Installation and Setup
To install and work with the plugin:
- Install the JFrog plugin, using one of these options:
- Configure the plugin to connect to your JFrog Platform.
- Scan and view the results.
- Filter Xray Scanned Results.
- IntelliJ IDEA version 2016.2 and above.
- JFrog Xray version 126.96.36.199 and above.
Installing from the IntelliJ Plugin Repository
- Under Settings (Preferences) | Plugins, click Browse repositories and search for JFrog.
- Once the plugin is found, click Install JetBrains Plugin.
Installing the Plugin from Disk
- See the procedure on how to build the plugin from sources in GitHub.
- Under Settings (Preferences) | Plugins, click Install plugin from disk...
- Select the plugin file and click OK.
Connecting the Plugin to Your JFrog Platform Instance
Once the plugin is successfully installed, connect the plugin to your instance of the JFrog Platform.
- If your JFrog Platform instance is behind an HTTP proxy, configure the proxy settings as described here. Manual proxy configuration is supported since version 1.3.0 of the JFrog IDEA Plugin. Auto-detect proxy settings is supported since version 1.7.0.
- Under Settings (Preferences) | Other Settings, click JFrog Global Configuration.
- Set your JFrog Platform URL and login credentials.
- You also have the option of storing the connection details in environment variables, which should be set before starting up the IDE.
- Test your connection to Xray using the Test Connection button.
Self-signed Xray domain
If your JFrog Platform instance uses a domain with a self-signed certificate, add the certificate to IDEA as described here.
Using the Plugin - General
After the JFrog Plugin is installed, a new JFrog panel is added at the bottom of the screen. Opening the JFrog panel displays two views - Local and CI.
- The Local view displays information about the local code as it is being developed in IDEA. JFrog Xray continuously scans the project's dependencies locally, and the information is displayed in the Local view.
- The CI view allows the tracking of the code as it is built, tested and scanned by the CI server. It displays information about the status of the build and includes a link to the build log on the CI server.
The Local View
The JFrog Plugin continuously scans your project's dependencies with JFrog Xray and displays this information under the Local View. The plugin currently supports Xray scanning of Maven, Gradle, Go and npm projects. It allows developers to view vulnerability information about the components and their dependencies. With this information, a developer can make an informed decision on whether to use a component or not before the code is pushed into the source control.
The view allows you to filter the scanned results by issue severity, license or dependency scope.
From JFrog Xray version 1.9 to version 2.x, IntelliJ IDEA users connecting to Xray from IntelliJ are required to be granted the ‘View Components’ action in Xray.
From JFrog Xray version 3.x, as part of the JFrog Platform, IntelliJ IDEA users connecting to Xray from IntelliJ require ‘Read’ permission. For more information, see Permissions.
Scanning and Viewing the Results
JFrog Xray automatically performs a scan whenever there is a change in the dependencies in the project.
To manually invoke a scan:
- Click Refresh in the JFrog plugin.
- View the scanned results in the plugin.
When hovering above a dependency in the editor, the information about it is displayed.
You can navigate from the editor to the dependency tree.
You can right-click on a dependency in the tree view and choose Show in project descriptor.
In Maven projects, you also have the option of excluding a transitive dependency from the pom.xml by right-clicking on the dependency in the tree and selecting Exclude dependency.
Scanning Python Projects
The CI View
The JFrog IDEA Plugin allows you to view information about your builds directly from your CI system. This allows developers to keep track of the status of their code, while it is being built, tested and scanned as part of the CI pipeline, regardless of the CI provider used.
This information can be viewed inside IntelliJ IDEA, from the JFrog Panel, under the CI tab.
The following details can be made available in the CI view.
- Status of the build run (passed or failed)
- Build run start time
- Git branch and latest commit message
- Link to the CI run log
- Security information about the build artifacts and dependencies
How Does It Work?
The CI information displayed in IDEA is pulled by the JFrog IDEA Plugin directly from JFrog Artifactory. This information is stored in Artifactory as part of the build-info, which is published to Artifactory by the CI server. Read more about build-info in the Build Integration documentation page. If the CI pipeline is also configured to scan the build-info by JFrog Xray, the JFrog IDEA Plugin will pull the results of the scan from JFrog Xray and display them in the CI view as well.
Setting Up CI Integration
Set up your CI pipeline to expose information, so that it is visible in IDEA as described here.
Next, follow these steps.
- Under Settings (Preferences) | Other Settings, click JFrog Global Configuration. Configure the JFrog Platform URL and the user you created.
- Under Settings (Preferences) | Other Settings, click JFrog CI Integration. Set your CI build name in the Build name pattern field. This is the name of the build published to Artifactory by your CI pipeline. You have the option of setting * to view all the builds published to Artifactory.
- Click Apply and open the CI tab under the JFrog panel at the bottom of the screen and click the Refresh button.
The release notes are available here.
The JFrog Plugin uses the IntelliJ IDEA log files. By default, the log level used by the plugin is INFO.
You have the option of increasing the log level to DEBUG. Here's how you do this:
- Go to Help | Diagnostic Tools | Debug Log Settings...
- Inside the Custom Debug Log Configuration window add the following line:
To see the IntelliJ IDEA log file, go to Help | Show/reveal Log in Explorer/Finder/Konqueror/Nautilus (this depends on the IDE version and OS, as described here).
Please report issues by opening an issue on GitHub.