Scan your Source Code

The jf audit command allows scanning your source code dependencies to find security vulnerabilities and licenses violations, with the ability to scan against your Xray policies. The command builds a deep dependencies graph for your project, scans it with Xray, and displays the results. It uses the package manager used by the project to build the dependencies graph. Currently, the following package managers are supported.

  • Maven (mvn) - Version 3.1.0 or above of Maven is supported.

  • Gradle (gradle)

  • Npm (npm)

  • Pnpm (pnpm)

  • Yarn (yarn)

  • Pip (pip)

  • Pipenv (pipenv)

  • Poetry (poetry)

  • Go Modules (go)

  • NuGet (nuget)

  • .NET Core CLI (dotnet)

The command will detect the package manager used by the project automatically. It requires version 3.29.0 or above of Xray and also version 2.13.0 or above of JFrog CLI.

Advanced Scans

This command also supports the following Advanced Scans with the Advanced Security Package enabled on the JFrog Platform instance. To enable the Advanced Security Package, contact us using this form.

  • Vulnerability Contextual Analysis: This feature uses the code context to eliminate false positive reports on vulnerable dependencies that are not applicable to the code. Vulnerability Contextual Analysis is currently supported for Python, Go and JavaScript code.

  • Secrets Detection: Detect any secrets left exposed inside the code. to stop any accidental leak of internal tokens or credentials.

  • Infrastructure as Code scans (IaC): Scan Infrastructure as Code (Terraform) files for early detection of cloud and infrastructure misconfigurations.

Note

  • The jf audit command does not extract the internal content of the scanned dependencies. This means that if a package includes other vulnerable components bundled inside the binary, they may not be shown as part of the results. This is contrary to the jf scan command, which drills down into the package content.

  • To generate the dependency tree for scanning purposes, the system will execute an install command on the project if it hasn't been executed previously.

Commands Params

Output Example

Example 1

Audit the project at the current directory. Show all known vulnerabilities, regardless of the policies defined in Xray.

jf audit

Example 2

Audit the project at the current directory. Show all known vulnerabilities, regardless of the policies defined in Xray. Show only maven and npm vulnerabilities.

jf audit --mvn --npm

Example 3

Audit the project at the current directory using a watch named watch1 watch defined in Xray.

jf audit --watches "watch1"

Example 4

Audit the project at the current directory using watch1 and _watch2_ defined in Xray.

jf audit --watches "watch1,watch2"

Example 5

Audit the project at the current directory using the policies defined for project-1.

jf audit --project "project-1"

Example 6

Audit the project at the current directory using the policies defined for the libs-local/release-artifacts/ path in Artifactory.

jf audit --repo-path "libs-local/release-artifacts/"

Example 7

Audit the project in the current directory, excluding all files inside the node_modules directory and files with the to_exclude suffix.

jf audit --exclusions "*node_modules*;*to_exclude"
PreviousAuthenticationNextcUrl Integration

Last updated

© 2024 JFrog Ltd All Rights Reserved