependency tree.
- Does not scan the actual files on disk.
- Supports SAST analysis depending on the package manager.
Graph type
- Dependency Graph: Shows hierarchical relationships (e.g., app → library A → library B → vulnerable-lib).
Use case
- Ideal for scanning source code projects.
- Helps identify the origin of vulnerable dependencies.
2. Xray Artifact Scan (binary scanning)
What it does
An artifact scan inspects the actual contents of a binary artifact, such as Docker images, ZIP files, or JAR packages. Xray extracts the components inside the artifact and performs checksum-based analysis against JFrog’s vulnerability database. It does not use dependency metadata and focuses only on the physical content of the artifact, making it suitable for deep inspection of shipped binaries.
How it works
- Extracts all files from the artifact and calculates checksums for each component.
- Compares the extracted components against JFrog’s vulnerability database.
- Does not use any dependency metadata; only what physically exists inside the artifact is scanned.
Graph type
- Component Graph: Flat representation of components in the artifact; dependency relationships are not preserved.
Limitations
- External dependencies used during the build but not included in the artifact will not be detected.
- Scan results may be limited for complex projects where files are split across multiple packages.
Use case
- Best for third-party binaries or artifacts where build metadata is not available.
- Useful for validating what is actually shipped.
3. Build Xray Scan (scanning published builds)
What it does
A build scan evaluates the full build metadata that has been published to Artifactory via JFrog CLI or CI plugins. This includes both the artifacts produced and all resolved dependencies, even if they were not packaged into the final artifact. Build scans also enrich results with context, such as environment variables, SCM data, and build numbers, providing a complete view of the build.
How it works
- Reads the published build metadata from Artifactory.
- Scans both the artifacts and all resolved dependencies used during the build.
- Includes enriched context such as environment variables, SCM info, and build numbers.
- Provides traceability for dependencies even if they were not embedded in the artifact.
Graph type
- Component Graph: Flat structure of components in the build.
- The dependency hierarchy is not preserved, unlike the dependency graph produced by jf audit.
Benefits
- Offers a complete view of direct and transitive dependencies.
- Enables traceability, reproducibility, and compliance across enterprise workflows.
Use case
- Ideal for CI/CD pipelines where builds are controlled and published to Artifactory.
- Ensures accurate scan results for artifacts and external dependencies.
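To make the three views above concrete, here is an added Python model (not JFrog code and not part of the original article) of why the same project yields different findings: a metadata walk that keeps the path to each hit (the jf audit view), a checksum match over only the files physically inside the artifact (the artifact scan view), and a flat union of resolved dependencies plus artifact contents (the build scan view). The dependency tree, file contents and identifiers VULN-1 to VULN-3 are constructed for illustration.

```python
import hashlib

# Constructed sample data, not taken from the article: the dependency tree as the
# package manager resolves it, and the files actually packed into the shipped artifact.
DEPENDENCY_TREE = {
    "app": ["library-a", "build-tool"],
    "library-a": ["library-b"],
    "library-b": ["vulnerable-lib"],
    "build-tool": ["vulnerable-plugin"],  # resolved at build time, never shipped
    "vulnerable-lib": [],
    "vulnerable-plugin": [],
}
ARTIFACT_FILES = {  # file name -> file contents inside the artifact
    "library-a.jar": b"library-a contents",
    "library-b.jar": b"library-b contents",
    "vulnerable-lib.jar": b"vulnerable-lib contents",
    "vendored-native.so": b"blob copied in by hand; no manifest entry",
}

def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed vulnerability database, indexed two ways: by component name (what a
# metadata-based scan matches on) and by checksum (what an artifact scan matches on).
VULN_BY_NAME = {"vulnerable-lib": "VULN-1", "vulnerable-plugin": "VULN-2"}
VULN_BY_SHA = {sha256(ARTIFACT_FILES["vulnerable-lib.jar"]): "VULN-1",
               sha256(ARTIFACT_FILES["vendored-native.so"]): "VULN-3"}

def audit_scan(tree, root="app"):
    """jf audit view: walk the dependency graph and keep the path to each hit."""
    findings = {}
    def walk(node, path):
        if node in VULN_BY_NAME:
            findings[node] = path + [node]
        for child in tree.get(node, []):
            walk(child, path + [node])
    walk(root, [])
    return findings

def artifact_scan(files):
    """Artifact view: checksum each extracted file; no metadata, no hierarchy."""
    return {name.rsplit(".", 1)[0]: VULN_BY_SHA[sha256(data)]
            for name, data in files.items() if sha256(data) in VULN_BY_SHA}

def build_scan(tree, files):
    """Build view: every resolved dependency plus the published artifact's
    contents, as a flat component -> vulnerability map (no paths kept)."""
    flat = {node: VULN_BY_NAME[node] for node in tree if node in VULN_BY_NAME}
    flat.update(artifact_scan(files))
    return flat
```

Running the three functions on the same input shows the audit view reporting the build-time-only plugin with its full path but missing the vendored binary, the artifact view catching the vendored binary but missing the unbundled plugin, and the build view reporting all three without any hierarchy.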
Conclusion
Summary Comparison
| Feature | JFrog CLI Audit (jf audit) | Xray Artifact Scan | Build Xray Scan |
|---|---|---|---|
| Scans actual files | No | Yes | Yes (artifacts only) |
| Uses dependency metadata | Yes | No | Yes |
| Graph type | Dependency Graph (hierarchy) | Component Graph (flat) | Component Graph (flat) |
| Detects unbundled deps | Yes | No | Yes |
| Best for | Source code projects | Third-party binaries | CI/CD builds with full metadata |