Frogbot: Securing your git repository!

Frogbot scans every pull request created for security vulnerabilities with JFrog Xray. With Frogbot installed, you can make sure that new pull requests don't introduce new security vulnerabilities into your code base. If they do, the creator of the pull request has the opportunity to change the code before it is merged.

Frogbot reports its findings directly in the git UI. It simply adds a comment with its findings. You can think of Frogbot as your new team member, keeping your code safe.


Transcription:

Hello!

Today we are going to talk about Frogbot, one of the coolest bots out there. Frogbot is a git bot that scans pull requests for vulnerabilities. 

In this video we will be using the GitHub action!

Quite easy, really!

With this GitHub action, as soon as a pull request is created or a label is added to an existing pull request,

Frogbot will be run and a new report will be created with all the vulnerabilities found in the project!

Before we add the Frogbot GitHub action, note that Frogbot requires a JFrog environment to scan the pull requests.

I recommend that you create your own free instance! Go to jfrog.com and start for free.

How to create your own account, users and security access tokens is covered in specialized webinars at jfrog.com.

We are going to need the JFrog platform URL, and a username and a password or a token, as git secrets!

Let's add the Frogbot GitHub action!

We can use the GitHub Action templates!

I'm going to select the Maven template. As you can see, we have all the information we need to add the GitHub action to our own workflows.

Now, the secrets...

From our JFrog platform we can create an access token to allow Frogbot to connect, run the scan and generate the report.

As you can see I opted for that option! 

In the GitHub workflows directory, the app project already has the Frogbot YAML file defined.

Here we defined the URL and the access token!

We have created a pull request called log4j 1.2

that adds a known critical vulnerability,

and we can see exactly that in the report in the comment section:

Severity

The package impacted

Version

Component 

Component version 

The report was generated by the Frogbot GitHub action when the pull request was created.

We can verify the version of the Frogbot action, the environment variables...

This GitHub action can be executed again and again if we use the Frogbot scan label!

Remember, just add the label to re-run the Frogbot action!

A new report will be added in the comments section of the pull request.

Thank you for watching this video! Happy coding!

Release Fast Or Die
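The workflow the video walks through, written out as an added example (this is not the repository's own file from the video): it runs the jfrog/frogbot action when a pull request is opened or updated, and again whenever the scan label is applied, using the JFrog platform URL and access token stored as git secrets. The secret names JF_URL and JF_ACCESS_TOKEN, the label text "frogbot scan", the Java version, and the job name are assumptions; adjust them to match your repository.

```yaml
# Added example workflow, not the video's own file.
# Assumptions: secrets are named JF_URL and JF_ACCESS_TOKEN, and the
# re-run label is "frogbot scan". Save as .github/workflows/frogbot-scan-pull-request.yml
name: Frogbot scan pull request

on:
  pull_request_target:
    # opened/synchronize: scan when the PR is created or new commits are pushed
    # labeled: allow a re-run by adding the scan label to an existing PR
    types: [opened, synchronize, labeled]

permissions:
  pull-requests: write   # Frogbot posts its report as a PR comment
  contents: read

jobs:
  scan-pull-request:
    # On a 'labeled' event, only run when the label is the scan label
    if: github.event.action != 'labeled' || github.event.label.name == 'frogbot scan'
    runs-on: ubuntu-latest
    steps:
      # The Maven template needs a JDK so Frogbot can resolve the project's dependencies
      - uses: actions/setup-java@v4
        with:
          distribution: temurin
          java-version: '11'   # assumed; use the version your project builds with

      - uses: jfrog/frogbot@v2
        env:
          JF_URL: ${{ secrets.JF_URL }}                    # JFrog platform URL
          JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}  # access token created in the JFrog platform
          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}        # lets Frogbot comment on the pull request
```

Because `pull_request_target` runs in the context of the base repository and therefore has access to its secrets, keep the job's permissions to the minimum shown above and gate the job behind a protected GitHub environment that requires a reviewer's approval for pull requests from forks, so that an untrusted branch cannot exfiltrate the JFrog token.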