Scan your Binaries
Last updated
Last updated
© 2024 JFrog Ltd All Rights Reserved
The on-demand binary scanning enables you to point to a binary in your local file system and receive a report that contains a list of vulnerabilities, licenses, and policy violations for that binary prior to uploading the binary or build to Artifactory.
This jf scan command scans files on the local file system with Xray.
Note
This command requires:
Version 3.29.0 or above of Xray
Version 2.1.0 or above of JFrog CLI
Scans all the files located at the path/ti/files/ file-system directory using the watch1 watch defined in Xray.
Scans all the files located at the path/ti/files/ file-system directory using the watch1 and watch2 Watches defined in Xray.
Scans all the zip files located at the path/ti/files/ file-system directory using the watch1 and watch2 Watches defined in Xray.
Scans all the tgz files located at the path/ti/files/ file-system directory using the policies defined for project-1.
Scans all the tgz files located in the current directory using the policies defined for the libs-local/release-artifacts/ path in Artifactory.
Scans all the tgz files located at the current directory. Show all known vulnerabilities, regardless of the policies defined in Xray.
This jf docker scan command scans docker containers located on the local file-system using the docker client and JFrog Xray. The containers don't need to be deployed to Artifactory or any other container registry before it can be scanned.
Note
This command requires:
Version 3.40.0 or above of Xray
Version 2.11.0 or above of JFrog CLI
Scan the local reg1/repo1/img1:1.0.0 container and show all known vulnerabilities, regardless of the policies defined in Xray.
Scan the local reg1/repo1/img1:1.0.0 container and show all violations according to the policy associated with my-project JFrog project.
Scan the local reg1/repo1/img1:1.0.0 container and show all violations according to the policy associated with my-watch Xray Watch.
Scan the local reg1/repo1/img1:1.0.0 container and show all violations according to the policy associated with the releases-local/app1/ path in Artifactory.
The ‘scan’ command can be used to scan tarballs of Docker and OCI images on the local file system.
It requires saving the image on the file system as an uncompressed tarball using a compliant tool, and then scanning it with the ‘jf s’ command. The image must be saved to the file system uncompressed, in a <name>.tar file name.
Note
This command requires:
Version 3.61.5 or above of Xray.
Version 2.14.0 or above of JFrog CLI.
Use Docker client ‘docker save’ command to save the image to the file system for scanning.
Example:
Use Skopeo CLI to save an image to the file system. Output image can be either OCI or Docker format.
Example:
Use Podman CLI to save an image to the file system. Output image can be either OCI or Docker format.
Example:
Use Kaniko ‘--tarPath’ flag to save built images to the file system, and later scan them with JFrog CLI. The example below is running Kaniko in Docker.
Example:
Command name
scan
Abbreviation
s
Command options
--server-id
[Optional] Server ID configured using the jf c add command. If not specified, the default configured server is used.
--spec
[Optional] Path to a file specifying the files to scan. If the pattern argument is provided to the command, this option should not be provided.
--project
[Optional] JFrog project key, to enable Xray to determine security violations accordingly. The command accepts this option only if the --repo-path and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities.
--repo-path
[Optional] Artifactory repository path, to enable Xray to determine violations accordingly. The command accepts this option only if the --project and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities.
--watches
[Optional] A comma-separated(,) list of Xray watches, to enable Xray to determine violations accordingly. The command accepts this option only if the --project and --repo-path options are not provided. If none of the three options are provided, the command will show all known vulnerabilities.
--licenses
[Default: false] Set if you also require the list of licenses to be displayed.
--format=json
[Optional] Produces a JSON file containing the scan results.
--vuln
[Optional] Set if you'd like to receive all vulnerabilities, regardless of the policy configured in Xray.
Command arguments
Pattern
Specifies the local file system path to artifacts to be scanned. You can specify multiple files by using wildcards.
Command name
docker scan
Abbreviation
Command options
--server-id
[Optional] Server ID configured using the jf c add command. If not specified, the default configured server is used.
--project
[Optional] JFrog project key, to enable Xray to determine security violations accordingly. The command accepts this option only if the --repo-path and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities.
--repo-path
[Optional] Artifactory repository path, to enable Xray to determine violations accordingly. The command accepts this option only if the --project and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities.
--watches
[Optional] A comma-separated(,) list of Xray watches, to enable Xray to determine violations accordingly. The command accepts this option only if the --repo-path and --repo-path options are not provided. If none of the three options are provided, the command will show all known vulnerabilities.
--licenses
[Default: false] Set if you also require the list of licenses to be displayed.
--validate-secrets
[Default: false] Triggers token validation on found secrets
--format=json
[Optional] Produces a JSON file containing the scan results.
--vuln
[Optional] Set if you'd like to receive all vulnerabilities, regardless of the policy configured in Xray.
Command arguments
Pattern
Specifies the local file system path to artifacts to be scanned. You can specify multiple files by using wildcards.