Prevents risky code changes before merging into your GitHub repository.
Who can use this feature?
JFrog Code Security Insights in GitHub Advanced Security is available to Enterprise/Enterprise+ customers with JFrog Advanced Security only. For a complete feature comparison by subscription type, refer to the JFrog and GitHub Integration Features Matrix.
When developers push code to GitHub, it triggers a build process. The integration scans every code change and displays the results as comments in the Pull Request or in the GitHub Advanced Security Dashboard for branch commits. JFrog Advanced Security performs SAST, contextual analysis, and secrets scanning.
Product | Security Area | Description
---|---|---
JFrog Xray | Software Composition Analysis (SCA) | Scans your project dependencies for security issues.
JFrog Xray | License Compliance | Ensures that the licenses for your project's dependencies align with a predefined list of approved licenses.
JFrog Advanced Security | Static Application Security Testing (SAST) | Utilizes fast and accurate security engines to detect zero-day vulnerabilities in sensitive source code operations while minimizing false positives.
JFrog Advanced Security | Vulnerability Contextual Analysis | Utilizes code context to filter out false positives for irrelevant, vulnerable dependencies. For applicable CVEs, Frogbot comments directly on the relevant code lines in pull requests, providing detailed descriptions of the security issues. Currently, Vulnerability Contextual Analysis supports Python, JavaScript, and Java code.
JFrog Advanced Security | Secrets | Identifies and prevents accidental leaks of internal tokens or credentials by detecting any secrets left exposed in the code.
JFrog Advanced Security | Infrastructure as Code (IaC) | Scans Infrastructure as Code (Terraform) files for early detection of cloud and infrastructure misconfigurations.
What does it do?
JFrog's Code Security Insights in GitHub Advanced Security proactively secures your code using Frogbot together with JFrog Xray and JFrog Advanced Security. Findings are displayed in the code scanning section of GitHub Advanced Security.
Frogbot scans your source code for security vulnerabilities during branch commits or pull requests. It checks for SCA issues (vulnerable dependencies, malicious packages, license violations) and JFrog Advanced Security issues (SAST, contextual analysis, secrets, IaC), presenting the results in GitHub.
Branch Commits: Results are displayed in the GitHub Advanced Security Dashboard under the Code Scanning section and in JFrog Xray under Scan List → Git Repositories (SaaS only).
Pull Requests: Findings appear as comments directly within the Pull Request.
Why is it important?
Developers
Faster Remediation: Enables early detection and quicker resolution of vulnerabilities.
Improved Code Quality: Proactively manages vulnerabilities to enhance overall code quality.
Security
Early Detection: Identifies risks during pull requests.
Comprehensive Coverage: Provides consistent security oversight throughout the development lifecycle.
Enhanced Visibility: JFrog Advanced Security findings are integrated into GitHub dashboards for better visibility.
Automated Code Reviews: Frogbot integration improves GitHub-managed code scanning by providing automated code reviews for pull requests. This ensures that only authorized, secure code changes can merge into your repository.
Repository Security: Frogbot offers scanning and fixing functionalities that detect and alert you to exposed secrets, malware, or vulnerabilities within your codebase. It provides proactive resolution of issues, simplifying the process of maintaining security and integrity in your repository.
JFrog Advanced Security Findings: Includes Software Composition Analysis (SCA) issues (for example, vulnerable dependencies, malicious packages, license and operational risks) and JFrog Advanced Security issues (for example, Static Application Security Testing (SAST)).