JFrog and GitHub Integration FAQs

JFrog and GitHub Integration Guide

  1. Does the Frogbot GitHub Advanced Security integration work with on-prem versions of GitHub and Artifactory?

    The integration supports JFrog and GitHub’s SaaS/managed offerings and self-hosted versions.

  2. Is GitHub Advanced Security required for the JFrog and GitHub integration?

    GitHub Advanced Security is not required to benefit from the integration. If enabled, it allows consolidation of security results from JFrog into GitHub Advanced Security for a unified view.

  3. What’s the difference between using Frogbot and the JFrog Xray CLI?

    Frogbot is used for repository scanning, pull request scans, and other GitHub-native functions. The JFrog CLI allows integration of Xray and JFrog Advanced Security features into your build process and SDLC.

  4. Will GitHub’s UI be enhanced to display Artifactory packages?

    The GitHub UI now includes a "JFrog Summary" for builds, showing links to binaries, build locations, and vulnerability information.

  5. Are specific JFrog products required to benefit from the integration?

    For optimal benefits, using JFrog throughout your CI/CD process is recommended. Any tier with Xray can be used for GitHub Actions integration, but advanced features require EnterpriseX or higher.

  6. Can SBOM data be exported or searched?

    SBOMs stored in the JFrog Platform can be exported in CycloneDX or SPDX formats, available in JSON, XML, or PDF.

  7. How does SSO work for GitHub EMU customers?

    The SSO integration is consistent for both self-hosted and hosted GitHub solutions.

  8. Does the integrated code scanning solution use GitHub Advanced Security’s SARIF ingestion, and is GitHub Advanced Security required?

    The GitHub Advanced Security add-on is not required, but if enabled, it allows consolidating JFrog security results into GitHub Advanced Security for a comprehensive view.

  9. Will the integration replace GitHub Packages, and what are the advantages?

    GitHub Packages can still be used, but Artifactory is the preferred method for package management, providing industry-standard features and enhancing your software supply chain security.

  10. Can an OIDC connection setup be used to obtain a temporary username/password for tools like Maven, npm, and Docker?

    The OIDC setup provides a short-lived token usable in GitHub Actions and with JFrog CLI.
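
    The workflow below is an added example, not part of the JFrog FAQ or JFrog's own documentation, showing how a GitHub Actions job obtains that short-lived token: the job requests an OIDC token from GitHub (`id-token: write`), and the `jfrog/setup-jfrog-cli` action exchanges it for a JFrog access token scoped to that run, so no long-lived username/password or access token is stored as a repository secret. The provider name `github-oidc`, the repository variable `JF_URL` and the repository names `npm-remote`/`npm-local` are placeholders, and the action inputs are assumed to match the action's README.

```yaml
# Added example (not from the JFrog FAQ page): GitHub Actions workflow that
# authenticates to the JFrog Platform with a short-lived OIDC-exchanged token
# instead of a stored access token or password.
# Assumptions (placeholders): the OIDC provider configured in the JFrog Platform
# is named "github-oidc", the Platform URL is kept in a repository variable
# JF_URL, and the setup-jfrog-cli inputs are as documented in its README.
name: build-and-publish

on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # allows the job to request an OIDC token from GitHub

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Exchanges the GitHub OIDC token for a short-lived JFrog access token
      # that is valid only for this job.
      - uses: jfrog/setup-jfrog-cli@v4
        env:
          JF_URL: ${{ vars.JF_URL }}
        with:
          oidc-provider-name: github-oidc   # placeholder: must match the provider name in the JFrog Platform

      # Sanity check that the CLI is authenticated for this run.
      - run: jf rt ping

      # Resolve and deploy through Artifactory using the same short-lived identity.
      - run: |
          jf npm-config --repo-resolve npm-remote --repo-deploy npm-local   # placeholder repository names
          jf npm install
          jf npm publish
```

    On the JFrog side, the identity mapping attached to the OIDC provider decides which GitHub claims (repository, branch, workflow) may exchange a token and which user or group the token inherits, so the trust can be narrowed to a single repository and branch rather than granting every workflow in the organization the same access. Because the token expires with the job, a leaked workflow log or runner does not yield a reusable credential.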

  11. Do you need a GitHub Advanced Security license to use JFrog SAST and SCA? Will JFrog scan results appear in GitHub’s code scanning section?

    JFrog scan results are available in GitHub’s security tab. A GitHub Advanced Security license is not required for JFrog SAST and SCA, but consulting with JFrog for optimal integration is recommended.