View Exposure Scan Statuses and Results

JFrog Security Documentation

JFrog Xray
Content Type
User Guide

Once an artifact is indexed, Xray will validate if the artifact contains any security issues in any of the categories you have enabled for scanning.

To view scan results, go to Application | Xray | Scans List.

  1. Select the resource type Repositories. Note that, in this version, the new scan categories are only supported for Repositories.

  2. Select the resource from the list.

    Each scan contains an overview of the results such as how many vulnerabilities were found, the scan status, and so on. It is important to note that each category has a set of scanners that will search for specific issues. To provide you with full visibility as to what Xray scanned for, the results will show all scanners including items that were scanned and are OK.

  3. Select the scan you want to view.

    The scan results are displayed under Security Issues.

  4. Select the issue to view more details. Each issue contains the following information:



    JFrog Severity Badge

    The severity of the issue that was determined by the JFrog Security Research Team:

    • Critical

    • High

    • Medium

    • Low


    There are two possible statues:

    • To Fix: An issue that was found and should be fixed

    • OK: An issue Xray scanned for and verified is okay (i.e., no security issues were found)


    Issue identifier


    The Common Weakness Enumeration (CWE) identifier for the weakness type this issue is associated with.

    Fix Cost

    Estimate for the effort involved in fixing the suggested resolution:

    • High effort: Substantial effort is required from the software developer. Examples include building code from source and applying broad configuration changes.

    • Medium effort:A medium-level action is required from the software developer. Examples include making changes to existing configurations.

    • Low effort:Minimal effort is required from the software developer. Examples include removing a file, and making minor changes to existing configurations


    Provides information on the issue in terms of exactly what and where was found, the security impact of the issue, and what needs to be done to fix it.


    Possible consequences of an attack utilizing this issue.