Detect, Prioritize and
Remediate Open Source
Risks Across your SDLC

Empower developers to find and fix security and compliance issues from the start
Start Product Tour Join Masterclass

What is JFrog Xray?

JFrog Xray is an enterprise grade software composition analysis (SCA) tool that provides organizations with a simple way to identify, prioritize and remediate security vulnerabilities and license compliance issues in open source software (OSS) and third party components.

Book a Demo

Early Detection and
Quick Remediation

Easily identify, prioritize and remediate vulnerabilities in your open source packages and binaries by performing continuous scanning of repositories, build packages, and container images throughout the development cycle. Discover security threats early to reduce risk, speed up fixes and save costs

Developer Productivity and Experience

Seamlessly integrate with developer tools, enabling efficient and automated protection of code with minimal impact on build times. View vulnerable dependencies with remediation options and context directly in your IDE/CLI. Automate your pipeline with JFrog’s CLI tool for dependency, container and on-demand scans.

License Compliance
at Scale

Get full visibility into direct and indirect dependencies with automatically-generated software bill of materials (SBOMs). Detect and resolve open source licensing issues before they manifest in production, and easily create policies to enforce regulations and generate compliance reports of all your OSS licenses.

Operational Risk
Management

Access additional data on OSS components to evaluate operational risk. Create custom policies to block packages based on risk factors such as version age, number of contributors, maintenance cadence, number of commits, and end-of-life.

CVE Research and Enrichment
by JFrog Security Research Team

Proactively drive security posture with in-depth CVE findings and vulnerability data from JFrog's dedicated Security Research Team. Gain a better understanding of the actual risk, prioritize high-profile CVEs, and accelerate remediation with effective resource allocation.

Malicious Package
Detection

Automatically discover and eliminate malicious packages and components using JFrog’s extended database of over 4M OSS packages, sourced with information from public advisories and JFrog’s Security Research Team. Get actionable out-of-the-box mitigation and remediation steps to minimize risk.

