This topic describes how to run the JFrog CLI audit commands that perform the dependency scans described in Xray Dependencies Scan.
Supported commands in the JFrog CLI:
Auditing an Npm Project: The audit-npm command audits an npm project by generating a dependency tree for the sources and scanning it with Xray. Run the command from the root directory of the project.
Auditing Maven Projects: The audit-mvn command audits Maven projects by generating a dependency tree for the sources and scanning it with Xray. Run the command from the root directory of the project.
Auditing Gradle Projects: The audit-gradle command audits Gradle projects by generating a dependency tree for the sources and scanning it with Xray. Run the command from the root directory of the project.
Auditing Pip Projects: The audit-pip command audits Pip projects by generating a dependency tree for the sources and scanning it with Xray. Run the command from the root directory of the project.
Auditing Go Projects: The audit-go command audits Go projects by generating a dependency tree for the sources and scanning it with Xray. Run the command from the root directory of the project.
Run the scan command with the relevant command options. You can view scan results for the following:
Vulnerabilities
Violations
Licenses
By default, the scan returns vulnerabilities data for the dependencies it finds. To retrieve violations data instead, select the Watches to evaluate using exactly one of the following methods:
Watches - Name the Watches to apply to the scan.
Repo Path - Provide the target destination path in Artifactory; the Watches are determined by the path.
Project - Name a Project by its project key; all Watches defined for that Project are used.
Note that when you run the scan with one of these options, the results contain only violations data and not vulnerabilities data. To view vulnerabilities data, run the scan again without these options; a pipeline that needs both must therefore run the audit twice.
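The following wrapper is an added example, not code from the JFrog CLI or this documentation. It enforces the two constraints above before launching an audit: the command is run from a project root (checked by looking for the project's manifest file, a convention of this script rather than a CLI requirement), and at most one violations selector is passed, because the CLI reports either violations or vulnerabilities per run. It assumes a JFrog CLI 1.x binary named jfrog on the PATH with a configured server, and that the option names --watches, --repo-path and --project correspond to the Watches, Repo Path and Project methods described above; treat those names as assumptions to confirm against your CLI version.

```shell
#!/bin/sh
# Added example: a guard around the JFrog CLI 1.x audit-* commands.
# Assumptions (not stated by the documentation): the binary is "jfrog",
# the violations selectors are --watches, --repo-path and --project, and
# the manifest used to detect the project root is this script's own choice.
JFROG_BIN="${JFROG_BIN:-jfrog}"

# Manifest file(s) that mark the root directory of each supported project type.
audit_manifest() {
    case "$1" in
        npm)    echo "package.json" ;;
        mvn)    echo "pom.xml" ;;
        gradle) echo "build.gradle build.gradle.kts" ;;
        pip)    echo "requirements.txt setup.py" ;;
        go)     echo "go.mod" ;;
        *)      return 1 ;;
    esac
}

# build_audit_cmd TYPE [MODE] [DIR]
# MODE is "vuln" (default, vulnerabilities data, no selector) or one of
# "watches:<w1,w2>", "repo-path:<artifactory/path>", "project:<key>",
# each of which switches the output to violations data only.
# Prints the command line; returns 1 if DIR is not a project root or MODE is invalid.
build_audit_cmd() {
    type="$1"; mode="${2:-vuln}"; dir="${3:-.}"
    manifests=$(audit_manifest "$type") || { echo "unknown project type: $type" >&2; return 1; }
    found=0
    for m in $manifests; do
        [ -f "$dir/$m" ] && found=1
    done
    [ "$found" -eq 1 ] || { echo "none of [$manifests] in $dir: run from the project root" >&2; return 1; }
    cmd="$JFROG_BIN audit-$type"
    case "$mode" in
        vuln)        ;;   # no selector: the scan returns vulnerabilities data
        watches:*)   cmd="$cmd --watches=${mode#watches:}" ;;
        repo-path:*) cmd="$cmd --repo-path=${mode#repo-path:}" ;;
        project:*)   cmd="$cmd --project=${mode#project:}" ;;
        *)           echo "invalid mode: $mode" >&2; return 1 ;;
    esac
    echo "$cmd"
}

# run_audit TYPE [MODE] [DIR]: build the command and run it inside DIR.
# With DRY_RUN=1 the command is printed instead of executed.
run_audit() {
    cmd=$(build_audit_cmd "$@") || return 1
    if [ "${DRY_RUN:-0}" = 1 ]; then
        echo "$cmd"
        return 0
    fi
    (cd "${3:-.}" && $cmd)
}

# audit_both TYPE SELECTOR [DIR]: the CLI never reports vulnerabilities and
# violations in one run, so collect both by running the audit twice.
audit_both() {
    run_audit "$1" vuln "${3:-.}" && run_audit "$1" "$2" "${3:-.}"
}

if [ $# -gt 0 ]; then
    run_audit "$@"
fi
```

Typical use from a project root is `run_audit npm` for vulnerabilities, `run_audit npm watches:prod-watch,qa-watch` for violations against named Watches, and `audit_both go project:myproj` when a pipeline needs both reports.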