JFrog Xray

JFrog XRay is a container scanning component that runs alongside the JFrog Artifactory platform. When containers are submitted to the Artifactory, XRay will examine their composition and provenance and raise any issues that it finds. This is done via static analysis and not at runtime.

Security Stage SCA (Source Composition Analysis)
Type Proprietary (Cloud and On-premises available)
Frameworks Containers
Site https://jfrog.com/xray/



1 You'll need an account with an existing JFrog system, either a cloud account, or on-premise
2 Details of a container image that has been added to JFrog Artifactory

How do I set it up?

Adding JFrog XRay to your set of security tests is simple. You will add this testing tool to a version (security stage) that is set up to run static code analysis tests.

Our JFrog XRay tool will pull its configuration from the Container information stored against the Application Version you are looking to test. To get it up and running, complete the following process:

  • Ensure you have a valid Container configuration associated with your Application Version
    • Follow the steps in "Adding container configuration to your application version" to get this sorted
    • If your JFrog XRay instance is protected with authentication, make sure you complete the "How to Add A Connection to a Private Container Repository" section, as the tool will use this information to query for the Container's vulnerabilities.
  • Click 'Save'

  • Create a new Toolkit (or edit an existing one) by following the Creating a Toolkit guide and selecting 'JFrog XRAY' as a tool.


  • Click "Save

Now any time you click 'Test Now' with that ToolKit, or make a request over the Uleska API or CLI with that ToolKit, the JFrog XRay tool will query the XRay platform, and pull back any issues discovered. These issues will be processed as normal (de-duped and any false positives removed) and will be added to your vulnerabilities list.