JFrog Xray

Search for the CVE ID in the Xray dashboard.

View the 'Impact Analysis' graph to identify all affected binaries.

Use the 'Component Search' to find all production builds containing the library.

Trigger an automated build block on any new artifacts containing the CVE.

Define an Xray Policy that triggers a 'Fail' action for 'GPL' or 'Copyleft' licenses.

Apply the policy to the production release repository.

Run an Xray scan on the release candidate.

Generate a License Report to prove compliance to the legal department.

Developer installs the JFrog IDE extension.

Xray scans the 'package.json' or 'pom.xml' as the developer types.

Xray highlights vulnerable libraries in the code editor.

Developer selects 'Auto-remediate' to upgrade the library version immediately.

Create a 'Base Images' repository in Artifactory.

Set an Xray watch on this repository.

Schedule daily scans to catch new vulnerabilities in static base images.

Automatically promote images that pass scanning to a 'Certified' repository.

Integrate Xray into the Git pre-commit hook.

Scan Terraform files for misconfigurations (e.g., 'public_read' on S3).

Block the commit if high-risk misconfigurations are found.

Report the findings in the Xray centralized dashboard.

Xray utilizes its curated database to flag packages that show 'malicious' patterns.

The proxy (Artifactory Remote Repo) blocks the download of the malicious package.

Security teams receive an immediate alert regarding the attempted use of malware.

Upload the target company's artifacts to a private JFrog instance.

Run a full platform scan with Xray.

Export a comprehensive risk report covering security and licenses.

Present the 'Risk Scorecard' as part of the acquisition valuation.