diff --git a/jfrog-applications/.gitbook/assets/build-info-summary.png b/jfrog-applications/.gitbook/assets/build-info-summary.png index 27f5de3..4822d43 100644 Binary files a/jfrog-applications/.gitbook/assets/build-info-summary.png and b/jfrog-applications/.gitbook/assets/build-info-summary.png differ diff --git a/jfrog-applications/frogbot/setup-frogbot-using-github-actions.md b/jfrog-applications/frogbot/setup-frogbot-using-github-actions.md index 7de8022..77d397f 100644 --- a/jfrog-applications/frogbot/setup-frogbot-using-github-actions.md +++ b/jfrog-applications/frogbot/setup-frogbot-using-github-actions.md @@ -2,22 +2,23 @@ ### Github Prerequisites -* Go to your repository's **settings** tab and save the JFrog connection details as repository secrets with the following names: - * **JF\_URL** (JFrog Platform URL - Example: `https://acme.jfrog.io`) - > You can also use **JF\_XRAY\_URL** and **JF\_ARTIFACTORY\_URL** instead of **JF\_URL** - * **JF\_ACCESS\_TOKEN** (JFrog access token) - > You can also use **JF\_USER** + **JF\_PASSWORD** instead of **JF\_ACCESS\_TOKEN**. - > - > - > Instead of using **JF\_ACCESS\_TOKEN** and providing an access token as a GitHub secret, you can utilize the GitHub [OpenID Connect (OIDC)](#authenticating-using-openid-connect-oidc) authentication protocol. - * **JF\_GIT\_TOKEN** (GitHub token) - > You can utilize [${{secrets.GITHUB_TOKEN}}](https://docs.github.com/en/actions/security-guides/automatic-token-authentication) for **JF_GIT_TOKEN**, which is an automatically generated token by GitHub. - > However, this option comes with a limitation: a workflow, such as Frogbot itself, cannot trigger another workflow. Consequently, if you have additional workflows intended to activate upon the creation of a new pull request, they might not be initiated. - > To resolve this issue, you can generate a [personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens) and use it as JF_GIT_TOKEN. - +* Go to your repository's **settings** tab and save the JFrog connection details as repository secrets with the following names: -![](../.gitbook/assets/github-repository-secrets.png) + * **JF\_URL** (JFrog Platform URL - Example: `https://acme.jfrog.io`) + + > You can also use **JF\_XRAY\_URL** and **JF\_ARTIFACTORY\_URL** instead of **JF\_URL** + + * **JF\_ACCESS\_TOKEN** (JFrog access token) + + > You can also use **JF\_USER** + **JF\_PASSWORD** instead of **JF\_ACCESS\_TOKEN**. + > + > Instead of using **JF\_ACCESS\_TOKEN** and providing an access token as a GitHub secret, you can utilize the GitHub [OpenID Connect (OIDC)](setup-frogbot-using-github-actions.md#authenticating-using-openid-connect-oidc) authentication protocol. + * **JF\_GIT\_TOKEN** (GitHub token) + + > You can utilize [$\{{secrets.GITHUB\_TOKEN\}}](https://docs.github.com/en/actions/security-guides/automatic-token-authentication) for **JF\_GIT\_TOKEN**, which is an automatically generated token by GitHub. However, this option comes with a limitation: a workflow, such as Frogbot itself, cannot trigger another workflow. Consequently, if you have additional workflows intended to activate upon the creation of a new pull request, they might not be initiated. To resolve this issue, you can generate a [personal access token](https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/managing-your-personal-access-tokens) and use it as JF\_GIT\_TOKEN. + +![](../.gitbook/assets/github-repository-secrets.png) * Under **Actions** > **General**, check the **Allow GitHub Actions to create and approve pull requests** check box. @@ -30,50 +31,40 @@ ### Frogbot GitHub Action Templates 1. Begin by cloning the GitHub repository to your local environment. - 2. Switch to the target branch where you'd like the pull requests to be scanned. - 3. Create a file named **frogbot-scan-pull-request.yml**. Fill it with the provided [template](templates/github-actions/frogbot-scan-pull-request.yml), and then push it into the **.github/workflows** directory at the root of your GitHub repository. - 4. Return to the default branch. - 5. Now, create a file named **frogbot-scan-repository.yml**. Again, populate it with the provided [template](templates/github-actions/frogbot-scan-repository.yml) and push it into the **.github/workflows** directory at the root of your GitHub repository. -
+\ + +
-Authenticating using OpenID Connect (OIDC) -#### General +Authenticating using OpenID Connect (OIDC) -The sensitive connection details, such as the access token used by JFrog Frogbot, can be automatically generated by the action instead of storing it as a secret in GitHub. -This is made possible by leveraging the OpenID-Connect (OIDC) protocol. This protocol can authenticate the workflow issuer and supply a valid access token. Learn more about this integration in [this](https://jfrog.com/blog/secure-access-development-jfrog-github-oidc) blog post. -To utilize the OIDC protocol, follow these steps: +**General** -#### JFrog Platform configuration +The sensitive connection details, such as the access token used by JFrog Frogbot, can be automatically generated by the action instead of storing it as a secret in GitHub. This is made possible by leveraging the OpenID-Connect (OIDC) protocol. This protocol can authenticate the workflow issuer and supply a valid access token. Learn more about this integration in [this](https://jfrog.com/blog/secure-access-development-jfrog-github-oidc) blog post. To utilize the OIDC protocol, follow these steps: -1. **Configure an OIDC Integration**: This phase sets an integration between GitHub Actions to the JFrog platform.
