The plugin lets developers find and fix security vulnerabilities in their projects, and see useful information about the security status of their code, by continuously scanning it locally against the JFrog Platform.
Scan your project dependencies for security issues. The plugin can automatically upgrade vulnerable dependencies to versions that include the fixes.
For selected security issues, leverage enhanced CVE data provided by our JFrog Security Research team. Prioritize the CVEs based on:
Vulnerability Contextual Analysis: This feature uses the context of your code to eliminate false-positive reports for vulnerable dependencies whose vulnerability is not applicable to your code (for example, because the affected code path is never used). Vulnerability Contextual Analysis is currently supported for Python, JavaScript, and Java code.
Secrets Detection: Prevent the exposure of keys or credentials that are stored in your source code.
Infrastructure as Code (IaC) Scans: Detect security issues in your IaC files, which is critical to keeping your cloud deployment safe and secure.
Advanced Scans require Xray version 3.66.5 or above and an Enterprise X / Enterprise+ subscription with Advanced DevSecOps.
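To make concrete what a secrets-detection scan looks for in source code, the following is an added Python illustration written for this page; it is not the plugin's or Xray's own detection logic. It combines the two techniques most secrets scanners rely on: fixed signatures for credential formats with a known shape (an AWS access key ID prefix, a PEM private-key header), and a generic check for assignments whose variable name hints at a secret and whose string literal has high Shannon entropy. The name-hint list, the 16-character minimum and the 3.5 bits/character entropy threshold are assumptions chosen for the example, and the sample file is constructed (the AWS key is the placeholder used in AWS documentation, not a real credential).

```python
"""Minimal secret-in-source detector, added here as an illustration.

Two techniques commonly used by secrets scanners are combined:
  1. fixed signatures for credential formats with a known shape, and
  2. a generic check for assignments whose variable name suggests a
     secret and whose string literal has high Shannon entropy.
"""
import math
import re

# 1. Signatures for credential formats with a fixed, recognisable shape.
SIGNATURES = {
    # AWS access key IDs start with "AKIA" followed by 16 upper-case/digit characters.
    "aws-access-key-id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    # PEM-encoded private key header (PKCS#8 "PRIVATE KEY" or e.g. "RSA PRIVATE KEY").
    "private-key-block": re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----"),
}

# 2. Generic `name = "literal"` / `name: "literal"` assignment with a literal of
#    at least 16 characters (length floor is an assumption for this example).
ASSIGNMENT = re.compile(
    r"""(?P<name>[A-Za-z_][A-Za-z0-9_]*)\s*[=:]\s*["'](?P<value>[^"']{16,})["']"""
)
SECRET_NAME_HINT = re.compile(r"pass|pwd|secret|token|key|auth|cred", re.IGNORECASE)
ENTROPY_THRESHOLD = 3.5  # bits per character; tunable, an assumption for this example


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character of `value` (0.0 for empty input)."""
    if not value:
        return 0.0
    counts = {}
    for ch in value:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def redact(value: str) -> str:
    """Keep only a short prefix so a finding can be shown without re-leaking the secret."""
    return value[:4] + "*" * (len(value) - 4)


def scan_line(line_no: int, line: str) -> list:
    """Return findings for one source line as dicts; an empty list means clean."""
    findings = []
    for kind, pattern in SIGNATURES.items():
        for m in pattern.finditer(line):
            findings.append({"line": line_no, "kind": kind, "confidence": "high",
                             "value": redact(m.group(0))})
    if findings:
        return findings  # a signature hit already explains this line
    m = ASSIGNMENT.search(line)
    if m and SECRET_NAME_HINT.search(m.group("name")):
        entropy = shannon_entropy(m.group("value"))
        findings.append({
            "line": line_no,
            "kind": "hardcoded-secret-assignment",
            # Low-entropy literals such as "changeme..." are still reported, but
            # flagged low confidence so they are triaged rather than silently dropped.
            "confidence": "high" if entropy >= ENTROPY_THRESHOLD else "low",
            "value": redact(m.group("value")),
        })
    return findings


def scan_source(text: str) -> list:
    """Scan multi-line source text; returns all findings in line order."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        findings.extend(scan_line(line_no, line))
    return findings


# Constructed sample file for the demo. None of these values are real credentials;
# the AWS key is the documented AWS placeholder. Line 2 shows the safe pattern
# (credential read from the environment), which the scanner must not flag.
SAMPLE_SOURCE = """\
aws_access_key_id = "AKIAIOSFODNN7EXAMPLE"
db_password = os.environ["DB_PASSWORD"]
api_token = "q7Zp2mX9vL4kR8tN1wYb3sHd6fGa0Jc5"
LOG_LEVEL = "debug"
default_password = "changeme_changeme_changeme"
signing_key = "-----BEGIN RSA PRIVATE KEY-----"
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE_SOURCE):
        print(f"line {f['line']}: {f['kind']} ({f['confidence']}) {f['value']}")
```

Running the block reports lines 1, 3, 5 and 6 of the sample and leaves the environment-variable lookup and the short, non-secret `LOG_LEVEL` literal alone. The low-confidence tier matters in practice: an entropy threshold alone would miss weak hardcoded passwords like `changeme`, while reporting every secret-named assignment at full confidence would bury real findings in noise.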
For more information about the plugin, see the README.