Frogbot: Securing your git repository!
Frogbot scans every pull request created for security vulnerabilities with JFrog Xray. With Frogbot installed, you can make sure that new pull requests don’t add new security vulnerabilities to your code base alongside them. If they do, the creator of the pull request has the opportunity to change the code before it is merged.
Frogbot reports its findings directly in the git UI. It simply adds a comment with its findings. You can think of Frogbot as your new team member, keeping your code safe.
Learn more:
- JFrog Frogbot
- New Frogbot V2.3.2
- JFrog Xray
- JFrog CLI developer plugins registry
- Read more about JFrog Frogbot in this blog post
Transcription:
Hello!
Today we are going to talk about Frogbot, one of the coolest bots out there. Frogbot is a git bot that scans pull requests for vulnerabilities.
In this video we will be using the GitHub action!
Quite easy, really.
With this GitHub action, as soon as a pull request is created or a label is added to an existing pull request,
Frogbot will be run and a new report will be created with all the vulnerabilities found in the project!
Before we add the Frogbot GitHub action, Frogbot requires a JFrog environment to scan the pull requests.
I recommend that you create your own free instance! Go to jfrog.com and start for free.
How to create your own account, users and security access tokens can be found on specialized webinars at jfrog.com!
We are going to need the JFrog platform URL, a username and a password or a token as git secrets!
Let's add the Frogbot GitHub action!
We can use the GitHub Action templates!
I'm going to select the Maven template. As you can see, we have all the information we need to add the GitHub action to our own workflows.
Now the secrets...
From our JFrog platform we can create an access token to allow Frogbot to connect, run the scan and generate the report.
As you can see I opted for that option!
In the GitHub workflows directory, the app project already has the Frogbot YAML file defined.
Here we defined the URL and the access token!
We have created a pull request called log4j 1.2
that adds a known critical vulnerability.
And we can see exactly that in the report in the comment section:
- Severity
- The package impacted
- Version
- Component
- Component version
The report was generated by the Frogbot GitHub action when the pull request was created
We can verify the version of the Frogbot action, the environment variables...
This GitHub action can be executed again and again if we use the Frogbot scan label!
Remember, just add the label to re-run the Frogbot action!
A new report will be added in the comments section of the pull request.
Thank you for watching this video! Happy coding!
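A workflow of the kind the video walks through, written here as an added example rather than the project's own file or Frogbot's official template. It assumes the JFrog URL and access token were stored as repository secrets named JF_URL and JF_ACCESS_TOKEN, and that a GitHub environment called frogbot exists; the action reference jfrog/frogbot@v2 and its JF_URL, JF_ACCESS_TOKEN and JF_GIT_TOKEN variables are the ones Frogbot documents.

```yaml
# .github/workflows/frogbot-scan-pull-request.yml
# Added example; not the workflow file shown in the video.
name: "Frogbot Scan Pull Request"

on:
  # pull_request_target runs in the context of the base branch, so the job can
  # read the repository secrets Frogbot needs. "labeled" is included so that
  # adding a label to an existing pull request re-runs the scan, as in the video.
  pull_request_target:
    types: [opened, synchronize, labeled]

# Least privilege: Frogbot only needs to read the code and post a comment.
permissions:
  pull-requests: write
  contents: read

jobs:
  scan-pull-request:
    runs-on: ubuntu-latest
    # Assumption: a "frogbot" environment configured with required reviewers,
    # so a maintainer approves the run before code from a fork is built and scanned.
    environment: frogbot
    steps:
      # Maven project (the template chosen in the video): Frogbot needs a JDK
      # and Maven on the runner to resolve the dependency tree it sends to Xray.
      - uses: actions/setup-java@v3
        with:
          distribution: temurin
          java-version: "11"

      - uses: jfrog/frogbot@v2
        env:
          # JFrog platform URL and access token from the repository secrets
          # (secret names are an assumption; match them to what you configured).
          JF_URL: ${{ secrets.JF_URL }}
          JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
          # Token Frogbot uses to write the findings comment on the pull request.
          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```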