Installation and Setup

To install and work with the plugin, follow these steps.

1. Install the JFrog plugin, using one of these options:
   
   • IntelliJ plugin repository.
   • Build from sources. 
2. Need a FREE JFrog environment in the cloud? Create one now and connect IDEA to it.
3. Already have a working JFrog environment?  Connect IDEA to it
4. Scan and view the results.
5. Filter Xray Scanned Results.

Installing from the IntelliJ Plugin Repository

1. Under Settings (Preferences) | Plugins, click on the Marketplace tab and search for JFrog.
2. Once the plugin is found, click Install.
   

Installing the Plugin from Disk

1. See the procedure on how to build the plugin from sources in GitHub.
2. Under Settings (Preferences) | Plugins, click and choose Install Plugin from Disk...
   
3. Select the plugin file and click OK.
   

Set Up a FREE JFrog Environment in the Cloud

Need a FREE JFrog environment in the cloud, so that IDEA can connect to it? Just run one of the following commands in your terminal. The commands will do the following.

1. Install JFrog CLI on your machine.
2. Create a FREE JFrog environment in the cloud for you.
3. Configure IntelliJ IDEA to connect to your new environment.

curl -fL https://getcli.jfrog.io?setup | sh

powershell "Start-Process -Wait -Verb RunAs powershell '-NoProfile iwr https://releases.jfrog.io/artifactory/jfrog-cli/v2-jf/[RELEASE]/jfrog-cli-windows-amd64/jf.exe -OutFile $env:SYSTEMROOT\system32\jf.exe'"; jf setup

Connecting the Plugin to Your JFrog Environment

Once the plugin is successfully installed, connect the plugin to your instance of the JFrog Platform.

1. If your JFrog Platform instance is behind an HTTP proxy, configure the proxy settings as described here. Manual proxy configuration is supported since version 1.3.0 of the JFrog IDEA Plugin. Auto-detect proxy settings is supported since version 1.7.0.
2. Under Settings (Preferences) | Other Settings, click JFrog Global Configuration.
3. Set your JFrog Platform URL and login credentials.
4. As you can see in the below image, you also have the option of storing the connection details in environment variables, which should be set before starting up the IDE. 
5. Test your connection to Xray using the Test Connection button.

Using the Plugin - General

After the JFrog Plugin is installed, a new JFrog panel is added at the bottom of the screen. Opening the JFrog panel displays two views - Local and CI. 

• The Local view displays information about the local code as it is being developed in IDEA. JFrog Xray continuously scans the project's dependencies locally, and the information is displayed in the Local view. 
• The CI view allows the tracking of the code as it is built, tested and scanned by the CI server. It displays information about the status of the build and includes a link to the build log on the CI server.

The Local View

General

The JFrog Plugin continuously scans your project's dependencies with JFrog Xray and displays this information under the Local View. The plugin currently supports Xray scanning of Maven, Gradle, Go and npm projects. It allows developers to view vulnerability information about the components and their dependencies. With this information, a developer can make an informed decision on whether to use a component or not before the code is pushed into the source control.

The view allows you to filter the scanned results according to the issues severity, licenses or dependencies' scopes.

When clicking on a vulnerability on the middle pane, the More Info page is updated with information about the vulnerability.

You can export all the data from the UI into a CSV file by clicking on the Export button.

The editor provides a quick view of the status of all the project dependencies. Clicking on the icon next to a dependency, will highlight the dependency in the tree view inside the JFrog panel.

When hovering above a dependency in the editor, the information about it is displayed.

You can right-click on a dependency in the tree view and choose Show in project descriptor. In Maven projects, you also have the option of excluding a transitive dependency from the pom.xml, by right-clicking on the dependency in the tree and selecting Exclude dependency.

If you configured IDEA to show vulnerabilities according to a JFrog Project or Watches, you have the option of cresting Ignore Rules for specific vulnerabilities.

Applying Your Xray Policies

To configure IntelliJ IDEA to reflect the Security Policies required by your organization, follow these steps.

1. Create a JFrog Project, or obtain the relevant JFrog Project key
2. Create a Policy on JFrog Xray
3. Create a Watch on JFrog Xray and assign your Policy and Project as resources to it
4. Configure your Project key in IDEA under Settings (Preferences) | Other Settings | JFrog Global Configuration

The CI View

Overview

The JFrog IDEA Plugin allows you to view information about your builds directly from your CI system. This allows developers to keep track of the status of their code, while it is being built, tested and scanned as part of the CI pipeline, regardless of the CI provider used.

This information can be viewed inside IntelliJ IDEA, from the JFrog Panel, under the CI tab.

The following details can be made available in the CI view.

• Status of the build run (passed or failed)
• Build run start time
• Git branch and latest commit message
• Link to the CI run log
• Security information about the build artifacts and dependencies

How Does It Work?

The CI information displayed in IDEA is pulled by the JFrog IDEA Plugin directly from JFrog Artifactory. This information is stored in Artifactory as part of the build-info, which is published to Artifactory by the CI server. Read more about build-info in the Build Integration documentation page. If the CI pipeline is also configured to scan the build-info by JFrog Xray, the JFrog IDEA Plugin will pull the results of the scan from JFrog Xray and display them in the CI view as well.

Setting Up CI Integration

Set up your CI pipeline to expose information, so that it is visible in IDEA as described here.

Next, follow these steps.

1. Under Settings (Preferences) | Other Settings, click JFrog Global Configuration. configure the JFrog Platform URL and the user you created.
2. Under Settings (Preferences) | Other Settings, click JFrog CI Integration. Set your CI build name in the Build name pattern field. This is the name of the build published to Artifactory by your CI pipeline. You have the option of setting * to view all the builds published to Artifactory.
   
3. Click Apply and open the CI tab under the JFrog panel at the bottom of the screen and click the Refresh button.

Release Notes

The release notes are available here.

Troubleshooting

The JFrog Plugin uses the IntelliJ IDEA log files. By default, the log level used used by the plugin is INFO.

You have the option of increasing the log level to DEBUG. Here's how you do this:

1. Go to Help | Diagnostic Tools | Debug Log Settings...
2. Inside the Custom Debug Log Configuration window add the following line:

#com.jfrog.ide.idea.log.Logger

To see the Intellij IDEA log file, depends on the IDE version and OS as described here, go to Help | Show/reveal Log in Explorer/finder/Konqueror/Nautilus.

Reporting Issues

Please report issues by opening an issue on Github.

Watch the Screencast

<iframe width="560" height="315" src="https://www.youtube.com/embed/Ca23EteyPeg" title="JFrog IntelliJ IDE Plugin: Security Right from the Developer IDE" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>