JFrog Xray

Continuous Security and Universal Artifact Analysis
What is JFrog Xray

Universal artifact analysis

JFrog Xray offers a universal solution that supports all major package types and integrates with various metadata databases such as those related to vulnerabilities, license compliance, component versions and others.
Unlike any other binary analysis product, Xray breaks down artifacts according to their specific packaging. Xray understands each package type, knows how to unpack it and what every underlying layer contains. Each unpacked component is examined individually to uncover potential vulnerabilities and policy violations, then mapped out and merged into Xray’s universal component graph, which represents your entire organization’s software structure. This gives you maximum visibility into your software dependencies and lets you understand the real impact of every issue found. Xray provides continuous protection by rescanning your components on a regular basis, so that components that were previously found clean are checked again against newly discovered vulnerabilities.

Securing Your Binaries

Xray allows organizations to understand the impact of artifacts on the security, stability, quality, performance and architecture of production systems.

Deep Recursive Scanning

Drill down and analyze recursively within components even to the smallest binary component that affects your software. Xray serves as a universal component scanner for virtually any packaging type.

Impact Analysis

Discover and understand the impact of components on your overall system, where small changes can have a tremendous effect on performance and quality.

Dependency Tracking

Build dependency graphs that combine the metadata indexed in Artifactory with the results of Xray’s deep recursive scanning, analyzing the relationships between binary artifacts across the organization as a whole. This lets you clearly understand the impact one component has on any other.

Collective Metadata in One Place

Xray analyzes all your binaries to give you total visibility and transparency into the collective metadata you need in order to trust your software. JFrog Xray gives you a complete picture of all your software components, broken down, mapped out and consolidated in one place, whether you are developing or consuming them.

Advanced Components Search

Query components based on their name, package type, last update, severity and more.

Drill Down

See the complete details on your components including versions, any security vulnerabilities, associated OSS licenses, occurrences in Artifactory instances and graph information showing all ancestors and descendants.

Custom Issues

Assign custom issues to component metadata with severity and description for easy management.

Remediation

Xray lets you know when a known fix (a fix version) is available for a given issue.

FULLY AUTOMATED LIFECYCLE SECURITY from development to production

Unlike traditional binary analysis tools, JFrog Xray is a fully automated platform with a public REST API allowing integration with your CI/CD pipeline, and enabling other security analysis tools to build on the Xray platform to leverage its unique recursive scanning capabilities. This API also supports the addition of custom scanning capabilities, for performance, quality, popularity, or any other criteria required.

Powerful REST API

Automation through an open API allowing you to:
  • Get a summary of the security vulnerabilities and licenses discovered for your artifacts and builds.
  • Compare component differences between build and artifact versions.

CI/CD Integration

> Native integration with leading CI servers including Jenkins and TeamCity.
> Automatically scan builds as part of your supply chain, and approve or fail them in case of security vulnerabilities or license policy violations.
> Scan your builds with JFrog CLI directly from any on-prem or cloud CI server like Travis and CircleCI.
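The following added example is not JFrog's code and does not use the Xray REST schema; it illustrates the two capabilities described above: comparing the component lists of two build versions (the REST API bullet), and approving or failing a build when its scan summary contains a vulnerability at or above a severity threshold or a license on a block list (the CI/CD integration bullet). The build summaries, issue ids (`ISSUE-EXAMPLE-n`), the severity threshold and the license block list are all constructed for illustration; in a real pipeline the summaries would be fetched from the scanner's API and the policy would come from the organization's own rules.

```python
from dataclasses import dataclass, field

# Severity ordering used by the gate (an assumption for this example).
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Policy assumptions: fail the build at High or worse, and on these licenses.
FAIL_AT = "High"
BANNED_LICENSES = {"GPL-3.0", "AGPL-3.0"}


@dataclass
class Component:
    name: str                      # e.g. "npm://lodash" (constructed naming)
    version: str
    licenses: list = field(default_factory=list)
    # issues: (issue_id, severity, fix_version or None)
    issues: list = field(default_factory=list)


# Constructed scan summaries for two consecutive builds (not real Xray output).
BUILD_41 = [
    Component("npm://lodash", "4.17.20", ["MIT"],
              [("ISSUE-EXAMPLE-1", "High", "4.17.21")]),
    Component("npm://express", "4.17.1", ["MIT"], []),
]
BUILD_42 = [
    Component("npm://lodash", "4.17.21", ["MIT"], []),          # fix version applied
    Component("npm://express", "4.17.1", ["MIT"], []),
    Component("npm://left-pad", "1.3.0", ["MIT"],
              [("ISSUE-EXAMPLE-2", "Medium", None)]),          # below threshold
    Component("maven://org.example:crypto-lib", "2.0", ["AGPL-3.0"], []),
]


def diff_components(old, new):
    """Compare two component lists: which components were added, removed or
    changed version between the builds."""
    old_by = {c.name: c for c in old}
    new_by = {c.name: c for c in new}
    added = sorted(set(new_by) - set(old_by))
    removed = sorted(set(old_by) - set(new_by))
    changed = sorted(n for n in set(old_by) & set(new_by)
                     if old_by[n].version != new_by[n].version)
    return {"added": added, "removed": removed, "changed": changed}


def policy_violations(components, fail_at=FAIL_AT, banned=BANNED_LICENSES):
    """List every vulnerability at or above the threshold and every banned
    license, noting whether a fix version is known for each vulnerability."""
    threshold = SEVERITY_RANK[fail_at]
    violations = []
    for c in components:
        for issue_id, severity, fix in c.issues:
            if SEVERITY_RANK[severity] >= threshold:
                hint = f"fix available: {fix}" if fix else "no fix version known"
                violations.append(f"{c.name}@{c.version}: {issue_id} ({severity}; {hint})")
        for lic in c.licenses:
            if lic in banned:
                violations.append(f"{c.name}@{c.version}: restrictive license {lic}")
    return violations


def gate_build(components, **policy):
    """Return (approved, violations); a CI job would fail when approved is False."""
    violations = policy_violations(components, **policy)
    return (len(violations) == 0, violations)


if __name__ == "__main__":
    print("diff 41 -> 42:", diff_components(BUILD_41, BUILD_42))
    for label, build in (("41", BUILD_41), ("42", BUILD_42)):
        approved, violations = gate_build(build)
        print(f"build {label}: {'APPROVED' if approved else 'FAILED'}")
        for line in violations:
            print("  -", line)
```

Build 41 fails on the High-severity issue in lodash and the report names the fix version; build 42 picks up that fix but fails on the AGPL-licensed library that was newly introduced, which is exactly the kind of change the component diff surfaces before the policy gate runs.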

IDE Integration

> Integration with IntelliJ IDEA providing you with critical insights as early as in the development phase, making it even less likely for vulnerable components to ever reach production.
> Developers can see a detailed analysis of any dependency components they include in their software, giving them the power to assess whether to use them or not.
> Get instant information on newly introduced dependencies that can potentially be identified as vulnerable if they contain any restrictive licensing or security issues.

Release Fast Or Die