Scan your Source Code

The jf audit command allows scanning your source code dependencies to find security vulnerabilities and licenses violations, with the ability to scan against your Xray policies. The command builds a deep dependencies graph for your project, scans it with Xray, and displays the results. It uses the package manager used by the project to build the dependencies graph. Currently, the following package managers are supported.

  • Maven (mvn) - Version 3.1.0 or above of Maven is supported.

  • Gradle (gradle)

  • Npm (npm)

  • Pnpm (pnpm)

  • Yarn (yarn)

  • Pip (pip)

  • Pipenv (pipenv)

  • Poetry (poetry)

  • Go Modules (go)

  • NuGet (nuget)

  • .NET Core CLI (dotnet)

The command will detect the package manager used by the project automatically. It requires version 3.29.0 or above of Xray and also version 2.13.0 or above of JFrog CLI.

Advanced Scans

This command also supports the following Advanced Scans with the Advanced Security Package enabled on the JFrog Platform instance. To enable the Advanced Security Package, contact us using this form.

  • Vulnerability Contextual Analysis: This feature uses the code context to eliminate false positive reports on vulnerable dependencies that are not applicable to the code. Vulnerability Contextual Analysis is currently supported for Python and JavaScript code.

  • Secrets Detection: Detect any secrets left exposed inside the code. to stop any accidental leak of internal tokens or credentials.

  • Infrastructure as Code scans (IaC): Scan Infrastructure as Code (Terraform) files for early detection of cloud and infrastructure misconfigurations.


Note

  • The jf audit command does not extract the internal content of the scanned dependencies. This means that if a package includes other vulnerable components bundled inside the binary, they may not be shown as part of the results. This is contrary to the jf scan command, which drills down into the package content.

  • To generate the dependency tree for scanning purposes, the system will execute an install command on the project if it hasn't been executed previously.


Commands Params

Command name

audit

Abbreviation

aud

Command options

--server-id

[Optional] Server ID configured using the jf c add command. If not specified, the default configured server is used.

--project

[Optional] JFrog project key, to enable Xray to determine security violations accordingly. The command accepts this option only if the --repo-path and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities

--repo-path

[Optional] Artifactory repository path, to enable Xray to determine violations accordingly. The command accepts this option only if the --project and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities

--watches

[Optional] A comma-separated(,) list of Xray watches, to enable Xray to determine violations accordingly. The command accepts this option only if the --repo-path and --repo-path options are not provided. If none of the three options are provided, the command will show all known vulnerabilities

--licenses

[Default: false] Set if you'd also like the list of licenses to be displayed.

--format

[Default: table] Defines the output format of the command. Acceptable values are: table and json.

--fail

[Default: true] When using one of the flags --watches, --project or --repo-path and a Fail build rule is matched the command will return exit code 3. Set to false if you'd like to see violations with exit code 0.

--use-wrapper

[Default: false] [Gradle] Set to true if you'd like to use the Gradle wrapper.

--dep-type

[Default: all] [npm] Defines npm dependencies type. Possible values are: all, devOnly and prodOnly

--exclude-test-deps

[Default: false] [Gradle] Set to true if you'd like to exclude Gradle test dependencies from Xray scanning.

--requirements-file

[Optional] [Pip] Defines pip requirements file name. For example: 'requirements.txt'

--working-dirs

[Optional] A comma-separated(,) list of relative working directories, to determine the audit targets locations.

If flag isn't provided, a recursive scan is triggered from the root directory of the project.

--exclusions

[Default: .git;node_modules;target;venv;test] List of semicolon-separated(;) exclusions, utilized to skip sub-projects from undergoing an audit. These exclusions may incorporate the * and ? wildcards.

--fixable-only

[Optional] Set to true if you wish to display issues that have a fix version only.

--min-severity

[Optional] Set the minimum severity of issues to display. The following values are accepted: Low, Medium, High or Critical

--go

[Default: false] Set to true to request audit for a Go project.

--gradle

[Default: false] Set to true to request audit for a Gradle project.

--mvn

[Default: false] Set to true to request audit for a Maven project.

--npm

[Default: false] Set to true to request audit for a npm project.

--pnpm

[Default: false] Set to true to request audit for a pnpm project.

--nuget

[Default: false] Set to true to request audit for a .Net project.

--pip

[Default: false] Set to true to request audit for a Pip project.

--pipenv

[Default: false] Set to true to request audit for a Pipenv project.

--yarn

[Default: false] Set to true to request audit for a Yarn project.

Command arguments

The command accepts no arguments

Output Example

Example 1

Audit the project at the current directory. Show all known vulnerabilities, regardless of the policies defined in Xray.

jf audit

Example 2

Audit the project at the current directory. Show all known vulnerabilities, regardless of the policies defined in Xray. Show only maven and npm vulnerabilities.

jf audit --mvn --npm

Example 3

Audit the project at the current directory using a watch named watch1 watch defined in Xray.

jf audit --watches "watch1"

Example 4

Audit the project at the current directory using watch1 and _watch2_ defined in Xray.

jf audit --watches "watch1,watch2"

Example 5

Audit the project at the current directory using the policies defined for project-1.

jf audit --project "project-1"

Example 6

Audit the project at the current directory using the policies defined for the libs-local/release-artifacts/ path in Artifactory.

jf audit --repo-path "libs-local/release-artifacts/"

Example 7

Audit the project in the current directory, excluding all files inside the node_modules directory and files with the to_exclude suffix.

jf audit --exclusions "*node_modules*;*to_exclude"

Last updated

© 2024 JFrog Ltd All Rights Reserved