Setup Frogbot Using GitHub Actions

Github Prerequisites

  • Go to your repository's settings tab and save the JFrog connection details as repository secrets with the following names:

    • JF_URL (JFrog Platform URL - Example: https://acme.jfrog.io)

    • JF_ACCESS_TOKEN (JFrog access token)

    • JF_GIT_TOKEN (GitHub access token - Read note below)

You can also use JF_XRAY_URL and JF_ARTIFACTORY_URL instead of JF_URL, and JF_USER + JF_PASSWORD instead of JF_ACCESS_TOKEN.

You can use ${{secrets.GITHUB_TOKEN}}, a token GitHub generates automatically for each workflow run, as JF_GIT_TOKEN. This option comes with a limitation: a workflow (such as Frogbot itself) cannot trigger another workflow, so any additional workflows you expect to run when a new pull request is created may not be started. To avoid this, generate a personal access token and use it as JF_GIT_TOKEN instead.

  • Under Actions > General, check the Allow GitHub Actions to create and approve pull requests check box.

  • For open-source projects: Create a new GitHub environment called frogbot and add people or public teams as reviewers. The chosen reviewers can trigger Frogbot scans on pull requests.

Frogbot GitHub Action Templates

  1. Begin by cloning the GitHub repository to your local environment.

  2. Switch to the target branch where you'd like the pull requests to be scanned.

  3. Create a file named frogbot-scan-pull-request.yml. Fill it with the provided template, and then push it into the .github/workflows directory at the root of your GitHub repository.

  4. Return to the default branch.

  5. Now, create a file named frogbot-scan-repository.yml. Again, populate it with the provided template and push it into the .github/workflows directory at the root of your GitHub repository.
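The two workflow files from the steps above, written out as an added example rather than the templates provided by the Frogbot project. It ties the prerequisites together: the JF_URL, JF_ACCESS_TOKEN and JF_GIT_TOKEN repository secrets, and the frogbot environment that gates pull-request scans on reviewer approval for open-source repositories. The `jfrog/frogbot@v2` action reference is the published GitHub Action; the `permissions` blocks, the trigger events and the daily cron schedule are my own choices (the pull-request scan needs to comment on pull requests, and the repository scan needs to open fix pull requests, which is why the page has you enable "Allow GitHub Actions to create and approve pull requests").

```yaml
# File 1 (assumed path): .github/workflows/frogbot-scan-pull-request.yml
# Scans each pull request opened against the target branch.
name: "Frogbot Scan Pull Request"

on:
  # pull_request_target runs with the base repository's secrets, which is what
  # lets Frogbot reach the JFrog Platform. Because forks can open pull
  # requests, the job is bound to the "frogbot" environment so that a listed
  # reviewer must approve the run before any secret is exposed.
  pull_request_target:
    types: [opened, synchronize]

# Least-privilege token for this job (my choice, not a required value):
# read the code, write pull-request comments.
permissions:
  pull-requests: write
  contents: read

jobs:
  scan-pull-request:
    runs-on: ubuntu-latest
    # The environment created in the prerequisites; its reviewers act as the
    # approval gate for scanning pull requests from outside contributors.
    environment: frogbot
    steps:
      - uses: jfrog/frogbot@v2
        env:
          # Repository secrets saved under Settings > Secrets and variables.
          JF_URL: ${{ secrets.JF_URL }}
          JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
          # GITHUB_TOKEN works here, but it cannot trigger other workflows;
          # swap in a personal access token secret if you rely on that.
          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}

---
# File 2 (assumed path): .github/workflows/frogbot-scan-repository.yml
# Scans the default branch on a schedule and on demand.
name: "Frogbot Scan Repository"

on:
  workflow_dispatch:
  schedule:
    # Daily at midnight UTC (assumed schedule).
    - cron: "0 0 * * *"

# contents: write is needed so Frogbot can push fix branches and open
# pull requests (assumed minimal set for this job).
permissions:
  contents: write
  pull-requests: write

jobs:
  scan-repository:
    runs-on: ubuntu-latest
    steps:
      - uses: jfrog/frogbot@v2
        env:
          JF_URL: ${{ secrets.JF_URL }}
          JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
```

The two documents are separated by `---` only for presentation; save each under its own file name in `.github/workflows`. The main check worth making after pushing is that the pull-request workflow shows "Waiting for review" on a pull request from a fork, which confirms the environment gate is in place before the JFrog secrets are used.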


© 2024 JFrog Ltd All Rights Reserved