JFROG
XRAY

Continuous Security and
Universal Artifact Analysis
What is JFrog Xray?

Universal artifact analysis

JFrog Xray offers a universal solution that supports all major package types and integrates with various metadata databases, such as those covering vulnerabilities, license compliance, component versions and more.

Unlike other binary analysis products, Xray breaks down artifacts according to their specific packaging. Xray understands each package type, knows how to unpack it and what every underlying layer contains. Each unpacked component is examined individually to uncover potential vulnerabilities and policy violations, then mapped and merged into Xray's universal component graph, which represents your entire organization's software structure. This gives you maximum visibility into your software dependencies and lets you understand the real impact of every issue found.

Xray also provides continuous protection by rescanning your components on a regular basis: an artifact that was found clean when it was first scanned may be affected by a vulnerability disclosed afterwards, and a rescan against the updated databases surfaces it without the artifact having changed.

KNOWLEDGE IS POWER
Understand the open source components you rely on

Xray's advanced technology allows you to understand which open source components are being used in the artifacts that you consume and create.

Manage your Binaries

Artifactory manages all of your binaries for every technology you use, in one place. As part of the JFrog Platform, Xray integrates directly with Artifactory to scan all of these binaries.

Deep recursive scanning

Xray supports all major package types, understands how to unpack them, and uses recursive scanning to see into all of the underlying layers and dependencies of components, including those nested inside Docker images and zip files.

Component Graph

Xray creates a component graph representing your full artifact and dependency structure. This provides unprecedented visibility so you understand the impact of any issues discovered anywhere in your software.

SECURITY AND COMPLIANCE
Understand the state of the organization

Xray's rich vulnerability and license intelligence helps you understand which licenses are in use and whether there are any known security vulnerabilities in each of the open source components you rely on.

VULNERABILITY & COMPLIANCE INTELLIGENCE

Gain confidence in your releases with timely and comprehensive vulnerability intelligence from VulnDB, coupled with other metadata sources for vulnerabilities, license compliance, component versions and more.

Continuous Scanning

The databases are constantly updated, giving you the most up-to-date understanding of the security and compliance state of your binaries. Because Xray rescans stored artifacts against the refreshed data, a newly published vulnerability in a component you already use is reported without a new build.

Impact Analysis

The component graph of your artifact and dependency structure enables Xray to understand the impact of a vulnerability or license issue, that is, which artifacts are affected by it. This gives you the ability to plan the mitigation of the problem effectively across your organization.

GOVERNANCE
Enforce your security & compliance policies

Act on the identified vulnerabilities and licenses to make sure that your systems are protected and legally compliant.

Policy Detection

Define policies that identify the use of a component that is either vulnerable or does not comply with your organization's legal guidelines. Different mitigation behaviour can be set based on the context in which the component is used, for example a stricter rule for release repositories than for development ones.

Policy Notification

Upon detection of a violation, notify users in different ways, including email, IM messages (for example Slack), creating a Jira ticket, or any other system via webhooks.

Policy Enforcement

Besides creating violations and notifications, the system lets you set up enforcement actions that follow a violation. These include blocking the download of a vulnerable binary, failing a build, and preventing the distribution of a Release Bundle.
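The policy, notification and enforcement settings described above are ordinary JSON objects submitted to Xray's REST API. The script below, an added example that is not JFrog's own code, builds a security policy whose single rule flags components with a vulnerability at or above a chosen severity and turns on all three enforcement actions, then scopes it to one repository through a watch. The endpoint paths (/api/v2/policies, /api/v2/watches) and field names follow the Xray REST API documentation; the host, token, repository name and webhook list are placeholders, and you should check the field names against the API reference for your Xray version.

```python
"""Create an Xray security policy and attach it to a watch on one repository."""
import json
import os
from typing import Dict, List
import urllib.request

# Assumed deployment details (placeholders, not real hosts or credentials).
XRAY_URL = os.environ.get("XRAY_URL", "https://artifactory.example.com/xray")
TOKEN = os.environ.get("JFROG_TOKEN", "REPLACE_ME")


def build_policy(name: str, min_severity: str = "High",
                 webhooks: List[str] = None) -> Dict:
    """Security policy with one rule: any component carrying a vulnerability
    of min_severity or worse triggers every enforcement action on the page."""
    return {
        "name": name,
        "type": "security",
        "description": f"Block components with {min_severity} or higher vulnerabilities",
        "rules": [
            {
                "name": f"{min_severity.lower()}-and-above",
                "priority": 1,
                "criteria": {"min_severity": min_severity},
                "actions": {
                    # Policy Notification: watch recipients plus any registered webhooks.
                    "notify_watch_recipients": True,
                    "webhooks": webhooks or [],
                    # Policy Enforcement: the three actions the page describes.
                    "fail_build": True,
                    # 'unscanned' also blocks artifacts Xray has not finished scanning,
                    # so a slow scan cannot be raced to pull an unvetted binary.
                    "block_download": {"active": True, "unscanned": True},
                    "block_release_bundle_distribution": True,
                },
            }
        ],
    }


def build_watch(name: str, repo: str, policy_name: str) -> Dict:
    """Watch that applies the policy to a single Artifactory repository."""
    return {
        "general_data": {"name": name, "description": f"Guards {repo}", "active": True},
        "project_resources": {
            "resources": [{"type": "repository", "bin_mgr_id": "default", "name": repo}]
        },
        "assigned_policies": [{"name": policy_name, "type": "security"}],
    }


def post_json(path: str, body: Dict) -> int:
    """POST a JSON body to the Xray v2 API and return the HTTP status."""
    req = urllib.request.Request(
        f"{XRAY_URL}/api/v2/{path}",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {TOKEN}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    policy = build_policy("block-high-cves", "High", webhooks=["slack-appsec"])
    print("policy:", post_json("policies", policy))
    watch = build_watch("libs-release-watch", "libs-release-local", policy["name"])
    print("watch:", post_json("watches", watch))
```

Create the policy before the watch, since the watch references the policy by name. Keep `unscanned` enabled on `block_download` in release repositories; with it off, a consumer can fetch an artifact during the window between upload and scan completion.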

SOFTWARE PIPELINE AUTOMATION & INTEGRATION
From development to production

Embrace "shift left" by embedding security and compliance checks at every stage of the software development lifecycle, from coding to deployment, using automation wherever possible.

CI/CD INTEGRATION

  • Native integration with leading CI servers including JFrog Pipelines, Jenkins, CircleCI and TeamCity.
  • Automatically scan builds as part of your software supply chain, and approve or fail them when security vulnerabilities or license policy violations are found.

IDE INTEGRATION

  • Integration with industry leading IDEs - IntelliJ IDEA, Eclipse, Visual Studio and Visual Studio Code.
  • Provides you with critical insights as early as possible in the development phase, making it less likely for vulnerable components to ever reach production.
  • Suggested remediations to solve problems discovered.

Powerful REST API

  • Out-of-the box automation with leading DevOps tools.
  • Easy integration with any other tool or system via a rich REST API.
  • Reduce the manual processes across your software development pipeline.
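Both the CI/CD integration above and this REST API section come down to one call: after the build is published to Artifactory, ask Xray to scan it and fail the pipeline on a policy violation. The script below is an added example, not JFrog's own code or the JFrog CLI. It uses the Xray "Scan Build" endpoint (POST /api/v1/scanBuild) and reads the `summary.fail_build` and `summary.total_alerts` fields of its reply, as documented for that endpoint; treat those names as assumptions to verify against your Xray version. The sample response embedded for the offline check is constructed, and the host and token are placeholders.

```python
"""CI gate: scan a published build with Xray and fail the pipeline on a violation."""
import json
import os
import sys
from typing import Dict, Tuple
import urllib.request

# Assumed deployment details (placeholders).
XRAY_URL = os.environ.get("XRAY_URL", "https://artifactory.example.com/xray")
TOKEN = os.environ.get("JFROG_TOKEN", "REPLACE_ME")

# Constructed sample reply, shaped like a documented scanBuild response, so the
# decision logic can be exercised without an Xray instance.
SAMPLE_RESPONSE: Dict = {
    "summary": {
        "total_alerts": 2,
        "fail_build": True,
        "message": "Build my-app/42 has 2 alerts",
        "more_details_url": "https://artifactory.example.com/ui/builds/my-app/42",
    },
    "alerts": [
        {"top_severity": "High", "watch_name": "libs-release-watch"},
        {"top_severity": "Medium", "watch_name": "libs-release-watch"},
    ],
}


def evaluate_scan(result: Dict) -> Tuple[bool, str]:
    """Return (passed, message) for a scanBuild reply.

    A missing or malformed summary is treated as a failure: a pipeline that
    passes when Xray returns nothing useful turns an outage into a bypass.
    """
    summary = result.get("summary")
    if not isinstance(summary, dict) or "fail_build" not in summary:
        return False, "no scan summary returned; refusing to pass the build"
    alerts = summary.get("total_alerts", 0)
    if summary["fail_build"]:
        details = summary.get("more_details_url", "")
        return False, f"{alerts} policy alert(s): {summary.get('message', '')} {details}".strip()
    return True, f"scan passed with {alerts} non-blocking alert(s)"


def scan_build(build_name: str, build_number: str) -> Dict:
    """Trigger a synchronous Xray scan of a build already published to Artifactory."""
    body = {"buildName": build_name, "buildNumber": build_number}
    req = urllib.request.Request(
        f"{XRAY_URL}/api/v1/scanBuild",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {TOKEN}"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=600) as resp:
        return json.load(resp)


def main(argv) -> int:
    if len(argv) != 3:
        print(f"usage: {argv[0]} BUILD_NAME BUILD_NUMBER", file=sys.stderr)
        return 2
    passed, message = evaluate_scan(scan_build(argv[1], argv[2]))
    print(message)
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as the step right after the build-publish step, so the exit code fails the job. The default-deny on a missing summary is deliberate: network errors already raise, and a reply that does not carry a verdict should not be read as approval.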

Release Fast Or Die