JFrog Xray

Deliver Security and Compliance Best Practice at DevOps Speed


Securing your software supply chain is an increasingly complex problem with evolving attack methods and a mix of security point solutions, which can leave you with security blind spots and gaps across your supply chain. DevOps and security professionals are left to figure out how to maintain development speed without sacrificing the trust in your releases. Ensuring developers have integrated security automation and knowledge at their fingertips is the panacea of secure software delivery at the speed of DevOps.


JFrog security integrates advanced security scanning, automation and knowledge directly into the DevSecOps workflow, enabling secure innovation at speed and scale. We analyze code and binaries to give accurate vulnerability context, avoiding false positives, saving time, and increasing agility. JFrog provides a holistic and trusted end-to-end software supply chain security solution, from source to edge.


See what no one else sees

  • Drive cross-team cooperation and trust centered on deep security research that automatically delivers unparalleled visibility into issues, their impact, and actionable advice for developers.

Comply with confidence

  • Automate regulatory and governmental compliance tasks with all must-have actions for SBOM generation, sharing, and reporting out of the box.

Find, fix & fortify

  • Sharpen developer focus with prioritized, contextual remediation advice that identifies what matters most to ensure you’re protected.

Protect against malicious activity

  • Stop security issues that arise post-code generation with binary-based analysis across the software supply chain, including in curation, dev, test, staging, and production.

Secure from one place

  • Execute with confidence, taking holistic action across code, configurations, and binaries throughout your portfolio from a single platform.

Take intelligent action

  • Know where vulnerabilities live, and deploy fixes across your portfolio with integrated binary management and distribution capabilities based on complete lifecycle metadata.


JFrog Xray and the JFrog Platform intelligently identify significant supply chain security issues that attackers use to compromise developers’ processes, with:

  • Container contextual analysis
    Advanced container scanning to identify and prioritize whether the open source software vulnerabilities are actually exploitable in your application – an industry first.
  • Exposed secrets
    Detect secrets left exposed in any containers stored in JFrog Artifactory to prevent any accidental leak of passwords, API keys, internal tokens, or credentials.
  • Infrastructure-as-Code (IaC)
    Secure IaC files stored in JFrog Artifactory for early detection of cloud and infrastructure misconfigurations that can be exploitable.
  • Insecure use of libraries and services
    Discover whether common OSS libraries and services are used or configured insecurely, causing exposure to attacks.
  • Malicious package detection
    Discover and eliminate unwanted or unexpected packages, using JFrog’s unique database of identified malicious packages.
  • Operational risk policies
    Enable easy handling of open source software risks like package maintenance issues & technical debt.
  • Enhanced CVE remediation data
    Speed mitigation with enhanced remediation for critical CVEs, enabling developers, DevOps, and security teams to understand more about how to easily & intelligently address vulnerabilities, often with simple code or configuration changes.
  • Enhanced CVE data and severity assessment
    Understand critical CVEs and learn additional insights to enable developers, DevOps, and security teams to understand issues across OSS and commercial environments. Driven by our dedicated security research team’s advanced analysis.
  • Developer-oriented features
    Security know-how is at their fingertips with Integration directly into the most popular IDEs, Docker Desktop, vulnerability scanning via CLI, and Frogbot scanner for discovering vulnerabilities in git repositories.
  • Security-oriented features
    Make compliance a breeze with SBOMs out of the box, industry-standard SPDX and CycloneDX and new security UI screens, with all security scans shown in one place.


JFrog’s differentiated approach is to deliver a unified Platform that bridges the gap between Developers, DevOps and Security teams, driving a single source of record for software supply chain security. JFrog is uniquely positioned to intelligently unify these groups with the following key differentiating themes:

  • Binary focus
    The modern software supply chain has only one core asset delivered into production: the software binary. Therefore, today’s attackers try to reverse-engineer, break or entice the shipment of compromised binaries. Because they contain more information than source code, JFrog’s focus on the binary, reveals issues that are not always visible in source code.
  • Comprehensive coverage, including context
    JFrog identifies OSS vulnerabilities, any OSS library misuse, insecure use of services, exposed secrets, IaC configuration issues, and identification of the applicability and exploitability of the most serious vulnerabilities in your application – all in a single platform. CVEs may or may not be exploitable depending on the application’s configurations, reachability paths, and compile flags.
  • Security that really works for DevOps
    Security teams set security strategies and compliance policies. Development teams build, remediate and manage code bases. Binaries, infrastructure, integrations, releases and flows all must be addressed to enable a DevOps-centric workflow that works for core DevOps teams, not just security and developers.
  • Native integration with binary management
    JFrog Artifactory manages all artifacts and repositories in one place, which becomes a single source of truth for an organization. Security becomes an easy process when you have control of your entire portfolio and are deeply integrated. Your single source of truth becomes a single source of trust.
  • End-to-End software supply chain coverage
    DevOps becomes the security pivot point for organizations, since every process, and tool requires and incorporates security. JFrog Xray and the advanced security features are deeply integrated, allowing companies to unify, accelerate & secure their software delivery. An enterprise-grade offering, that supports cloud, multicloud and hybrid deployments and can even deliver to the edge/ IoT at any scale.





Protect your code and prevent unwanted security and license compliance risks from entering your software releases. JFrog Xray is integrated into your software development pipeline.