Scan your Binaries

The on-demand binary scanning enables you to point to a binary in your local file system and receive a report that contains a list of vulnerabilities, licenses, and policy violations for that binary prior to uploading the binary or build to Artifactory.

Scanning Files on the Local File System

This jf scan command scans files on the local file system with Xray.


Note

This command requires:

  • Version 3.29.0 or above of Xray

  • Version 2.1.0 or above of JFrog CLI


Commands Params

Example 1

Scans all the files located in the path/to/files/ file-system directory using the watch1 watch defined in Xray.

jf s "path/to/files/" --watches "watch1"

Example 2

Scans all the files located in the path/to/files/ file-system directory using the watch1 and watch2 watches defined in Xray.

jf s "path/to/files/" --watches "watch1,watch2"

Example 3

Scans all the zip files located in the path/to/files/ file-system directory using the watch1 and watch2 watches defined in Xray.

jf s "path/to/files/*.zip" --watches "watch1,watch2"

Example 4

Scans all the tgz files located in the path/to/files/ file-system directory using the policies defined for project-1.

jf s "path/to/files/*.tgz" --project "project-1"

Example 5

Scans all the tgz files located in the current directory using the policies defined for the libs-local/release-artifacts/ path in Artifactory.

jf s "*.tgz" --repo-path "libs-local/release-artifacts/"

Example 6

Scans all the tgz files located in the current directory and shows all known vulnerabilities, regardless of the policies defined in Xray.

jf s "*.tgz"

Scanning Docker Containers on the Local File System

This jf docker scan command scans Docker containers located on the local file system using the Docker client and JFrog Xray. The containers do not need to be deployed to Artifactory or any other container registry before they can be scanned.


Note

This command requires:

  • Version 3.40.0 or above of Xray

  • Version 2.11.0 or above of JFrog CLI


Commands Params

Example 1

Scan the local reg1/repo1/img1:1.0.0 container and show all known vulnerabilities, regardless of the policies defined in Xray.

$ docker images
REPOSITORY           TAG       IMAGE ID       CREATED         SIZE
reg1/repo1/img1   1.0.0     6446ea57df7b   19 months ago   5.57MB
$ 
$ jf docker scan reg1/repo1/img1:1.0.0

Example 2

Scan the local reg1/repo1/img1:1.0.0 container and show all violations according to the policy associated with my-project JFrog project.

$ docker images
REPOSITORY           TAG       IMAGE ID       CREATED         SIZE
reg1/repo1/img1   1.0.0     6446ea57df7b   19 months ago   5.57MB
$ 
$ jf docker scan reg1/repo1/img1:1.0.0 --project my-project

Example 3

Scan the local reg1/repo1/img1:1.0.0 container and show all violations according to the policy associated with my-watch Xray Watch.

$ docker images
REPOSITORY           TAG       IMAGE ID       CREATED         SIZE
reg1/repo1/img1   1.0.0     6446ea57df7b   19 months ago   5.57MB
$ 
$ jf docker scan reg1/repo1/img1:1.0.0 --watches my-watch

Example 4

Scan the local reg1/repo1/img1:1.0.0 container and show all violations according to the policy associated with the releases-local/app1/ path in Artifactory.

$ docker images
REPOSITORY           TAG       IMAGE ID       CREATED         SIZE
reg1/repo1/img1   1.0.0     6446ea57df7b   19 months ago   5.57MB
$ 
$ jf docker scan reg1/repo1/img1:1.0.0 --repo-path releases-local/app1/
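The four examples above each scan one named image. When a build host holds many images, a small wrapper that enumerates the local daemon and scans each tagged image is the usual next step. The script below is an added example and is not part of the JFrog documentation: it feeds the output of `docker images --format` (a standard Docker CLI option) through a filter that drops dangling `<none>:<none>` entries, which have no reference `jf docker scan` could resolve, and scans each image ID only once even when it carries several tags. Extra arguments such as `--project` or `--watches` are passed through unchanged. The sample input in the comments is constructed.

```shell
#!/bin/sh
# Added example (not JFrog's own code): scan every tagged image in the local
# Docker daemon with `jf docker scan`, passing any policy flags through.
set -eu

# Read "repository tag id" triples from stdin, one per line, as produced by
#   docker images --format '{{.Repository}} {{.Tag}} {{.ID}}'
# and print one scannable image reference per line. Rules:
#   - blank lines are ignored
#   - dangling images (<none>:<none>) are skipped: there is no reference to scan
#   - an image ID that was already printed is skipped, so app:1.0 and
#     app:latest pointing at the same bits are scanned once
image_refs() {
    seen=" "
    while read -r repo tag id _; do
        [ -n "$repo" ] || continue
        case "$repo:$tag" in
            *'<none>'*) continue ;;
        esac
        case "$seen" in
            *" $id "*) continue ;;
        esac
        seen="$seen$id "
        printf '%s:%s\n' "$repo" "$tag"
    done
}

# Scan each local image reference. Failures are counted rather than aborting
# the loop, so one image with violations does not hide the reports of the
# others; the function returns non-zero if any scan failed.
# Usage: scan_local_images --project my-project   (or --watches / --repo-path)
scan_local_images() {
    failed=0
    for ref in $(docker images --format '{{.Repository}} {{.Tag}} {{.ID}}' | image_refs); do
        echo "== jf docker scan $ref $*"
        jf docker scan "$ref" "$@" || failed=$((failed + 1))
    done
    echo "images with violations or scan errors: $failed"
    [ "$failed" -eq 0 ]
}
```

`image_refs` is kept separate from the scan loop so the filtering can be exercised on captured `docker images` output without a daemon or an Xray connection; `scan_local_images` is the piece you would call from a CI job.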

Scanning Image Tarballs on the Local File System

The ‘scan’ command can be used to scan tarballs of Docker and OCI images on the local file system.

It requires saving the image to the file system as an uncompressed tarball using a compliant tool, and then scanning it with the ‘jf s’ command. The image must be saved uncompressed, with a <name>.tar file name.


Note

This command requires:

  • Version 3.61.5 or above of Xray.

  • Version 2.14.0 or above of JFrog CLI.


Docker Client

Use Docker client ‘docker save’ command to save the image to the file system for scanning.

Example:

$ docker images
REPOSITORY   TAG     IMAGE ID        CREATED        SIZE
my-image     1.0.0   aaaaabbcccddd   2 months ago   1.12MB

$ docker save --output my-image-docker.tar my-image:1.0.0
$ jf s my-image-docker.tar

Skopeo

Use Skopeo CLI to save an image to the file system. Output image can be either OCI or Docker format.

Example:

$ docker images
REPOSITORY   TAG     IMAGE ID        CREATED        SIZE
my-image     1.0.0   aaaaabbcccddd   2 months ago   1.12MB

# Scan an image in Docker format
$ skopeo copy docker-daemon:my-image:1.0.0 docker-archive:my-image-docker.tar
$ jf s my-image-docker.tar

# Scan an image in OCI format
$ skopeo copy docker-daemon:my-image:1.0.0 oci-archive:my-image-oci.tar
$ jf s my-image-oci.tar

Podman

Use Podman CLI to save an image to the file system. Output image can be either OCI or Docker format.

Example:

$ podman images
REPOSITORY   TAG     IMAGE ID        CREATED        SIZE
my-image     1.0.0   aaaaabbcccddd   2 months ago   1.12MB

# Scan an image in Docker format
$ podman save --format=docker-archive -o my-image-docker.tar my-image:1.0.0
$ jf s my-image-docker.tar

# Scan an image in OCI format
$ podman save --format=oci -o my-image-oci.tar my-image:1.0.0
$ jf s my-image-oci.tar

Kaniko

Use the Kaniko ‘--tarPath’ flag to save built images to the file system, and then scan them with JFrog CLI. The example below runs Kaniko in Docker.

Example:

$ cat Dockerfile

FROM alpine:3.16

$ docker run -it --rm -v $(pwd):/workspace gcr.io/kaniko-project/executor:v1.8.1-debug -f Dockerfile --no-push --tarPath my-image.tar -d my-image:1.0 -c . --cleanup

$ jf s my-image.tar
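The Docker, Skopeo, Podman and Kaniko walkthroughs above all end the same way: an archive lands on disk and is handed to `jf s`. The one requirement they share, that the archive is an uncompressed tar with a <name>.tar file name, is also the one most often broken in practice (a `.tgz` from a build step, or an archive gzipped by a later packaging stage). The script below is an added example, not JFrog's code: it exports an image with whichever client is installed, checks the result against that requirement before scanning (file name ends in `.tar`, no gzip magic bytes at the start, and the POSIX "ustar" marker at byte offset 257), and only then runs `jf s`. The image reference, output file names and the choice of client are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the JFrog docs): export a local image as an
# uncompressed <name>.tar archive, verify the archive meets that requirement,
# then scan it with `jf s`. Image name and file names are assumptions.
set -eu

# Return 0 when $1 is an uncompressed tar archive with a .tar file name.
# Checks, in order: the .tar suffix, a non-empty file, the absence of the
# gzip magic (bytes 1f 8b), and the POSIX "ustar" marker at offset 257.
is_uncompressed_tar() {
    f=$1
    case "$f" in
        *.tar) ;;
        *) echo "refusing $f: image tarballs must use a <name>.tar file name" >&2; return 1 ;;
    esac
    [ -s "$f" ] || { echo "refusing $f: empty or missing" >&2; return 1; }
    magic=$(head -c 2 "$f" | od -An -tx1 | tr -d ' \n')
    if [ "$magic" = "1f8b" ]; then
        echo "refusing $f: gzip-compressed, jf s expects an uncompressed tar" >&2
        return 1
    fi
    marker=$(tail -c +258 "$f" | head -c 5)
    [ "$marker" = "ustar" ] || { echo "refusing $f: no ustar header at offset 257" >&2; return 1; }
    return 0
}

# Export image $1 to archive $2 using the first client found on PATH, with
# the same docker-archive commands the page shows for each tool.
save_image() {
    image=$1; out=$2
    if command -v docker >/dev/null 2>&1; then
        docker save --output "$out" "$image"
    elif command -v skopeo >/dev/null 2>&1; then
        skopeo copy "docker-daemon:$image" "docker-archive:$out"
    elif command -v podman >/dev/null 2>&1; then
        podman save --format=docker-archive -o "$out" "$image"
    else
        echo "no docker, skopeo or podman client found" >&2
        return 1
    fi
}

# Save, validate, scan. Derives the file name from the image reference,
# e.g. reg1/repo1/img1:1.0.0 -> reg1_repo1_img1_1.0.0.tar
scan_image_tarball() {
    image=$1
    out="$(echo "$image" | tr '/:' '__').tar"
    save_image "$image" "$out"
    is_uncompressed_tar "$out"
    jf s "$out"
}

# Run the pipeline only when an image reference is given on the command line.
if [ "${1:-}" != "" ]; then
    scan_image_tarball "$1"
fi
```

The validation step is deliberately independent of the export step, so it can also be dropped in front of an existing `jf s` call for archives produced elsewhere, such as a Kaniko `--tarPath` output copied out of a build container.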

© 2024 JFrog Ltd All Rights Reserved