Why Customers Trust JFrog Xray

“Most large companies have multiple sites and it is critical for those companies to manage authentication and permission efficiently across locations. JFrog Enterprise+ will provide us with an ideal setup that will allow us to meet our rigorous requirements from the get go. It's advanced capabilities, like Access Federation, will reduce our overhead by keeping the users, permissions, and and groups in-sync between sites.”
Siva Mandadi
DevOps - Autonomous Driving, Mercedes
“JFrog Enterprise+ increases developer productivity and eliminates frustration. JFrog Distribution is basically a CDN On-Prem that enables us to distribute software to remote locations in a reliable way. Whereas, JFrog Access Federation gives us the ability to share credentials, access and group memebers across different locations with ease.”
Artem Semenov
Senior Manager for DevOps and Tooling,
Align Technology
"Instead of a 15-month cycle, today we can release virtually on request.”
Martin Eggenberger
Chief Architect,
Monster
“As a long-time DevOps engineer, I know how difficult it can be to keep track of the myriad of package types – legacy and new – that corporations have in their inventory. JFrog has always done a phenomenal job at keeping our team supported, efficient and operational – because if JFrog goes out, we might as well go home. Thankfully, with AWS infrastructure at our backs as well, we know we can develop and deliver with confidence anywhere our business demands today, and in the future.”
Joel Vasallo
Head of Cloud DevOps,
Redbox
“The capabilities of Artifactory are what allow us to do what we can do today…With Xray, [security] is a no-brainer – it’s built in, just turn it on, wow! I’ll take that all day long.”
Larry Grill,
DevSecOps Sr. Manager,
Hitachi Vantara
“When we had that issue with log4j, it was announced on Friday afternoon and [using JFrog] by Monday at noon we had all cities rolled out with the patch.”
Hanno Walischewski
Chief System Architect,
Yunex Traffic
“Among the lessons we learned from this compromise is, in general, you should arrange your system so you never build directly from the internet without any intervening scanning tool in place to validate the dependencies you bring into your builds. To this end, we use an instance of JFrog® Artifactory®, not the cloud service, to host our dependencies, which is the only valid source for any software artifacts bound for staging, production, or on-premises releases.”
Setting the New Standard in Secure Software Development:
The SolarWinds Next-Generation Build System
SolarWinds
"Since moving to Artifactory, our team has been able to cut down our maintenance burden significantly…we’re able to move on and be a more in depth DevOps organization."
Stefan Krause
Software Engineer,
Workiva
“Over 300,000 users around the world rely on PRTG to monitor vital parts of their different-sized networks. Therefore, it is our obligation to develop and enhance not only our software itself but also the security and release processes around it. JFrog helps us do this in the most efficient manner.”
Konstantin Wolff
Infrastructure Engineer,
Paessler AG
“JFrog Connect, for me, is really a scaling tool so I can deploy edge IoT integrations much quicker and manage them at a larger scale. There’s less manual, one-off intervention when connecting to different customer sites with different VPNs and firewall requirements.”
Ben Fussell
Systems Integration Engineer,
Ndustrial
"We wanted to figure out what can we really use instead of having five, six different applications. Maintaining them. Is there anything we can use as a single solution? And Artifactory came to the rescue. It really turned out to be a one-stop shop for us. It really provided everything that we need."
Keith Kreissl
Principal Developer,
Cars.com
“Most large companies have multiple sites and it is critical for those companies to manage authentication and permission efficiently across locations. JFrog Enterprise+ will provide us with an ideal setup that will allow us to meet our rigorous requirements from the get go. It's advanced capabilities, like Access Federation, will reduce our overhead by keeping the users, permissions, and and groups in-sync between sites.”
Siva Mandadi
DevOps - Autonomous Driving, Mercedes
“JFrog Enterprise+ increases developer productivity and eliminates frustration. JFrog Distribution is basically a CDN On-Prem that enables us to distribute software to remote locations in a reliable way. Whereas, JFrog Access Federation gives us the ability to share credentials, access and group memebers across different locations with ease.”
Artem Semenov
Senior Manager for DevOps and Tooling,
Align Technology
"Instead of a 15-month cycle, today we can release virtually on request.”
Martin Eggenberger
Chief Architect,
Monster
“As a long-time DevOps engineer, I know how difficult it can be to keep track of the myriad of package types – legacy and new – that corporations have in their inventory. JFrog has always done a phenomenal job at keeping our team supported, efficient and operational – because if JFrog goes out, we might as well go home. Thankfully, with AWS infrastructure at our backs as well, we know we can develop and deliver with confidence anywhere our business demands today, and in the future.”
Joel Vasallo
Head of Cloud DevOps,
Redbox
“The capabilities of Artifactory are what allow us to do what we can do today…With Xray, [security] is a no-brainer – it’s built in, just turn it on, wow! I’ll take that all day long.”
Larry Grill,
DevSecOps Sr. Manager,
Hitachi Vantara
“When we had that issue with log4j, it was announced on Friday afternoon and [using JFrog] by Monday at noon we had all cities rolled out with the patch.”
Hanno Walischewski
Chief System Architect,
Yunex Traffic
“Among the lessons we learned from this compromise is, in general, you should arrange your system so you never build directly from the internet without any intervening scanning tool in place to validate the dependencies you bring into your builds. To this end, we use an instance of JFrog® Artifactory®, not the cloud service, to host our dependencies, which is the only valid source for any software artifacts bound for staging, production, or on-premises releases.”
Setting the New Standard in Secure Software Development:
The SolarWinds Next-Generation Build System
SolarWinds
"Since moving to Artifactory, our team has been able to cut down our maintenance burden significantly…we’re able to move on and be a more in depth DevOps organization."
Stefan Krause
Software Engineer,
Workiva
“Over 300,000 users around the world rely on PRTG to monitor vital parts of their different-sized networks. Therefore, it is our obligation to develop and enhance not only our software itself but also the security and release processes around it. JFrog helps us do this in the most efficient manner.”
Konstantin Wolff
Infrastructure Engineer,
Paessler AG
“JFrog Connect, for me, is really a scaling tool so I can deploy edge IoT integrations much quicker and manage them at a larger scale. There’s less manual, one-off intervention when connecting to different customer sites with different VPNs and firewall requirements.”
Ben Fussell
Systems Integration Engineer,
Ndustrial
"We wanted to figure out what can we really use instead of having five, six different applications. Maintaining them. Is there anything we can use as a single solution? And Artifactory came to the rescue. It really turned out to be a one-stop shop for us. It really provided everything that we need."
Keith Kreissl
Principal Developer,
Cars.com

Secure Your Software Supply Chain
from Left to Right with the JFrog Platform

Seamlessly curate software packages & ML models

Learn More

Supply chain exposure scanning & impact analysis

Learn More

Real-time visibility into runtime vulnerabilities

Learn More

Augmented Security for
Source Code and Binary Scanning

With JFrog Advanced Security development teams can scan while they code, while DevOps and Security teams can govern and set security gatekeepers on binaries – All using JFrog’s advanced scanners to efficiently prioritize and reduce security noise.

Learn about Advanced Security

Driven By Dedicated Research

JFrog’s Security Research team of 20+ certified engineers carry out groundbreaking research in software supply chain security, uncovering and disclosing new OSS vulnerabilities, analyzing novel attack methods, and providing the community and customers with timely support through OSS tools.

2,000+

Malicious Packages
Disclosed

1700+

Applicability Scanners

20+

OSS Tools
Released

140+

Vulnerabilities
Discovered

Additional Resources on Security

Solution Sheet
The Ultimate Guide to JFrog Security
READ MORE >
Security Research Report
In-Depth Analysis of The Top Open Source Security Vulnerabilities
READ REPORT >
Webinar
Software supply chain security with Xray Essentials & Advanced Security
WATCH NOW >
Blog
Save time fixing only the applicable vulnerable dependencies in your IDE
READ MORE >
Git OSS Scanning Tool
Frogbot - The JFrog Security Git Bot
Learn More >
Security Research Blog
Scale and improve security posture while shifting left!
READ MORE >

Deliver Trusted Software Releases
at Speed and Scale

Start Product Tour Book A Demo