Execute a cUrl command, using the configured Xray details. The command expects the cUrl client to be included in the PATH.
Command name | xr curl |
Abbreviation | xr cl |
Command options | |
--server-id | [Optional] Server ID configured using the jf c add command. If not specified, the default configured server is used. |
Command arguments | |
cUrl arguments and flags | The same list of arguments and flags passed to cUrl, except for the following changes: |
Example 1
Execute the cUrl client to send a GET request to the /api/v1/system/version endpoint on the default configured Xray server.
jf xr curl -XGET /api/v1/system/version
Example 2
Execute the cUrl client to send a GET request to the /api/v1/system/version endpoint on the Xray server configured under the my-xr-server server ID.
jf xr curl -XGET /api/v1/system/version --server-id my-xr-server
The offline-update command downloads updates for Xray's vulnerabilities database. The Xray UI can build the command structure for you.
Command name | xr offline-update |
Abbreviation | xr ou |
Command options | |
--license-id | [Mandatory] Xray license ID. |
--from | [Optional] From update date in YYYY-MM-DD format. |
--to | [Optional] To update date in YYYY-MM-DD format. |
--version | [Optional] Xray API version. |
--target | [Default: ./] Path for downloaded update files. |
--dbsyncv3 | [Default: false] Set to true to use Xray DBSync V3. |
--periodic | [Default: false] Set to true to get the Xray DBSync V3 Periodic Package (Use with dbsyncv3 flag). |
Command arguments | The command accepts no arguments. |
The on-demand binary scanning enables you to point to a binary in your local file system and receive a report that contains a list of vulnerabilities, licenses, and policy violations for that binary prior to uploading the binary or build to Artifactory.
This jf scan command scans files on the local file-system with Xray.
This command requires:
Command name | scan |
Abbreviation | s |
Command options | |
--server-id | [Optional] Server ID configured using the jf c add command. If not specified, the default configured server is used. |
--spec | [Optional] Path to a file specifying the files to scan. If the pattern argument is provided to the command, this option should not be provided. |
--project | [Optional] JFrog project key, to enable Xray to determine security violations accordingly. The command accepts this option only if the --repo-path and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities. |
--repo-path | [Optional] Artifactory repository path in the form of <repository>/<path in the repository>, to enable Xray to determine violations accordingly. The command accepts this option only if the --project and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities. |
--watches | [Optional] A comma separated list of Xray watches, to enable Xray to determine violations accordingly. The command accepts this option only if the --project and --repo-path options are not provided. If none of the three options are provided, the command will show all known vulnerabilities. |
--licenses | [Default: false] Set if you also require the list of licenses to be displayed. |
--format=json | [Optional] Produces a JSON file containing the scan results. |
Command arguments | |
Pattern | Specifies the local file system path to artifacts to be scanned. You can specify multiple files by using wildcards. |
Output Example
Examples
Example 1
Scans all the files located in the path/to/files/ file-system directory using the watch1 watch defined in Xray.
jf s "path/to/files/" --watches "watch1"
Example 2
Scans all the files located in the path/to/files/ file-system directory using the watch1 and watch2 watches defined in Xray.
jf s "path/to/files/" --watches "watch1,watch2"
Example 3
Scans all the zip files located in the path/to/files/ file-system directory using the watch1 and watch2 watches defined in Xray.
jf s "path/to/files/*.zip" --watches "watch1,watch2"
Example 4
Scans all the tgz files located in the path/to/files/ file-system directory using the policies defined for project-1.
jf s "path/to/files/*.tgz" --project "project-1"
Example 5
Scans all the tgz files located in the current directory using the policies defined for the libs-local/release-artifacts/ path in Artifactory.
jf s "*.tgz" --repo-path "libs-local/release-artifacts/"
Example 6
Scans all the tgz files located in the current directory. Shows all known vulnerabilities, regardless of the policies defined in Xray.
jf s "*.tgz"
This jf docker scan command scans docker containers located on the local file-system using the docker client and JFrog Xray. The containers don't need to be deployed to Artifactory or any other container registry before they can be scanned.
This command requires:
Command name | docker scan |
Abbreviation | |
Command options | |
--server-id | [Optional] Server ID configured using the jf c add command. If not specified, the default configured server is used. |
--project | [Optional] JFrog project key, to enable Xray to determine security violations accordingly. The command accepts this option only if the --repo-path and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities. |
--repo-path | [Optional] Artifactory repository path in the form of <repository>/<path in the repository>, to enable Xray to determine violations accordingly. The command accepts this option only if the --project and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities. |
--watches | [Optional] A comma separated list of Xray watches, to enable Xray to determine violations accordingly. The command accepts this option only if the --project and --repo-path options are not provided. If none of the three options are provided, the command will show all known vulnerabilities. |
--licenses | [Default: false] Set if you also require the list of licenses to be displayed. |
--format=json | [Optional] Produces a JSON file containing the scan results. |
Command arguments | |
Pattern | Specifies the local file system path to artifacts to be scanned. You can specify multiple files by using wildcards. |
Output Example
Examples
Example 1
Scan the local reg1/repo1/img1:1.0.0 container and show all known vulnerabilities, regardless of the policies defined in Xray.
$ docker images
REPOSITORY        TAG     IMAGE ID       CREATED         SIZE
reg1/repo1/img1   1.0.0   6446ea57df7b   19 months ago   5.57MB
$
$ jf docker scan reg1/repo1/img1:1.0.0
Example 2
Scan the local reg1/repo1/img1:1.0.0 container and show all violations according to the policy associated with my-project JFrog project.
$ docker images
REPOSITORY        TAG     IMAGE ID       CREATED         SIZE
reg1/repo1/img1   1.0.0   6446ea57df7b   19 months ago   5.57MB
$
$ jf docker scan reg1/repo1/img1:1.0.0 --project my-project
Example 3
Scan the local reg1/repo1/img1:1.0.0 container and show all violations according to the policy associated with my-watch Xray Watch.
$ docker images
REPOSITORY        TAG     IMAGE ID       CREATED         SIZE
reg1/repo1/img1   1.0.0   6446ea57df7b   19 months ago   5.57MB
$
$ jf docker scan reg1/repo1/img1:1.0.0 --watches my-watch
Example 4
Scan the local reg1/repo1/img1:1.0.0 container and show all violations according to the policy associated with the releases-local/app1/ path in Artifactory.
$ docker images
REPOSITORY        TAG     IMAGE ID       CREATED         SIZE
reg1/repo1/img1   1.0.0   6446ea57df7b   19 months ago   5.57MB
$
$ jf docker scan reg1/repo1/img1:1.0.0 --repo-path releases-local/app1/
The ‘scan’ command can be used to scan tarballs of Docker and OCI images on the local file system. It requires saving the image on the file system as an uncompressed tarball using a compliant tool, and then scanning it with the ‘jf s’ command. The image must be saved to the file-system uncompressed, with a <name>.tar file name.
This command requires:
Use the Docker CLI ‘docker save’ command to save the image to the file system for scanning.
Example:
$ docker images
REPOSITORY   TAG     IMAGE ID        CREATED        SIZE
my-image     1.0.0   aaaaabbcccddd   2 months ago   1.12MB
$ docker save --output my-image-docker.tar my-image:1.0.0
$ jf s my-image-docker.tar
Use the Skopeo CLI to save an image to the file system. The output image can be in either OCI or Docker format.
Example:
$ docker images
REPOSITORY   TAG     IMAGE ID        CREATED        SIZE
my-image     1.0.0   aaaaabbcccddd   2 months ago   1.12MB
// Scan an image in Docker format
$ skopeo copy docker-daemon:my-image:1.0.0 docker-archive:my-image-docker.tar
$ jf s my-image-docker.tar
// Scan an image in OCI format
$ skopeo copy docker-daemon:my-image:1.0.0 oci-archive:my-image-oci.tar
$ jf s my-image-oci.tar
Use the Podman CLI to save an image to the file system. The output image can be in either OCI or Docker format.
Example:
$ podman images
REPOSITORY   TAG     IMAGE ID        CREATED        SIZE
my-image     1.0.0   aaaaabbcccddd   2 months ago   1.12MB
// Scan an image in Docker format
$ podman save --format=docker-archive -o my-image-docker.tar my-image:1.0.0
$ jf s my-image-docker.tar
// Scan an image in OCI format
$ podman save --format=oci -o my-image-oci.tar my-image:1.0.0
$ jf s my-image-oci.tar
Use the Kaniko ‘--tarPath’ flag to save built images to the file system, then scan them with JFrog CLI. The example below runs Kaniko in Docker.
Example:
$ cat Dockerfile
FROM alpine:3.16
$ docker run -it --rm -v $(pwd):/workspace gcr.io/kaniko-project/executor:v1.8.1-debug -f Dockerfile --no-push --tarPath my-image.tar -d my-image:1.0 -c . --cleanup
$ jf s my-image.tar
The jf audit command allows scanning your source code dependencies to find security vulnerabilities and license violations, with the ability to scan against your Xray policies. The command builds a deep dependency graph for your project, scans it with Xray, and displays the results. It uses the project's own package manager to build the dependency graph. Currently the following package managers are supported.
The command detects the package manager used by the project automatically. It requires Xray version 3.29.0 or above and JFrog CLI version 2.13.0 or above.
Command name | audit |
Abbreviation | aud |
Command options | |
--server-id | [Optional] Server ID configured using the jf c add command. If not specified, the default configured server is used. |
--project | [Optional] JFrog project key, to enable Xray to determine security violations accordingly. The command accepts this option only if the --repo-path and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities |
--repo-path | [Optional] Artifactory repository path in the form of <repository>/<path in the repository>, to enable Xray to determine violations accordingly. The command accepts this option only if the --project and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities |
--watches | [Optional] A comma separated list of Xray watches, to enable Xray to determine violations accordingly. The command accepts this option only if the --project and --repo-path options are not provided. If none of the three options are provided, the command will show all known vulnerabilities |
--licenses | [Default: false] Set if you'd also like the list of licenses to be displayed. |
--format | [Default: table] Defines the output format of the command. Acceptable values are: table and json. |
--fail | [Default: true] Set to false if you do not wish the command to return exit code 3, even if the 'Fail Build' rule is matched by Xray. |
--use-wrapper | [Default: false] [Gradle] Set to true if you'd like to use the Gradle wrapper. |
--dep-type | [Default: all] [npm] Defines npm dependencies type. Possible values are: all, devOnly and prodOnly. |
--exclude-test-deps | [Default: false] [Gradle] Set to true if you'd like to exclude Gradle test dependencies from Xray scanning. |
--requirements-file | [Optional] [Pip] Defines pip requirements file name. For example: 'requirements.txt' |
--working-dirs | [Optional] A comma separated list of relative working directories, to determine the audit targets locations. |
--go | [Default: false] Set to true to request audit for a Go project. |
--gradle | [Default: false] Set to true to request audit for a Gradle project. |
--mvn | [Default: false] Set to true to request audit for a Maven project. |
--npm | [Default: false] Set to true to request audit for a npm project. |
--nuget | [Default: false] Set to true to request audit for a .Net project. |
--pip | [Default: false] Set to true to request audit for a Pip project. |
--pipenv | [Default: false] Set to true to request audit for a Pipenv project. |
--yarn | [Default: false] Set to true to request audit for a Yarn 2+ project. |
Command arguments | The command accepts no arguments. |
Example 1
Audit the project at the current directory. Show all known vulnerabilities, regardless of the policies defined in Xray.
jf audit
Example 2
Audit the project at the current directory. Show all known vulnerabilities, regardless of the policies defined in Xray. Show only Maven and npm vulnerabilities.
jf audit --mvn --npm
Example 3
Audit the project at the current directory using the watch1 watch defined in Xray.
jf audit --watches "watch1"
Example 4
Audit the project at the current directory using watch1 and watch2 defined in Xray.
jf audit --watches "watch1,watch2"
Example 5
Audit the project at the current directory using the policies defined for project-1.
jf audit --project "project-1"
Example 6
Audit the project at the current directory using the policies defined for the libs-local/release-artifacts/ path in Artifactory.
jf audit --repo-path "libs-local/release-artifacts/"
JFrog CLI is integrated with JFrog Xray and JFrog Artifactory, allowing you to have your build artifacts and dependencies scanned for vulnerabilities and license violations. This command scans a build that has already been published to Artifactory using the build-publish command.
Command name | build-scan |
Abbreviation | bs |
Command options | |
--server-id | [Optional] Server ID configured by the jf c add command. If not specified, the default configured server is used. |
--vuln | [Optional] Set if you'd like to receive all vulnerabilities, regardless of the policy configured in Xray. |
--fail | [Default: true] When set, the command returns exit code 3 if a 'Fail Build' rule is matched by Xray. |
--format | [Default: table] Defines the output format of the command. The accepted values are: table and json. |
--project | [Optional] JFrog project key |
--rescan | [Default: false] Set to true when scanning an already successfully scanned build, for example after adding an ignore rule. |
Command arguments | The command accepts two arguments. |
Build name | Build name to be scanned. |
Build number | Build number to be scanned. |
jf bs my-build-name 18
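The --fail option of jf audit and jf build-scan above makes the command exit with code 3 when an Xray 'Fail Build' rule is matched. The following POSIX shell gate is an added example (not part of the JFrog CLI documentation) that wraps either command in a CI job and tells that outcome apart from a scan that did not complete, so a tool or network error is never mistaken for a clean result. It assumes only the exit-code convention stated on this page and nothing about the scan output format.

```shell
#!/bin/sh
# Added example, not JFrog CLI code: CI gate around `jf audit` / `jf bs`.
# Per the reference above, with --fail=true (the default) these commands
# exit with code 3 when an Xray policy's 'Fail Build' rule is matched.
# Any other non-zero code means the scan itself did not complete.

# classify_xray_exit <exit-code>
# Prints a one-word verdict and returns 0 (clean), 1 (policy violation)
# or 2 (scan did not complete), so callers can branch on the return value.
classify_xray_exit() {
    case "$1" in
        0) echo "clean";     return 0 ;;
        3) echo "violation"; return 1 ;;   # 'Fail Build' rule matched by Xray
        *) echo "error";     return 2 ;;   # e.g. bad --server-id, network, unsupported project
    esac
}

# run_xray_gate <command...>
# Runs the given jf command unchanged (its vulnerability table stays in the
# CI log), then classifies its exit status and returns the verdict code.
run_xray_gate() {
    "$@"
    status=$?
    verdict=$(classify_xray_exit "$status")
    rc=$?
    case "$verdict" in
        clean)     echo "xray gate: no policy violations (exit $status)" ;;
        violation) echo "xray gate: Xray 'Fail Build' rule matched (exit $status), blocking pipeline" ;;
        error)     echo "xray gate: scan did not complete (exit $status), failing closed" ;;
    esac
    return "$rc"
}

# When run directly, gate whatever command follows, for example:
#   sh xray-gate.sh jf audit --watches "watch1"
#   sh xray-gate.sh jf bs my-build-name 18
if [ "$#" -gt 0 ]; then
    run_xray_gate "$@"
fi
```

A pipeline step that uses this script fails on both a policy violation and an incomplete scan, but the log line makes clear which of the two happened.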