Pull Request Scan Results
Last updated
© 2024 JFrog Ltd All Rights Reserved
Frogbot adds the scan results to the pull request in the following format:
If no new vulnerabilities are found, Frogbot automatically adds the following comment to the pull request:
Software Composition Analysis (SCA)
If new vulnerabilities are found, Frogbot adds them as a comment on the pull request. For example:
VULNERABLE DEPENDENCIES

| SEVERITY | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY | FIXED VERSIONS |
|---|---|---|---|---|
| | Not Applicable | minimist:1.2.5 | minimist:1.2.5 | [0.2.4] [1.2.6] |
| | Applicable | protobufjs:6.11.2 | protobufjs:6.11.2 | [6.11.3] |
| | Not Applicable | lodash:4.17.19 | lodash:4.17.19 | [4.17.21] |
Vulnerability Contextual Analysis
Static Application Security Testing (SAST)
Infrastructure as Code scans (IaC)
Validate Allowed Licenses
When Frogbot scans newly opened pull requests, it checks the licenses of any new direct project dependencies introduced by the pull request. If Frogbot identifies licenses that are not listed in a predefined set of approved licenses, it appends a comment to the pull request providing this information. The list of allowed licenses is set up as a variable within the Frogbot workflow.
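The check described above, as an added illustration that is not Frogbot's own code: it takes constructed direct-dependency lists for the base branch and the pull-request branch, treats the allowed-license list as a comma-separated workflow variable (an assumed format), and produces a comment only for newly introduced direct dependencies whose license is not in the allowed set.

```python
"""Allowed-license check modelled on the behaviour described above.

Added illustration, not Frogbot's own code. Inputs are constructed sample
dependency lists; the allowed list mimics a workflow variable (assumed format).
"""
from typing import Dict, List, Tuple

# Constructed sample data: direct dependency -> (version, license) per branch.
BASE_DEPS: Dict[str, Tuple[str, str]] = {
    "lodash": ("4.17.21", "MIT"),
    "express": ("4.18.2", "MIT"),
}
PR_DEPS: Dict[str, Tuple[str, str]] = {
    "lodash": ("4.17.21", "MIT"),
    "express": ("4.18.2", "MIT"),
    "some-gpl-lib": ("2.0.0", "GPL-3.0-only"),  # newly added, not allowed
    "yaml": ("2.3.4", "ISC"),                   # newly added, allowed
}
# Assumed format of the workflow variable: comma-separated license identifiers.
ALLOWED_LICENSES_VAR = "MIT, Apache-2.0, BSD-3-Clause, ISC"


def parse_allowed(var: str) -> set:
    """Normalise the comma-separated allowed list for case-insensitive comparison."""
    return {item.strip().lower() for item in var.split(",") if item.strip()}


def new_direct_deps(base, pr) -> List[Tuple[str, str, str]]:
    """Direct dependencies present in the PR branch but absent from the base branch."""
    return [(name, ver, lic) for name, (ver, lic) in sorted(pr.items()) if name not in base]


def license_violations(base, pr, allowed_var) -> List[Tuple[str, str, str]]:
    """New direct deps whose license is not allowed; an empty list means no comment."""
    allowed = parse_allowed(allowed_var)
    return [dep for dep in new_direct_deps(base, pr) if dep[2].lower() not in allowed]


def render_comment(violations) -> str:
    """Build the pull-request comment body in the same table style as the SCA results."""
    if not violations:
        return ""
    lines = ["LICENSE | DIRECT DEPENDENCY | VERSION |", "---|---|---|"]
    lines += [f"{lic} | {name} | {ver} |" for name, ver, lic in violations]
    return "\n".join(lines)


if __name__ == "__main__":
    print(render_comment(license_violations(BASE_DEPS, PR_DEPS, ALLOWED_LICENSES_VAR)))
```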
When Frogbot detects secrets that have been inadvertently exposed in the code of a pull request, it sends an email notification to the user who pushed the corresponding commit. The email address used for this notification is taken from the committer's Git profile configuration. Frogbot can also send the notification to an additional email address if desired. To enable email notifications, configure your SMTP server details as variables within your Frogbot workflows.