Have a question? Want to report an issue? Contact JFrog support

Skip to end of metadata
Go to start of metadata

Overview

JFrog Xray is open for integration with any number of issue and vulnerability providers and pre-configured with a number of providers out-of-the-box. In addition, you can connect to additional issue and vulnerability feeds if you have accounts with the corresponding providers. The Integrations screen in the Admin module displays the integrations you have configured and connected to.

To add a new integration, click "Add Integration". The button will be disabled if all integrations currently available in the system have already been configured.

Page Contents

The Add Integration dialog shows all available integrations you can connect to, and provides the option to add a custom integration. Select the provider you wish to connect to from the list of icons displayed, or click the plus sign to add a custom integration. 

To connect to a provider, set the Enabled checkbox and enter the following parameters:

  • The API Key you received from the provider
  • The Test URL you can use to test your API key with the provider using the "Test" button.
  • The URL Xray uses to check if a component it is scanning is registered with the provider. 

Aqua

Aqua Security offers a comprehensive security solution for containerized environments. If you have an account with Aqua, you may enable this feed, enter your Aqua API key, the URL of your on-prem Aqua installation and the test URL.


WhiteSource

WhiteSource offers a security and license management solution for your open source components.  If you have an account with WhiteSource, you may enable this feed and enter your WhiteSource API key, URL and Test URL.


Black Duck

Black Duck offers an enterprise-grade solution to automate the process of securing, managing, and ensuring license compliance for open source software in applications and containers. If you are a Black Duck customer, you may enable this feed by purchasing the standard Hub edition with the security module, enter the provided Black Duck API key, the URL of your Black Duck installation and the test URL to start using Black Duck data within Xray.


Snyk

From Xray version 1.11, Snyk support includes six additional package types to the already supported npm packages, with two levels of Snyk integrations described below.

Snyk helps you use open source dependencies without compromising security. Its Vulnerability database comes pre-bundled with XRay and allows scanning for vulnerabilities in open source dependencies across all major programming languages. JFrog provides two integration levels with Snyk: 

  • Snyk Basic: A subset of Snyk’s Vulnerability database that comes pre-bundled with XRay and allows scanning for vulnerabilities. 
  • Snyk Premium: For even deeper security coverage, upgrade to Snyk Premium to unlock the full Vulnerability DB and get access to automated remediation and security patches. This unique set of vulnerabilities is compiled by the Snyk team and cannot be found in public structured vulnerability databases. To learn more, refer to Upgrading to Snyk Premium.

To connect to a provider, set the following parameters:

  • The Enable Premium account activates the Premium accountTo learn more, refer to Upgrading to Snyk Premium.
  • The API Key is the API token in the Snyk UI, and can be found by clicking the 'My account' link on the top right.
  • The Org Id is your Snyk public Organisation ID. You can find this ID in the Snyk UI, by choosing the Snyk organization you want to integrate with and clicking the 'Settings' tab.

Adding a Custom Integration

In addition to the integrations included out-of-the-box, Xray also allows you to create custom integrations. This gives you the opportunity to add analyses from different providers with whom you may have an account, or even to create your own provider and display information such as performance issues, known defects or any other information offered by your provider.

Custom Provider

To add and connect to a custom provider, set the Enabled checkbox and enter the following parameters:

  • The Vendor name
  • The API Key you received from the provider
  • The URL Xray uses to check if a component it is scanning is registered with the provider. 
  • The Test URL you can use to test your API key with the provider using the "Test" button.
  • The URL to an icon you can optionally display for the vendor
  • A Description for the vendor

 

 

 

 

 

 

 

  • No labels