JFrog Code Security Insights in GitHub Advanced Security

JFrog and GitHub Integration Guide

Prevents risky code changes before merging into your GitHub repository.

Who can use this feature?

JFrog Code Security Insights in GitHub Advanced Security is available to Enterprise/Enterprise+ customers with JFrog Advanced Security only. For a complete feature comparison by subscription type, refer to the JFrog and GitHub Integration Features Matrix.

When developers push code to GitHub, a build process is triggered. The integration scans every code change and displays the results as comments in the Pull Request (for pull requests) or in the GitHub Advanced Security Dashboard (for branch commits). JFrog Advanced Security performs SAST, Vulnerability Contextual Analysis, and Secrets scanning.

Product: JFrog Xray

  • Software Composition Analysis: Scans your project dependencies for security issues.

    • Enhanced CVE Data: For selected security issues, receive detailed CVE information from the JFrog Security Research team.

    • Comprehensive Vulnerabilities Database: Frogbot leverages JFrog's extensive and continuously updated vulnerabilities database to identify and address component vulnerabilities effectively.

  • Validate Dependency Licenses (Xray Dependencies Scan): Ensures that the licenses for your project's dependencies align with a predefined list of approved licenses.

Product: JFrog Advanced Security

  • Static Application Security Testing (SAST): Utilizes fast and accurate security engines to detect zero-day vulnerabilities in sensitive source code operations while minimizing false positives.

  • CVE Vulnerability Contextual Analysis: Utilizes code context to filter out false positives for irrelevant, vulnerable dependencies. For applicable CVEs, Frogbot comments directly on the relevant code lines in pull requests, providing detailed descriptions of the security issues. Currently, Vulnerability Contextual Analysis supports Python, JavaScript, and Java code.

  • Secrets Detection (Secrets Scans): Identifies and prevents accidental leaks of internal tokens or credentials by detecting any secrets left exposed in the code.

  • Infrastructure as Code Scans (IaC) (Exposures Scans): Scans Infrastructure as Code (Terraform) files for early detection of cloud and infrastructure misconfigurations.

What does it do?

JFrog's Code Security Insights in GitHub Advanced Security proactively secures your code using Frogbot with JFrog Xray and JFrog Advanced Security. Findings are displayed in GitHub's Advanced Security code scanning section.

Frogbot scans your source code for security vulnerabilities during branch commits or pull requests. It checks for SCA issues (vulnerable dependencies, malicious packages, license violations) and JFrog Advanced Security issues (SAST, contextual analysis, secrets, IaC), presenting the results in GitHub.

  • Branch Commits: Results are displayed in the GitHub Advanced Security Dashboard under the Code Scanning section and in JFrog Xray under Scan List > Git Repositories (SaaS only).

  • Pull Requests: Findings appear as comments directly within the Pull Request.

Why is it important?

  • Developers

    • Faster Remediation: Enables early detection and quicker resolution of vulnerabilities.

    • Improved Code Quality: Proactively manages vulnerabilities to enhance overall code quality.

  • Security

    • Early Detection: Identifies risks during pull requests.

    • Comprehensive Coverage: Provides consistent security oversight throughout the development lifecycle.

    • Enhanced Visibility: JFrog Advanced Security findings are integrated into GitHub dashboards for better visibility.

    • Automated Code Reviews: Frogbot integration improves GitHub-managed code scanning by providing automated code reviews for pull requests. This ensures that only authorized, secure code changes can merge into your repository.

    • Repository Security: Frogbot offers scanning and fixing functionalities that detect and alert you to exposed secrets, malware, or vulnerabilities within your codebase. It provides proactive resolution of issues, simplifying the process of maintaining security and integrity in your repository.

    • JFrog Advanced Security Findings: Includes Software Composition Analysis (SCA) issues (for example, vulnerable dependencies, malicious packages, license and operational risks) and JFrog Advanced Security issues (for example, Static Application Security Testing (SAST)).