Frogbot V2.1.2: Securing your git repository!

Frogbot scans every pull request created for security vulnerabilities with JFrog Xray and in version 2 it even opens pull requests for upgrading vulnerable dependencies to a version with a fix!

With Frogbot installed, you can make sure that new pull requests don’t add new security vulnerabilities to your code base alongside them. If they do, the creator of the pull request has the opportunity to change the code before it is merged.

Frogbot reports its findings directly in the git UI. It simply adds a comment with its findings. You can think of Frogbot as your new team member, keeping your code safe.

If by some reason a vulnerable dependency finds its way into your repository, Frogbot can create pull requests automatically to upgrade to a new version that fixes said dependency.

Learn more:

Get started with Frogbot

Transcription:

Hi. Today we are going to talk about the latest version of Frogbot!

Yes we just released version 2 and we have added even more functionality

You can find the latest version — version 2.1.2 in GitHub  go to  jfrog/Frogbot

 

So what is Frogbot?

Excellent question!

Frogbot is a git bot that Scans pull requests for security vulnerabilities AND Opens pull requests for upgrading vulnerable dependencies to a version with a fix!

Frogbot will scan a pull request when it is either opened or updated and it will post a comment on the pull request.

Frogbot supports several project’s types …. if you have for example an NPM, maven, or  Go project you can start using Frogbot right now!

You can add Frogbot to any GitHub, Gitlab or Bitbucket repository!

After adding Frogbot whenever a developer creates a Pull Request, a workflow is triggered!

The scan will include only new vulnerabilities added by the pull request, not pre-existing ones.

The report will be added as comment on the Pull Request highlighting if there were no issues or if issues were found!

Adding the severity, impacted package, version, fixed versions and the component !

The new functionality added on version 2 for NPM, maven and Go projects is the automatic opening of pull requests to upgrade the version of a dependency.

The new version is suggested based on the Xray scan functionality. Known issues and the version number that fix said issues are taken into consideration when creating the automatic pull requests.

This functionality is supported on Github and Gitlab.. Bitbucket will be added soon.

The first step to benefit from better dependency management is to add Frogbot to your project repository.

Frogbot requires a JFrog environment to scan pull requests.  In case you don’t have one you can create a FREE Jfrog Environment in the Cloud.

Make sure you have your environment URL, username and password or create an access token. If you want to know about this topic in more detail you can visit jfrog.com and read more about it!

 

Now !!

Lets add Frogbot to a GitHub repository.

Here I have a very basic Maven project.

The first step is to add the GitHub actions for scanning and creating automatic pull requests to the maven repository

For that we can copy the templates directly from the jfrog Frogbot repository

We need the Maven template for the pull request scanning.

To copy the action is suggest you use the raw version of the document

You need to add the Frogbot GitHub actions inside the GitHub workflow directory

Create a new file and add the content of the Frogbot template for scanning pull requests .

Don’t forget to add the Frogbot GitHub action for  creating automatic pull requests

Once you have added these files to your repo, two new actions should be available under the actions tab.

Frogbot and Frogbot Fix.

Let’s try them!!

I’m creating a new pull request that adds a well known vulnerability on a dependency … in this case, log4j version 1.2.17

Don’t do this at home!

As soon as we create the pull request we can see that some actions are triggered

If we have a closer look in the actions tab there is a Frogbot workflow run.

 

This workflow has a job named : scan pull request.

 

If the job is successful, the pull request  will be updated. A new comment is added  with the report of the vulnerability scan!

Is up to the REPO owner, admins or any user  to comment or request a change, maybe even approve the pull request.

For demo purposes we will merge the pull request!

As soon as the pull request is merged, new workflows are triggered.

In this case we are very much interested on the Frogbot fix run

After the Frogbot job is finish If there is a vulnerable dependency with a  fixed version the Frogbot will create a pull request

Oh no!!!! There are no fixed versions for this dependency……

Well that is true!!

We need to change the packageId and the artefactId !!

A new pull request is needed to change the packageId to

org. apache.logging.log4j

and the artifact id to log4j core

As soon as we create the pull request Frogbot will trigger the pull request scan workflow.

 

This version has vulnerability issues too!

So a new comment is added to the pull request with the full scan report!!

But in this case there are fixed versions available!!!

 

Anyway! We will merge it … as is!

Again don’t do this at home!!

Once the pull request is merged the workflow for  creating automatic pull requests to fix vulnerable dependencies is triggered.

 

This time after the workflow finishes successfully there is a new pull request in our repo!!! YAY!!!

The pull request is to Upgrade the “org. apache.logging.log4j  log4j core” library to version 2.12.4 with one commit by Frogbot

The commit updates the dependency in question to version 2.12.4

If this update fits our needs  ( I hope so!)  We can approve it and merge it!!!

Release Fast Or Die