Overview

This page describes how to use JFrog CLI with JFrog Xray.

Read more about JFrog CLI here.

Authentication

When used with Xray, JFrog CLI supports the two means of authentication described below. Anonymous access to Xray is not supported: every command must carry credentials, either stored once with jfrog c add or passed on the command line.

Authenticating with Username and Password

To authenticate using your Xray login credentials, either configure them once with the jfrog c add command or pass the following options to each command. Passing --password on the command line exposes the password in shell history and process listings, so prefer the stored configuration or an access token.

Command option   Description
--url            JFrog Xray API endpoint URL. It usually ends with /xray
--user           JFrog username
--password       JFrog password

Authenticating with an Access Token

To authenticate using an Xray access token, either configure it once with the jfrog c add command or pass the following options to each command. Access tokens are the better choice for CI and automation, since they can be scoped and given an expiry.

Command option   Description
--url            JFrog Xray API endpoint URL. It usually ends with /xray
--access-token   JFrog access token


General Commands

Running cUrl

Execute a cUrl command against the configured Xray server, using its stored URL and credentials. The command expects the cUrl client to be available in the PATH.

Command name

xr curl

Abbreviation
xr cl
Command options


--server-id

[Optional]

Server ID configured using the jfrog c add command. If not specified, the default configured server is used.

Command arguments

cUrl arguments and flags

The same list of arguments and flags passed to cUrl, except for the following changes:

  1. The full Xray URL should not be passed. Instead, pass only the REST endpoint URI (for example /api/v1/system/version); JFrog CLI prefixes it with the configured Xray URL.
  2. The login credentials should not be passed. Instead, use --server-id to select a configured server; JFrog CLI adds the stored credentials to the request.

Examples

Example 1

Execute the cUrl client to send a GET request to the /api/v1/system/version endpoint of the default configured Xray server.

jf xr curl -XGET /api/v1/system/version

Example 2

Execute the cUrl client, to send a GET request to the /api/v1/system/version endpoint to the configured my-xr-server server ID.

jf xr curl -XGET /api/v1/system/version --server-id my-xr-server


Downloading updates for Xray's database

The offline-update command downloads updates for Xray's vulnerabilities database, for Xray installations that cannot fetch them directly from the internet. The Xray UI can build the command line for you.

Command name

xr offline-update

Abbreviation
xr ou
Command options


--license-id

[Mandatory]

Xray license ID

--from

[Optional]

From update date in YYYY-MM-DD format.

--to

[Optional]

To update date in YYYY-MM-DD format.

--version

[Optional]

Xray API version.

--target

[Default: ./]

Path for downloaded update files.

Command arguments
The command accepts no arguments.

On-Demand Binary Scan

The on-demand binary scanning enables you to point to a binary in your local file system and receive a report that contains a list of vulnerabilities, licenses, and policy violations for that binary prior to uploading the binary or build to Artifactory. 

Scanning Files on the Local File System 

The jf scan command scans files on the local file system with Xray.

This command requires:

  • Version 3.29.0 or above of Xray
  • Version 2.1.0 or above of JFrog CLI
Command name

scan

Abbreviation

s

Command options

--server-id

[Optional]

Server ID configured using the jfrog c add command. If not specified, the default configured server is used.

--spec

[Optional]

Path to a file specifying the files to scan. If the pattern argument is provided to the command, this option should not be provided.

--project

[Optional]

JFrog project key, to enable Xray to determine security violations accordingly. The command accepts this option only if the --repo-path and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities.

--repo-path

[Optional]

Artifactory repository path in the form of <repository>/<path in the repository>, to enable Xray to determine violations accordingly. The command accepts this option only if the --project and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities.

--watches

[Optional]

A comma separated list of Xray watches, to enable Xray to determine violations accordingly. The command accepts this option only if the --project and --repo-path options are not provided. If none of the three options are provided, the command will show all known vulnerabilities.

--licenses

[Default: false]

Set if you also require the list of licenses to be displayed.

--format=json

[Optional]

Produces a JSON file containing the scan results. 

Command arguments

Pattern

Specifies the local file system path to artifacts to be scanned. You can specify multiple files by using wildcards.


Examples

Example 1

Scans all the files located in the path/to/files/ file-system directory using the watch1 watch defined in Xray.

jf s "path/to/files/" --watches "watch1"


Example 2
Scans all the files located in the path/to/files/ file-system directory using the watch1 and watch2 watches defined in Xray.

jf s "path/to/files/" --watches "watch1,watch2"


Example 3

Scans all the zip files located in the path/to/files/ file-system directory using the watch1 and watch2 watches defined in Xray.

jf s "path/to/files/*.zip" --watches "watch1,watch2"


Example 4

Scans all the tgz files located in the path/to/files/ file-system directory using the policies defined for project-1.

jf s "path/to/files/*.tgz" --project "project-1"


Example 5
Scans all the tgz files located in the current directory using the policies defined for the libs-local/release-artifacts/ path in Artifactory.

jf s "*.tgz" --repo-path "libs-local/release-artifacts/"


Example 6
Scans all the tgz files located at the current directory. Show all known vulnerabilities, regardless of the policies defined in Xray.

jf s "*.tgz"

Scanning Docker Containers on the Local File System

The jf docker scan command scans Docker images that are present in the local Docker engine (as listed by docker images), using the Docker client and JFrog Xray. The image does not need to be pushed to Artifactory or any other container registry before it is scanned, so a push can be gated on the scan result.

This command requires:

  • Version 3.40.0 or above of Xray
  • Version 2.11.0 or above of JFrog CLI
Command name

docker scan

Command options

--server-id

[Optional]

Server ID configured using the jfrog c add command. If not specified, the default configured server is used.

--project

[Optional]

JFrog project key, to enable Xray to determine security violations accordingly. The command accepts this option only if the --repo-path and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities.

--repo-path

[Optional]

Artifactory repository path in the form of <repository>/<path in the repository>, to enable Xray to determine violations accordingly. The command accepts this option only if the --project and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities.

--watches

[Optional]

A comma separated list of Xray watches, to enable Xray to determine violations accordingly. The command accepts this option only if the --project and --repo-path options are not provided. If none of the three options are provided, the command will show all known vulnerabilities.

--licenses

[Default: false]

Set if you also require the list of licenses to be displayed.

--format=json

[Optional]

Produces a JSON file containing the scan results. 

Command arguments

Image tag

The Docker image to scan, in the <image>:<tag> form shown by docker images (for example reg1/repo1/img1:1.0.0). The image must already exist in the local Docker engine.



Examples

Example 1

Scan the local reg1/repo1/img1:1.0.0 image and show all known vulnerabilities, regardless of the policies defined in Xray.

$ docker images
REPOSITORY           TAG       IMAGE ID       CREATED         SIZE
reg1/repo1/img1   1.0.0     6446ea57df7b   19 months ago   5.57MB
$ 
$ jf docker scan reg1/repo1/img1:1.0.0


Example 2

Scan the local reg1/repo1/img1:1.0.0 image and show all violations according to the policy associated with the my-project JFrog project.

$ docker images
REPOSITORY           TAG       IMAGE ID       CREATED         SIZE
reg1/repo1/img1   1.0.0     6446ea57df7b   19 months ago   5.57MB
$ 
$ jf docker scan reg1/repo1/img1:1.0.0 --project my-project


Example 3

Scan the local reg1/repo1/img1:1.0.0 image and show all violations according to the policy associated with the my-watch Xray watch.

$ docker images
REPOSITORY           TAG       IMAGE ID       CREATED         SIZE
reg1/repo1/img1   1.0.0     6446ea57df7b   19 months ago   5.57MB
$ 
$ jf docker scan reg1/repo1/img1:1.0.0 --watches my-watch


Example 4

Scan the local reg1/repo1/img1:1.0.0 image and show all violations according to the policy associated with the releases-local/app1/ path in Artifactory.

$ docker images
REPOSITORY           TAG       IMAGE ID       CREATED         SIZE
reg1/repo1/img1   1.0.0     6446ea57df7b   19 months ago   5.57MB
$ 
$ jf docker scan reg1/repo1/img1:1.0.0 --repo-path releases-local/app1/


Scanning Project Dependencies

The jf audit command scans your project's source-code dependencies for security vulnerabilities and license violations, optionally against your Xray policies. The command builds the full (transitive) dependency graph of your project using the project's own package manager, sends the graph to Xray for scanning, and displays the results. The following package managers are currently supported.

  • Maven (mvn) - Version 3.1.0 or above of Maven is supported.
  • Gradle (gradle)
  • Npm (npm)
  • Pip (pip)
  • Pipenv (pipenv)
  • Go Modules (go)
  • NuGet (nuget)
  • .NET Core CLI (dotnet)

The command will detect the package manager used by the project automatically. It requires version 3.29.0 or above of Xray and also version 2.13.0 or above of JFrog CLI.

Command name

audit

Abbreviation

aud

Command options

--server-id

[Optional]

Server ID configured using the jfrog c add command. If not specified, the default configured server is used.

--project

[Optional]

JFrog project key, to enable Xray to determine security violations accordingly. The command accepts this option only if the --repo-path and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities

--repo-path

[Optional]

Artifactory repository path in the form of <repository>/<path in the repository>, to enable Xray to determine violations accordingly. The command accepts this option only if the --project and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities

--watches

[Optional]

A comma separated list of Xray watches, to enable Xray to determine violations accordingly. The command accepts this option only if the --project and --repo-path options are not provided. If none of the three options are provided, the command will show all known vulnerabilities.

--licenses

[Default: false]

Set if you'd also like the list of licenses to be displayed.

--format

[Default: table]

Defines the output format of the command. Acceptable values are: table and json.

--fail

[Default: true]

Set to false if you do not wish the command to return exit code 3, even if the 'Fail Build' rule is matched by Xray.

--use-wrapper

[Default: false]

Set to true if you'd like to use the Gradle wrapper.

--dep-type

[Default: all]

Defines npm dependencies type. Possible values are: all, devOnly and prodOnly

--exclude-test-deps

[Default: false]

Set to true if you'd like to exclude Gradle test dependencies from Xray scanning.

--go

[Optional]

Request audit for a Go project.

--gradle

[Optional]

Request audit for a Gradle project.

--mvn

[Optional]

Request audit for a Maven project.

--npm

[Optional]

Request audit for a npm project.

--nuget

[Optional]

Request audit for a .NET project.

--pip

[Optional]

Request audit for a Pip project.

--pipenv

[Optional]

Request audit for a Pipenv project.

Command arguments

The command accepts no arguments.


Examples

Example 1

Audit the project at the current directory. Show all known vulnerabilities, regardless of the policies defined in Xray.

jf audit

Example 2

Audit the project at the current directory. Show all known vulnerabilities, regardless of the policies defined in Xray. Audit only the Maven and npm dependencies of the project.

jf audit --mvn --npm

Example 3

Audit the project at the current directory using the watch1 watch defined in Xray.

jf audit --watches "watch1"

Example 4

Audit the project at the current directory using watch1 and watch2 defined in Xray. 

jf audit --watches "watch1,watch2"

Example 5

Audit the project at the current directory using the policies defined for project-1.

jf audit --project "project-1"

Example 6

Audit the project at the current directory using the policies defined for the libs-local/release-artifacts/ path in Artifactory.

jf audit --repo-path "libs-local/release-artifacts/"

Scanning Published Builds

JFrog CLI is integrated with JFrog Xray and JFrog Artifactory, allowing you to have your build artifacts and dependencies scanned for vulnerabilities and license violations. This command scans a build that has already been published to Artifactory with the build-publish command.

Command name

build-scan

Abbreviation
bs
Command options


--server-id

[Optional]

Server ID configured by the jfrog c add command. If not specified, the default configured server is used.

--vuln

[Optional]

Set if you'd like to receive all vulnerabilities, regardless of the policy configured in Xray.

--fail

[Default: true]

When set, the command returns exit code 3 if a 'Fail Build' rule is matched by Xray.
Set to false if you do not wish the command to return exit code 3 in such case, and an exit code 0 will be returned.

--format

[Default: table]

Defines the output format of the command. The accepted values are: table and json.

--project

[Optional]

JFrog project key

Command arguments
The command accepts two arguments.

Build name      Build name to be scanned.
Build number    Build number to be scanned.

Example

jf bs my-build-name 18
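Because --fail turns a matched 'Fail Build' rule into exit code 3 for both jf audit and jf build-scan, a CI job can gate on that status. The script below is an added example, not code from the JFrog CLI documentation or project; it assumes only the exit-code contract stated on this page (0 means no 'Fail Build' rule matched, 3 means one did) and treats every other non-zero status as a scanner error that also blocks the pipeline. The names JF_CMD, GATE_RUN, classify_exit and run_gate are the example's own.

```shell
#!/bin/sh
# Added example, not from the JFrog CLI documentation or code base.
# CI gate around `jf audit --fail` or `jf build-scan --fail`, built on the
# exit-code contract stated on this page: 0 = no 'Fail Build' rule matched,
# 3 = an Xray 'Fail Build' rule matched. Any other status is treated as a
# scanner error and ALSO blocks the pipeline (fail closed): an unreachable
# Xray, an expired token or an unsupported project must not look like a pass.
# JF_CMD, GATE_RUN, classify_exit and run_gate are names chosen for this
# example. JF_CMD is the scanner invocation; override it for jf audit.

: "${JF_CMD:=jf build-scan --fail=true my-build-name 18}"

# classify_exit STATUS: print a verdict for a jf exit status.
# Return code: 0 = pass, 1 = policy violation, 2 = scanner error.
classify_exit() {
  case "$1" in
    0) echo "pass";             return 0 ;;
    3) echo "policy-violation"; return 1 ;;
    *) echo "scanner-error";    return 2 ;;
  esac
}

# run_gate: run $JF_CMD (unquoted on purpose, so the command line is
# word-split), capture its status without tripping `set -e`, and print
# the verdict. Its own return code follows classify_exit.
run_gate() {
  rc=0
  $JF_CMD || rc=$?
  classify_exit "$rc"
}

# Only act when invoked directly with GATE_RUN=1, so the functions can be
# sourced by other scripts without running the scanner.
if [ "${GATE_RUN:-0}" = "1" ]; then
  verdict=$(run_gate) || true
  echo "xray gate: $verdict"
  [ "$verdict" = "pass" ] || exit 1
fi
```

Run it as GATE_RUN=1 sh gate.sh in the job step after jf build-publish, or set JF_CMD to a jf audit invocation for a pre-publish check on the dependency graph. The common mistake is letting a scanner error fall through as success; with this mapping an unreachable Xray or an expired token stops the pipeline instead of passing it.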


