With the latest Frogbot release you’ll get GitHub security alerts! Support for Yarn 2 … Improved workflow and more!!
Frogbot scans every new pull request for security vulnerabilities with JFrog Xray, and in version 2.3.2 it even opens pull requests that upgrade vulnerable dependencies to a version with a fix!
With Frogbot installed, you can make sure that new pull requests don't bring new security vulnerabilities into your code base. If they do, the creator of the pull request has the opportunity to change the code before it is merged.
Frogbot reports its findings directly in the Git UI: it simply adds a comment with what it found. You can think of Frogbot as a new team member whose job is keeping your code safe.
If for some reason a vulnerable dependency still finds its way into your repository, Frogbot can automatically create a pull request that upgrades it to a version with a fix.
- JFrog Frogbot
- JFrog Xray
- JFrog CLI developer plugins registry
- Read more about JFrog Frogbot in this blog post
Today we are going to talk about Frogbot.
Version 2.3.2 was released this week, the last week of August 2022.
This release includes new features like:
Support for opening fix pull requests in pip, pipenv, and Yarn projects
Show scan results in the GitHub Security tab
We also added the action templates to GitHub workflow templates, so you can add them easily.
What is Frogbot?
Frogbot is a Git bot that scans your pull requests after they are opened and also scans your Git repositories right after a pull request is merged.
So, how does Frogbot scan pull requests?
Well, Frogbot uses JFrog Xray in the background.
After the "Pull Request scan" workflow has run, Frogbot adds the results of the scan as a comment on the pull request.
Frogbot supports GitHub, GitLab, and Bitbucket Server projects that manage their dependencies with:
- Yarn 2
For security reasons, Frogbot is not triggered automatically: the scan runs with access to your JFrog credentials, so an untrusted pull request must not be able to start it on its own.
After a developer creates a new pull request, a maintainer of the Git repository can trigger Frogbot to scan it.
The scan result will include only new vulnerabilities added by the pull request.
Vulnerabilities that aren’t new, and existed in the code before the pull request creation, will not be included in the report.
If you want the report to include all vulnerabilities, including the pre-existing ones, set the JF_INCLUDE_ALL_VULNERABILITIES environment variable to true.
The steps involved:
- A developer opens a pull request.
- The Frogbot workflow is triggered automatically, and the job waits on the GitHub environment named "frogbot" for a maintainer's approval.
- A maintainer reviews the pull request and approves the scan.
- Frogbot can be triggered again after new commits are pushed; each scan needs its own approval.
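This is what the pull request scan workflow behind those steps looks like for a Maven project. It is an added example written for this post, not a file copied from the Frogbot repository; the `jfrog/frogbot@v2` action reference and the `JF_*` environment variable names follow the Frogbot templates as I know them, and the JDK version and distribution are placeholders. Check the templates in the Frogbot repository for your version before using it.

```yaml
# .github/workflows/frogbot-scan-pull-request.yml
# Added example for this post, not a template from the Frogbot repository.
name: "Frogbot Scan Pull Request"

on:
  # pull_request_target runs in the context of the BASE repository, so the job
  # can read the repository secrets below even for pull requests from forks.
  # That is exactly why the job is gated behind an environment.
  pull_request_target:
    types: [opened, synchronize]

permissions:
  pull-requests: write   # Frogbot posts its findings as a PR comment
  contents: read

jobs:
  scan-pull-request:
    runs-on: ubuntu-latest
    # The job does not start until a reviewer of the "frogbot" environment
    # (created in the repository settings) approves it. Every new push to
    # the pull request needs a fresh approval.
    environment: frogbot
    steps:
      # Check out the pull request's own commit, not the base branch, so the
      # dependency files changed by the PR are what gets scanned.
      - uses: actions/checkout@v3
        with:
          ref: ${{ github.event.pull_request.head.sha }}

      # Maven needs a JDK to resolve the dependency tree (version is a placeholder).
      - uses: actions/setup-java@v3
        with:
          java-version: "11"
          distribution: "temurin"

      - uses: jfrog/frogbot@v2
        env:
          # JFrog platform URL, stored as a repository secret
          JF_URL: ${{ secrets.JF_URL }}
          # Access token with read permissions on Xray; do not use an admin token
          JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
          # Token Frogbot uses to comment on the PR; the job's own token is enough
          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Uncomment to report pre-existing vulnerabilities as well, not only
          # the ones introduced by this pull request
          # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
```

The approval gate is not optional hygiene. The scan resolves the pull request's dependency tree with Maven, so a hostile pom.xml in a pull request from a fork could run code on the runner next to your JFrog token; the environment's required reviewers are what stands between that pull request and your secrets. Keep the gate in place for any repository that accepts pull requests from outside contributors.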
What do the pull request comments look like?
If the workflow runs successfully, the scan result shows either that vulnerabilities were found or that none were.
If there are no vulnerabilities, everything is GREEN.
If there ARE vulnerabilities, the details of each one are added to the pull request comment.
With all this information we can prevent merging code that has known vulnerabilities.
But what happens if we merge the pull request anyway?
Don't worry, there is a solution for that!!
Scanning repositories after pull requests are merged
The scan is done with Xray and is triggered whenever commits are pushed to the repository. For each vulnerable dependency that has a version with a fix, Frogbot opens a pull request containing a commit that upgrades it.
In GitHub repositories, Frogbot also adds the findings as security alerts in the GitHub UI.
How cool is that!!
Opening fix pull requests is currently supported only on GitHub and GitLab; Bitbucket support is coming soon.
Check Frogbot documentation to know when that will be enabled!
OK, now let us add Frogbot to a GitHub Maven project.
This is a trivial Maven project. To add Frogbot we need to configure the details of our JFrog environment, in this case JF_URL and JF_ACCESS_TOKEN.
You can find the JF_URL in the JFrog Platform under Platform Configuration, Platform Security, General.
We can generate an access token under User Management, Access Tokens. Scope it to what Frogbot needs (read access to Xray) rather than using an admin token, because this token will live in the repository's secrets.
Make sure GitHub Actions has permission to create pull requests: in the repository settings, under Actions, General, Workflow permissions, enable "Allow GitHub Actions to create and approve pull requests".
Create a new "frogbot" GitHub environment and add people or public teams as required reviewers. Only the chosen reviewers are authorized to trigger Frogbot scans on pull requests.
We need to add the GitHub action.
You can copy both workflow files from the Frogbot GitHub repository.
Remember that JF_URL and JF_ACCESS_TOKEN are defined as repository secrets.
We copy the scan-and-fix Maven workflow file from the GitHub Actions templates.
As soon as the file is committed, the scan-and-fix workflow is triggered; no vulnerabilities are found, so we continue as normal.
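For reference, here is the shape of the scan-and-fix workflow for a Maven project, covering both the post-merge scan described above and this setup step. It is an added example written for this post, not the template from the Frogbot repository; the action reference, permissions and `JF_*` variables follow the Frogbot templates as I know them, and the branch name and JDK version are placeholders. Compare it with the template you copy for your version.

```yaml
# .github/workflows/frogbot-scan-and-fix.yml
# Added example for this post, not a template from the Frogbot repository.
name: "Frogbot Scan and Fix"

on:
  push:
    branches: [main]   # placeholder: the branch Frogbot should keep clean

# These are the permissions Frogbot needs to push a fix branch and open a
# pull request with the job's own GITHUB_TOKEN. If the alerts do not show
# up in the Security tab, code scanning uploads also need
# security-events: write.
permissions:
  contents: write
  pull-requests: write

jobs:
  create-fix-pull-requests:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3

      # Maven needs a JDK to resolve the dependency tree (version is a placeholder).
      - uses: actions/setup-java@v3
        with:
          java-version: "11"
          distribution: "temurin"

      - uses: jfrog/frogbot@v2
        env:
          # JFrog platform URL, stored as a repository secret
          JF_URL: ${{ secrets.JF_URL }}
          # Access token with read permissions on Xray (not an admin token)
          JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
          # Token used to push the fix branch and open the pull request
          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

One caveat worth knowing before you rely on this: GitHub does not start new workflow runs for events created with the job's own GITHUB_TOKEN, so a fix pull request opened this way will not itself be scanned by the pull request scan workflow. That is safe here, because the fix PR only bumps a dependency version, but if you want every PR scanned regardless of who opened it, give JF_GIT_TOKEN a dedicated token instead of GITHUB_TOKEN and scope it as narrowly as your platform allows.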
Next I open a new pull request that deliberately adds a dependency with a known vulnerability.
As soon as the PR is opened, the scan pull request workflow is triggered. In this case I am the only maintainer, so no approval is needed.
The results of the scan are added as comments! Oh no!
I will merge this pull request!! Do NOT DO THIS AT HOME, unless you have a good reason!
Now the scan-and-fix workflow finds a version of the vulnerable dependency that contains a fix, and it saves the day by automatically creating a pull request!
The create-fix-pull-request workflow is triggered, and the new code scanning alerts are found and displayed on the Security tab.