JFrog Xray

JFrog XRay is a container scanning component that runs alongside the JFrog Artifactory platform. When containers are submitted to Artifactory, XRay examines their composition and provenance and raises any issues it finds. This is done via static analysis, not at runtime.

Security Stage: SCA (Source Composition Analysis)
Type: Proprietary (Cloud and On-premises available)
Frameworks: Containers



1. You'll need an account with an existing JFrog system, either a cloud account or on-premises
2. Details of a container image that has been added to JFrog Artifactory

How do I set it up?

Adding JFrog XRay to your set of security tests is simple. You will add this testing tool to a version (security stage) that is set up to run static code analysis tests.

Our JFrog XRay tool will pull its configuration from the Container information stored against the Application Version you are looking to test. To get it up and running, complete the following process:

  • Ensure you have a valid Container configuration associated with your Application Version
    • Follow the steps in "Adding container configuration to your application version" to get this sorted
    • If your JFrog XRay instance is protected with authentication, make sure you complete the "How to Add A Connection to a Private Container Repository" section, as the tool will use this information to query for the Container's vulnerabilities.
  • Open the "Test Tools" tab for the version you wish to scan with JFrog XRay
  • Click "Add Tool" for the JFrog XRay card

  • Click "Save" at the bottom of the page

Now any time you click 'Test Now' for that application version, or make a request over the Uleska API or CLI for that version, the JFrog XRay tool will query the XRay platform, and pull back any issues discovered. These issues will be processed as normal (de-duped and any false positives removed) and will be added to your vulnerabilities list.