Scan your Source Code

The jf audit command allows scanning your source code dependencies to find security vulnerabilities and licenses violations, with the ability to scan against your Xray policies. The command builds a deep dependencies graph for your project, scans it with Xray, and displays the results. It uses the package manager used by the project to build the dependencies graph. Currently, the following package managers are supported.

Maven (mvn) - Version 3.1.0 or above of Maven is supported.
Gradle (gradle)
Npm (npm)
Pnpm (pnpm)
Yarn (yarn)
Pip (pip)
Pipenv (pipenv)
Poetry (poetry)
Go Modules (go)
NuGet (nuget)
.NET Core CLI (dotnet)
CocoaPods (pod)
SwiftPM (swift)

The command will detect the package manager used by the project automatically. It requires version 3.29.0 or above of Xray and also version 2.13.0 or above of JFrog CLI.

Advanced Scans

This command also supports the following Advanced Scans with the Advanced Security Package enabled on the JFrog Platform instance. To enable the Advanced Security Package, contact us using this form.

Vulnerability Contextual Analysis: This feature uses the code context to eliminate false positive reports on vulnerable dependencies that are not applicable to the code. Vulnerability Contextual Analysis is currently supported for Python, Go and JavaScript code.
Secrets Detection: Detect any secrets left exposed inside the code. to stop any accidental leak of internal tokens or credentials.
Infrastructure as Code scans (IaC): Scan Infrastructure as Code (Terraform) files for early detection of cloud and infrastructure misconfigurations.

Note

The jf audit command does not extract the internal content of the scanned dependencies. This means that if a package includes other vulnerable components bundled inside the binary, they may not be shown as part of the results. This is contrary to the jf scan command, which drills down into the package content.
To generate the dependency tree for scanning purposes, the system will execute an install command on the project if it hasn't been executed previously.

Commands Params

Command name

Default

Description

audit, aud

Executes all following sub-scans: SCA (Software Composition Analysis) + Contextual Analysis, SAST, IaC, and Secrets.

Command options

--help

Displays information about each of the jf audit command's options.

--server-id

Default server

[Optional] Server ID configured using the jf c add command.

--project

[Optional] JFrog project key, to enable Xray to determine security violations accordingly. The command accepts this option only if the --repo-path and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities

--repo-path

[Optional] Artifactory repository path, to enable Xray to determine violations accordingly. The command accepts this option only if the --project and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities

--watches

[Optional] A comma-separated(,) list of Xray watches, to enable Xray to determine violations accordingly. The command accepts this option only if the --repo-path and --repo-path options are not provided. If none of the three options are provided, the command will show all known vulnerabilities

--licenses

false

Set if you'd also like the list of licenses to be displayed.

--format

table

Defines the output format of the command. Acceptable values are: table and json.

--fail

true

When using one of the flags --watches, --project, or --repo-path and a Fail build rule is matched the command will return exit code 3. Set to false if you want to see violations with exit code 0.

--use-wrapper

false

[Gradle] Set to true if you'd like to use the Gradle wrapper.

--dep-type

all

[npm] Defines npm dependency types. Acceptable values are: all, devOnly and prodOnly

--exclude-test-deps

false

[Gradle] Set to true if you'd like to exclude Gradle test dependencies from Xray scanning.

--requirements-file

[Optional] [Pip] Defines pip requirements file name. For example: 'requirements.txt'

--working-dirs

[Optional] A comma-separated(,) list of relative working directories, to determine the audit targets locations.

If flag isn't provided, a recursive scan is triggered from the root directory of the project.

--exclusions

.git;node_modules;target;venv;test

List of semicolon-separated(;) exclusions, utilized to skip sub-projects from undergoing an audit. These exclusions may incorporate the * and ? wildcards.

--fixable-only

[Optional] Set to true if you wish to display issues that have a fix version only.

--min-severity

[Optional] Set the minimum severity of issues to display. Acceptable values: Low, Medium, High, or Critical

--threads

3

The number of parallel threads used to scan the source code project.

--go

false

Set to true to request audit for a Go project.

--gradle

false

Set to true to request audit for a Gradle project.

--mvn

false

Set to true to request audit for a Maven project.

--npm

false

Set to true to request audit for a npm project.

--pnpm

false

Set to true to request audit for a pnpm project.

--nuget

false

Set to true to request audit for a .Net project.

--pip

false

Set to true to request audit for a Pip project.

--pipenv

false

Set to true to request audit for a Pipenv project.

--yarn

false

Set to true to request audit for a Yarn project.

--sca

false

Selective scanners mode

Executes SCA (Software Composition Analysis) sub-scan. Use --sca to run both SCA and Contextual Analysis. Use --sca --without-contextual-analysis to to run SCA. Can be combined with --secrets, --sast, --iac.

--iac

false

Selective scanners mode

Executes IaC sub-scan. Can be combined with --sca, --secrets and --sast.

--secrets

false

Selective scanners mode

Executes Secrets sub-scan. Can be combined with --sca, --sast, and --iac.

--sast

false

Selective scanners mode

Executes SAST sub-scan. Can be combined with --sca, --secrets, and --iac.

--without-contextual-analysis

false

Selective scanners mode

Disable Contextual Analysis scanner after SCA. Relevant only with --sca flag.

--vuln

[Optional] Set if you'd like to receive all vulnerabilities, regardless of the policy configured in Xray.

--validate-secrets

false

Triggers token validation on found secrets

Command arguments

The command accepts no arguments

Output Example

Example 1

Audit the project at the current directory. Show all known vulnerabilities, regardless of the policies defined in Xray.

jf audit

Example 2

Audit the project at the current directory. Show all known vulnerabilities, regardless of the policies defined in Xray. Show only maven and npm vulnerabilities.

jf audit --mvn --npm

Example 3

Audit the project at the current directory using a watch named watch1 watch defined in Xray.

jf audit --watches "watch1"

Example 4

Audit the project at the current directory using watch1 and _watch2_ defined in Xray.

jf audit --watches "watch1,watch2"

Example 5

Audit the project at the current directory using the policies defined for project-1.

jf audit --project "project-1"

Example 6

Audit the project at the current directory using the policies defined for the libs-local/release-artifacts/ path in Artifactory.

jf audit --repo-path "libs-local/release-artifacts/"

Example 7

Audit the project in the current directory, excluding all files inside the node_modules directory and files with the to_exclude suffix.

jf audit --exclusions "*node_modules*;*to_exclude"

PreviousAuthentication NextcUrl Integration

Last updated 4 days ago