Installation and Setup
To install and work with the plugin:
- Install the JFrog plugin, using one of these options:
- Configure the plugin to connect to JFrog Xray.
- Scan and view the results.
- Filter Xray Scanned Results.
- IntelliJ IDEA version 2016.2 and above.
- JFrog Xray version 188.8.131.52 and above.
Installing from the IntelliJ Plugin Repository
- Under Settings (Preferences) | Plugins, click Browse repositories and search for JFrog.
- Once the plugin is found, click Install JetBrains Plugin.
Installing Plugin from Disk
- See the procedure on how to build the plugin from sources in GitHub.
- Under Settings (Preferences) | Plugins, click Install plugin from disk...
- Select the plugin file and click OK.
Connecting the Plugin to Your JFrog Platform Instance
Once the plugin is successfully installed, connect the plugin to your instance of the JFrog Platform.
- If your JFrog Platform instance is behind an HTTP proxy, configure the proxy settings as described here. Manual proxy configuration is supported since version 1.3.0 of the JFrog IDEA Plugin. Auto-detect proxy settings is supported since version 1.7.0.
- Under Settings (Preferences) | Other Settings, click JFrog Global Configuration.
- Set your JFrog Platform URL and login credentials.
- You also have the option of storing the connection details in environment variables, which should be set before starting up the IDE.
- Test your connection to Xray using the Test Connection button.
Self-signed Xray domain
If your JFrog Platform instance uses a domain with a self-signed certificate, add the certificate to IDEA as described here.
Using the Plugin - General
After the JFrog Plugin is installed, a new JFrog panel is added at the bottom of the screen. Opening the JFrog panel displays two views - Local and CI.
- The Local view displays information about the local code as it is being developed in IDEA. JFrog Xray continuously scans the project's dependencies locally, and the information is displayed in the Local view.
- The CI view allows the tracking of the code as it is built, tested and scanned by the CI server. It displays information about the status of the build and includes a link to the build log on the CI server.
The Local View
The JFrog Plugin continuously scans your project's dependencies with JFrog Xray and displays this information under the Local View. The plugin currently supports Xray scanning of Maven, Gradle, Go and npm projects. It allows developers to view vulnerability information about the components and their dependencies. With this information, a developer can make an informed decision on whether to use a component or not before the code is pushed into the source control.
The view allows you to filter the scanned results according to issue severity, licenses or dependency scopes.
From JFrog Xray version 1.9 to version 2.x, IntelliJ IDEA users connecting to Xray from IntelliJ are required to be granted the ‘View Components’ action in Xray.
From JFrog Xray version 3.x, as part of the JFrog Platform, IntelliJ IDEA users connecting to Xray from IntelliJ require ‘Read’ permission. For more information, see Permissions.
Scanning and Viewing the Results
JFrog Xray automatically performs a scan whenever there is a change in the dependencies in the project.
To manually invoke a scan:
- Click Refresh in the JFrog plugin.
- View the scanned results in the plugin.
When hovering above a dependency in the editor, the information about it is displayed.
You can navigate from the editor to the dependency tree.
You can right-click on a dependency in the tree view and choose Show in project descriptor.
In Maven projects, you also have the option of excluding a transitive dependency from the pom.xml, by right-clicking on the dependency in the tree and selecting Exclude dependency.
The CI View
The JFrog IDEA Plugin allows you to view information about your builds directly from your CI system. This allows developers to keep track of the status of their code, while it is being built, tested and scanned as part of the CI pipeline, regardless of the CI provider used.
This information can be viewed inside IntelliJ IDEA, from the JFrog Panel, under the CI tab.
The following details can be made available in the CI view.
- Status of the build run (passed or failed)
- Build run start time
- Git branch and latest commit message
- Link to the CI run log
- Security information about the build artifacts and dependencies
How Does It Work?
The CI information displayed in IDEA is pulled by the JFrog IDEA Plugin directly from JFrog Artifactory. This information is stored in Artifactory as part of the build-info, which is published to Artifactory by the CI server. Read more about build-info in the Build Integration documentation page. If the CI pipeline is also configured to scan the build-info by JFrog Xray, the JFrog IDEA Plugin will pull the results of the scan from JFrog Xray and display them in the CI view as well.
Setting up CI integration
Setting up CI integration for IDEA requires the following steps.
- Configuring the CI pipeline to record and publish build-info to JFrog Artifactory
- Creating a JFrog Platform user to be set in IDEA
- Configuring IDEA to display the CI information
Step 1 - Configuring Your CI Pipeline to record and publish build-info to JFrog Artifactory
To set up your CI to expose the information to IDEA, you need to include the following as part of your pipeline script.
Download JFrog CLI, so that it can be used in the pipeline:
Set the following environment variables with the build name and build run number.
Set the following environment variable, with the URL to the pipeline log on the CI.
If needed, configure JFrog CLI using the following command.
If needed, configure the repositories for your project. For example, if your code is built using Maven, run:
Run the command that builds your code using JFrog CLI. For example, if your code is built using Maven, run:
Set the following environment variable, to indicate that the build finished successfully.
Make sure to set the environment variable's value to FAIL, to indicate a failure of the CI pipeline.
Record the environment variables and the project's git information as part of the build-info and then, publish the build-info to Artifactory. Make sure your pipeline always executes these commands, even in the case of a failure.
Optionally scan the published build with JFrog Xray by running
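The steps above combined into one pipeline wrapper, as an added example that is not part of the JFrog documentation: it runs the build, sets the status to PASS or FAIL, and publishes the build-info in both cases. The function names and sample arguments are hypothetical, and the status variable name JFROG_BUILD_STATUS is an assumption because the page's own command listing is missing; JFrog CLI is assumed to be installed and configured.

```shell
#!/bin/sh
# Added example, not JFrog's own script. Assumes "jfrog" is on PATH and configured.

# publish_build_info STATUS
# Records environment variables and git details, then publishes the build-info.
# build-collect-env stores environment variables in the build-info, so avoid
# exporting secrets in the CI job that you do not want recorded there.
publish_build_info() {
    JFROG_BUILD_STATUS=$1          # assumed variable name; value PASS or FAIL
    export JFROG_BUILD_STATUS
    jfrog rt build-collect-env || return 1
    jfrog rt build-add-git || return 1
    jfrog rt build-publish || return 1
}

# run_ci_build NAME NUMBER LOG_URL BUILD_COMMAND...
# Returns 0 on success, 1 if the build failed, 2 if publishing failed.
run_ci_build() {
    JFROG_CLI_BUILD_NAME=$1 JFROG_CLI_BUILD_NUMBER=$2 JFROG_CLI_BUILD_URL=$3
    export JFROG_CLI_BUILD_NAME JFROG_CLI_BUILD_NUMBER JFROG_CLI_BUILD_URL
    shift 3
    build_status=PASS
    "$@" || build_status=FAIL      # keep going so the failure is still published
    publish_build_info "$build_status" || return 2
    [ "$build_status" = PASS ] || return 1
    jfrog rt build-scan            # optional Xray scan of the published build
}

# Usage (constructed values):
# run_ci_build my-build 42 https://ci.example.com/runs/42 jfrog rt mvn clean install
```
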
JFrog Pipelines Example
GitHub Actions Example
This example uses the setup-jfrog-cli GitHub Action, which already sets the JFROG_CLI_BUILD_NAME, JFROG_CLI_BUILD_NUMBER and JFROG_CLI_BUILD_URL behind the scenes.
Step 2 - Creating a JFrog Platform user to be set in IDEA
Follow these steps to create a JFrog Platform user for IntelliJ IDEA. The user will have limited permissions, which only allow viewing the CI information inside IDEA.
Make sure JFrog CLI is installed on your local machine by running
If it is not installed, install it.
Run the following command to create a Users Group in the JFrog Platform. We'll use the name ide-developers for the Group. Feel free to choose a different name.
Run the following commands to create a Permission in the JFrog Platform. We'll use the name ide-developers-perm for the Permission. Feel free to choose a different name. Notice that the Group name we created is also included in the following commands.
Create the JFrog Platform user by running the following command, after replacing the <username>, <password> and <email> tokens. Notice that the Group name we created is also included in the following command.
Step 3 - Configuring IDEA to display the CI information
Now that your CI pipeline records and publishes the build-info to Artifactory, you can configure IntelliJ IDEA to display the CI information. Follow these steps to configure IDEA.
- Under Settings (Preferences) | Other Settings, click JFrog Global Configuration. Configure the JFrog Platform URL and the user you created.
- Under Settings (Preferences) | Other Settings, click JFrog CI Integration. Set your CI build name in the Build name pattern field. This is the name of the build published to Artifactory by your CI pipeline. You have the option of setting * to view all the builds published to Artifactory.
- Click Apply and open the CI tab under the JFrog panel at the bottom of the screen and click the Refresh button.
The release notes are available here.
The JFrog Plugin uses the IntelliJ IDEA log files. By default, the log level used by the plugin is INFO.
You have the option of increasing the log level to DEBUG. Here's how you do this:
- Go to Help | Diagnostic Tools | Debug Log Settings...
- Inside the Custom Debug Log Configuration window add the following line:
To see the IntelliJ IDEA log file, go to Help | Show/reveal Log in Explorer/Finder/Konqueror/Nautilus. The location of the log file depends on the IDE version and OS, as described here.
Please report issues by opening an issue on GitHub.
Watch the Screencast
Watch this screencast to learn how the JFrog IntelliJ IDEA plugin adds JFrog Xray scanning of Maven project dependencies to your IntelliJ IDEA.