Easily identify, prioritize and remediate vulnerabilities in your open source packages and binaries by continuously scanning repositories, build packages, and container images throughout the development cycle. Discovering security issues early reduces risk, speeds up fixes and saves costs.
Seamlessly integrate with developer tools, enabling efficient and automated protection of code with minimal impact on build times. View vulnerable dependencies with remediation options and context directly in your IDE/CLI. Automate your pipeline with JFrog’s CLI tool for dependency, container and on-demand scans.
Get full visibility into direct and indirect dependencies with automatically-generated software bill of materials (SBOMs). Detect and resolve open source licensing issues before they manifest in production, and easily create policies to enforce regulations and generate compliance reports of all your OSS licenses.
Access additional data on OSS components to evaluate operational risk. Create custom policies to block packages based on risk factors such as version age, number of contributors, maintenance cadence, number of commits, and end-of-life.
Proactively drive security posture with in-depth CVE findings and vulnerability data from JFrog's dedicated Security Research Team. Gain a better understanding of the actual risk, prioritize high-profile CVEs, and accelerate remediation with effective resource allocation.
Automatically discover and eliminate malicious packages and components using JFrog’s extended database of over 4M OSS packages, sourced with information from public advisories and JFrog’s Security Research Team. Get actionable out-of-the-box mitigation and remediation steps to minimize risk.
With JFrog Advanced Security, development teams can scan while they code, while DevOps and Security teams govern and set security gates on binaries, all using JFrog’s advanced scanners to prioritize findings and reduce security noise.
JFrog’s Security Research team of 20+ certified engineers carries out groundbreaking research in software supply chain security, uncovering and disclosing new OSS vulnerabilities, analyzing novel attack methods, and providing the community and customers with timely support through OSS tools.
Yes, Xray is a core component of the JFrog Platform, just like Artifactory. This seamless integration allows Xray to work hand in hand with Artifactory, sharing extensive metadata between both products. As a result, you not only gain deep insights into security issues but also understand their full scope, enabling more effective risk assessment and remediation.
You have Xray if your SaaS (Cloud) or Self-Hosted subscription is Pro X, Enterprise X or Enterprise+.
Xray supports over 25 package types and technologies, including popular ones like Docker, Maven, PyPI, npm, and NuGet. Just as Artifactory is universal and stores all these different package types in one place, Xray is universal in what it can scan: it analyzes your builds, containers, and stored artifacts, identifying security risks and vulnerabilities arising from open-source dependencies.
Yes, Xray performs deep, recursive scans to analyze all layers of an image, identifying every component within each layer. This provides a comprehensive list of all dependencies in use. Additionally, it allows you to detect any components that may violate existing policy conditions, ensuring compliance and security.
Yes, Xray can scan both your images and built artifacts as they are uploaded to Artifactory. Additionally, it captures metadata from the build process (build info), which can be published back to the JFrog Platform for further analysis. By scanning directly from the build info, you gain complete visibility into all dependencies involved in a specific build, helping you assess potential security risks and ensure compliance.
Xray’s shift-left approach seamlessly integrates with all major IDEs commonly used by developers today. It offers plugins for VS Code, IntelliJ, Visual Studio, PyCharm, and more, enabling early detection of security vulnerabilities and compliance issues directly within the development environment.
Yes, Xray fully supports multiple policies, and many of our customers utilize this capability to enforce security and compliance across their repositories. Policies can be applied to multiple repositories, ensuring comprehensive coverage of critical assets. By setting up policies in advance, Xray proactively identifies and highlights issues as they arise, helping you maintain security and compliance effortlessly.
Yes, just as Artifactory integrates with CI systems such as GitHub Actions, Jenkins, and Azure DevOps, Xray can be incorporated into your CI/CD pipelines as well. By adding Xray scans as a step in your pipeline scripts, you can automatically detect security vulnerabilities and compliance issues early in the development cycle and fail the build before a vulnerable artifact is promoted.
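The pipeline step described above, written out as an added example (this workflow is not from the page or from JFrog’s own documentation): a GitHub Actions job that installs JFrog CLI, audits the project’s declared dependencies, builds a container image and scans it, failing the job on High or Critical findings. The `jf audit` and `jf docker scan` commands and their `--fail` / `--min-severity` / `--watches` flags are JFrog CLI as I know it and should be checked against the current CLI reference; the registry hostname, repository name, secret and variable names, and the severity threshold are assumptions chosen for illustration.

```yaml
# Added example: a GitHub Actions workflow that gates a build on Xray results.
# Assumptions (not from the page): JF_URL / JF_ACCESS_TOKEN are configured as a
# repository variable and secret; example.jfrog.io/docker-local is a hypothetical
# Artifactory Docker repository; "High" is the chosen severity threshold.
name: xray-gate

on:
  pull_request:
  push:
    branches: [main]

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read

    steps:
      - uses: actions/checkout@v4

      # Installs the `jf` CLI and configures the JFrog Platform server from env.
      - uses: jfrog/setup-jfrog-cli@v4
        env:
          JF_URL: ${{ vars.JF_URL }}                     # e.g. https://example.jfrog.io (assumed)
          JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }} # scoped token, never a user password

      # Shift-left scan of the source tree: resolves direct and transitive
      # dependencies from the project's manifests and queries Xray for CVEs and
      # license issues. --fail makes the command exit non-zero when findings at or
      # above --min-severity are present, which fails the job.
      - name: Audit source dependencies
        run: jf audit --fail=true --min-severity=High --licenses

      # Alternative to a fixed severity threshold: evaluate against Xray watches
      # (the policies described on this page) so Security owns the criteria, not
      # the pipeline author. Uncomment and replace the watch name (assumed).
      # - name: Audit against Xray policy watches
      #   run: jf audit --fail=true --watches=prod-release-gate

      - name: Build image
        run: docker build -t example.jfrog.io/docker-local/app:${{ github.sha }} .

      # Scans every layer of the locally built image before it is pushed, so a
      # vulnerable base layer is caught before it ever lands in the registry.
      - name: Scan container image with Xray
        run: >
          jf docker scan example.jfrog.io/docker-local/app:${{ github.sha }}
          --fail=true --min-severity=High
```

Pin the image tag to the commit SHA rather than `latest` so the scan result is tied to exactly the artifact that will be promoted, and keep the gate in the pull-request workflow: a finding surfaced on the PR is far cheaper to fix than one found after the image is in a production repository.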
Yes, the vulnerability database updates automatically, typically once a day. In the event of a security incident, we accelerate the cadence and roll out updates as often as needed, so that as we learn more about the incident our users receive the latest threat intelligence promptly and can respond to emerging security risks.