JFrog Xray

JFrog Xray

Category: SCA
License: Commercial (Pro X, Enterprise X, or Enterprise+ subscription)
Visit Website →

JFrog Xray is a universal software composition analysis tool that scans binaries and their dependencies to identify security vulnerabilities and license compliance issues.

As part of the JFrog Platform, Xray integrates tightly with Artifactory to provide security analysis at every stage of the software supply chain, from development through production deployment.

What is JFrog Xray?

JFrog Xray performs deep recursive scanning of all artifacts stored in JFrog Artifactory, analyzing not just the direct components but the entire dependency tree.

This approach catches vulnerabilities that hide in transitive dependencies, which often escape detection by tools that only examine direct dependencies.

The platform supports virtually any package type, including Docker images, npm packages, Maven artifacts, Python wheels, NuGet packages, Go modules, and many others.

Xray matches components against vulnerability databases including the National Vulnerability Database (NVD), VulnDB, and JFrog’s own security research to identify known CVEs and security issues.

What sets Xray apart is its integration with binary management.

Rather than scanning source code, Xray examines the actual artifacts that get deployed to production, ensuring that what you test is exactly what you ship.

Key Features

Deep Recursive Scanning

Xray analyzes the complete dependency graph of every artifact, recursively scanning all layers and dependencies.

For a Docker image, this means examining the base image, every layer added during the build, and all packages installed at each stage.

For a Java application, Xray traces through nested JAR files and their transitive dependencies.

This recursive analysis reveals vulnerabilities that surface-level scanning misses.

A common scenario involves a direct dependency that itself depends on a vulnerable library.

Without recursive scanning, this vulnerability remains hidden until exploitation.

Impact Analysis

When a new vulnerability is disclosed, security teams need to quickly understand their exposure.

Xray’s impact analysis shows every artifact affected by a specific CVE, along with all the builds, releases, and deployments that depend on those artifacts.

This capability transforms incident response from a manual search through build logs into an instant query that reveals your complete exposure across the entire artifact repository.

Policy-Based Security Gates

Xray uses configurable policies to enforce security standards automatically.

Policies can specify rules based on:

  • CVE severity thresholds (e.g., block any artifact with critical vulnerabilities)
  • Specific CVE IDs (e.g., always block Log4Shell regardless of remediation status)
  • License types (e.g., prohibit GPL-licensed components in commercial products)
  • CVSS scores with customizable thresholds
  • Component age and maintenance status

When an artifact violates a policy, Xray can block downloads, fail builds, trigger alerts, or take custom actions through webhooks.

License Compliance

Beyond security vulnerabilities, Xray identifies the licenses of all components in your software.

This helps legal and compliance teams understand the licensing obligations that come with open-source dependencies, preventing accidental inclusion of components with incompatible licenses.

Installation

JFrog Xray runs as part of the JFrog Platform and requires JFrog Artifactory.

Deployment options include:

Cloud (JFrog SaaS)

The fastest path to getting started.

JFrog manages infrastructure, updates, and scaling.

# No installation required - configure via UI or API
# Access at https://your-instance.jfrog.io

Self-Hosted (Docker)

# Pull the Xray Docker images
docker pull releases-docker.jfrog.io/jfrog/xray-server:latest
docker pull releases-docker.jfrog.io/jfrog/xray-indexer:latest
docker pull releases-docker.jfrog.io/jfrog/xray-analysis:latest
docker pull releases-docker.jfrog.io/jfrog/xray-persist:latest

# Run using Docker Compose (recommended)
# Download docker-compose.yaml from JFrog documentation
docker-compose -f docker-compose.yaml up -d

Helm (Kubernetes)

# Add JFrog Helm repository
helm repo add jfrog https://charts.jfrog.io
helm repo update

# Install Xray (requires existing Artifactory)
helm upgrade --install xray jfrog/xray \
  --namespace jfrog \
  --set xray.joinKey=<your-join-key> \
  --set xray.jfrogUrl=https://artifactory.example.com

Integration

GitHub Actions

name: Build and Scan
on: [push, pull_request]

jobs:
  build-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup JFrog CLI
        uses: jfrog/setup-jfrog-cli@v4
        with:
          version: latest
        env:
          JF_URL: ${{ secrets.JF_URL }}
          JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}

      - name: Build and publish
        run: |
          jf rt build-add-dependencies my-build 1 "target/*.jar"
          jf rt upload "target/*.jar" libs-release-local/
          jf rt build-publish my-build 1

      - name: Scan for vulnerabilities
        run: |
          jf audit --watches "prod-security-policy"

      - name: Scan Docker image
        run: |
          jf docker scan myapp:${{ github.sha }}

GitLab CI

stages:
  - build
  - scan
  - deploy

variables:
  JFROG_CLI_BUILD_NAME: "my-app"
  JFROG_CLI_BUILD_NUMBER: "$CI_PIPELINE_ID"

scan:
  stage: scan
  image: releases-docker.jfrog.io/jfrog/jfrog-cli-v2:latest
  script:
    - jfrog config add --url=$JF_URL --access-token=$JF_ACCESS_TOKEN
    - jfrog rt download "libs-snapshot-local/*.jar" ./target/
    - jfrog audit --fail=true --min-severity=High
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

Jenkins Pipeline

pipeline {
    agent any

    stages {
        stage('Build') {
            steps {
                rtServer (
                    id: "ARTIFACTORY_SERVER",
                    url: "${ARTIFACTORY_URL}",
                    credentialsId: "artifactory-credentials"
                )
                rtMavenDeployer (
                    id: "MAVEN_DEPLOYER",
                    serverId: "ARTIFACTORY_SERVER",
                    releaseRepo: "libs-release-local",
                    snapshotRepo: "libs-snapshot-local"
                )
                rtMavenRun (
                    pom: 'pom.xml',
                    goals: 'clean install',
                    deployerId: "MAVEN_DEPLOYER"
                )
            }
        }

        stage('Xray Scan') {
            steps {
                xrayScan (
                    serverId: "ARTIFACTORY_SERVER",
                    buildName: "${JOB_NAME}",
                    buildNumber: "${BUILD_NUMBER}",
                    failBuild: true
                )
            }
        }
    }
}

When to Use JFrog Xray

JFrog Xray is the right choice when:

  • You already use JFrog Artifactory for binary management and want seamlessly integrated security scanning
  • You need to scan compiled artifacts rather than source code, ensuring you test what actually gets deployed
  • Your organization handles diverse package types across multiple languages and platforms
  • You require policy enforcement at the artifact repository level to prevent vulnerable components from being downloaded
  • Compliance demands complete visibility into your software supply chain with audit trails

Consider alternatives if you need pure source-code analysis (SAST), if you do not use Artifactory, or if your budget cannot accommodate commercial licensing.

For teams not already invested in the JFrog ecosystem, tools like Snyk, Dependabot, or OWASP Dependency-Check may provide a faster path to SCA coverage.

Other SCA Tools

Arnica
Arnica

Pipelineless SCA with Package Reputation

Black Duck
Black Duck

SBOM & License Compliance

CAST Highlight
CAST Highlight

Chrome Extension, SBOM Export

Checkmarx SCA
Checkmarx SCA

Three-Pronged Analysis

See all SCA tools