Overview

JFrog Xray works with JFrog Artifactory to perform universal analysis of binary software components at any stage of the application lifecycle providing radical transparency that leads to trust in your software. By scanning binary components and their metadata, recursively going through dependencies at any level, JFrog Xray provides unprecedented visibility into issues lurking in components anywhere in your organization. Xray’s interface with Artifactory gives it the exclusive advantage of combining any number of data feeds with the exhaustive metadata stored within Artifactory to detect different issues without needing access to source code. JFrog Xray is also fully automated through a rich REST API that lets it integrate with a CI/CD pipeline and allows other binary analysis tools to build on its unique capabilities.

  • Universal 
    In line with JFrog’s universal approach, Xray supports a variety of package types supported by Artifactory. 
     
  • Open for integration 
    While Xray comes with its own database of software components and vulnerabilities out-of-the-box, it is also open to integration with other databases and tools. Using Xray's open API, customers can integrate Xray with their own systems and data feeds.
     
  • Open for different issue types
    Xray is not limited to security vulnerabilities; it can receive any type of information about software component that can help you make decisions. For example, you can provide Xray with information about components that have performance issues or severe defects and the impact that these components have on your software.

  • Deep scanning
    Xray performs a deep scan of artifacts, recursively going through dependencies at any level and creating a graph of relationships between software components. For example, when analyzing a Docker image, if Xray finds that it contains a Java application it will also analyze all the .jar files used in this application.

  • Impact analysis 
    Xray analyzes how an issue in one component affects all others in your company and displays the chain of impact in a component graph.

  • Native integration with Artifactory
    Xray is the only tool that is natively integrated with JFrog Artifactory.

Home Screen

 Once you have installed Xray, to start analyzing your repositories and reveal vulnerabilities in your system, please refer to Configuring Xray.

How Does JFrog Xray Protect You

JFrog Xray is the only product that takes a dual approach to protecting you against issues using a unique combination of:

Deep Recursive Scanning

JFrog Xray recursively scans components in your system, recursively drilling down to analyze even the smallest binary component that affects your software. 

Continuous Impact Analysis

JFrog Xray continuously scans and analyzes existing components, even those long since deployed to production, and provides alerts and notifications for just-discovered vulnerabilities.

Custom API-Driven Automation

Through an open REST API, JFrog Xray lets you define a custom regimen of automated analysis for all components in your system.

How JFrog Xray Analyzes your Artifacts

Xray performs two types of analysis:

Scanning

Xray monitors builds or repositories in Artifactory for policy violations. Each time a monitored build is updated, or an artifact is deployed to a monitored repository, Xray will scan it and its dependencies and trigger a violation if any policy is met.

Impact Analysis

Xray listens to all providers currently streaming feeds regarding issues. If any provider notifies Xray of a new issue with an artifact, Xray looks up the artifact in its database. If the artifact is already in the database, Xray will perform an impact analysis to determine all the artifacts in Artifactory that are ultimately affected by the issue by virtue of their including the problematic artifact. The results are displayed in an impact analysis graph.

The Xray-Artifactory Edge

As a complementary product to JFrog Artifactory, JFrog Xray has access to the wealth of metadata Artifactory stores which, combined with deep recursive scanning, puts Xray in a unique position to analyze the relationships between binary artifacts and provide radical transparency into your component architecture to reveal the impact that a vulnerability in one component has on any other.

PDF Download

The Xray User Guide is available for download in PDF format. Click this link to download the latest version: <a href='https://bintray.com/jfrog/jfrog-docs/Xray-User-Guide/_latestVersion'><img src='https://api.bintray.com/packages/jfrog/jfrog-docs/Xray-User-Guide/images/download.svg'></a>

Note that the online version may be more up-to-date.