- A) Navigate to the Administration tab In the JFrog Platform UI
- B) Click `General` | `Manage Integrations`
- C) Click `New Integration` | `OpenID Connect`:
- ![](../.gitbook/assets/oidc-new-integration.png)
- D) Configure the OIDC integration:
- ![](../.gitbook/assets/oidc-configure-integration.png) +**JFrog Platform configuration** -| NOTE: | -|--------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| The value specified as the 'Provider Name' should be used as the 'oidc-provider-name' input in [Workflow configuration step 2](#workflowstep2) below. | -| The 'Audience' field does NOT represent the 'aud' claim that can be added into identity-mapping configured in the 'Claims JSON' (shown below). Only claims that are included in the 'Claims Json' created during step 2 will be validated. | +1. **Configure an OIDC Integration**: This phase sets an integration between GitHub Actions to the JFrog platform.\ + A) Navigate to the Administration tab In the JFrog Platform UI\ + B) Click `General` | `Manage Integrations`\ + C) Click `New Integration` | `OpenID Connect`:\ + ![](../.gitbook/assets/oidc-new-integration.png)\ + D) Configure the OIDC integration:\ + ![](../.gitbook/assets/oidc-configure-integration.png) -
+ 2. **Configure an identity mapping**: This phase sets an integration between a particular GitHub repository to the JFrog platform. - An identity mapping is a configuration object utilized by the JFrog Platform to associate incoming OIDC claims with particular selected fields. These fields might include `repository`, `actor`, `workflow`, and others. - To configure the identity mapping, click on the identity mapping created in section 1 and then click on `Add Identity Mapping`. In the 'priority' field insert the value '1' and fill in the rest of the required fields:
+ An identity mapping is a configuration object utilized by the JFrog Platform to associate incoming OIDC claims with particular selected fields. These fields might include `repository`, `actor`, `workflow`, and others. To configure the identity mapping, click on the identity mapping created in section 1 and then click on `Add Identity Mapping`. In the 'priority' field insert the value '1' and fill in the rest of the required fields:\ ![](../.gitbook/assets/oidc-identity-mapping.png) - You have the flexibility to define any valid list of claims required for request authentication. You can check a list of the possible claims [here](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token). - Example Claims JSON: + You have the flexibility to define any valid list of claims required for request authentication. You can check a list of the possible claims [here](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#understanding-the-oidc-token). Example Claims JSON: ```json { @@ -81,7 +72,7 @@ To utilize the OIDC protocol, follow these steps: } ``` -### Workflow configuration +#### Workflow configuration 1. **Set required permissions**: In the course of the protocol's execution, it's imperative to acquire a JSON Web Token (JWT) from GitHub's OIDC provider. To request this token, it's essential to configure the specified permission in the workflow file: @@ -89,20 +80,18 @@ To utilize the OIDC protocol, follow these steps: permissions: id-token: write ``` - -
- -2. **Pass the 'oidc-provider-name' input to the Action (Required)**: The 'oidc-provider-name' parameter designates the OIDC configuration whose one of its identity mapping should align with the generated JWT claims. This input needs to align with the 'Provider Name' value established within the OIDC configuration in the JFrog Platform. -3. **Pass the 'oidc-audience' input to the Action (Optional)**: The 'oidc-audience' input defines the intended recipients of an ID token (JWT), ensuring access is restricted to authorized recipients for the JFrog Platform. By default, it contains the URL of the GitHub repository owner. It enforces a condition, allowing only workflows within the designated repository/organization to request an access token. Read more about it [here](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-audience-value). +2. **Pass the 'oidc-provider-name' input to the Action (Required)**: The 'oidc-provider-name' parameter designates the OIDC configuration whose one of its identity mapping should align with the generated JWT claims. This input needs to align with the 'Provider Name' value established within the OIDC configuration in the JFrog Platform. +3. **Pass the 'oidc-audience' input to the Action (Optional)**: The 'oidc-audience' input defines the intended recipients of an ID token (JWT), ensuring access is restricted to authorized recipients for the JFrog Platform. By default, it contains the URL of the GitHub repository owner. It enforces a condition, allowing only workflows within the designated repository/organization to request an access token. Read more about it [here](https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#customizing-the-audience-value). Example step utilizing OpenID Connect: ```yml - uses: jfrog/frogbot@v2 env: - JF_URL: ${{ secrets.JF_URL }} + JF_URL: ${{ vars.JF_URL }} JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }} with: oidc-provider-name: frogbot-integration ``` -
\ No newline at end of file + + diff --git a/jfrog-applications/frogbot/templates/github-actions/frogbot-scan-pull-request.yml b/jfrog-applications/frogbot/templates/github-actions/frogbot-scan-pull-request.yml index 36cc638..df77d39 100644 --- a/jfrog-applications/frogbot/templates/github-actions/frogbot-scan-pull-request.yml +++ b/jfrog-applications/frogbot/templates/github-actions/frogbot-scan-pull-request.yml @@ -18,7 +18,7 @@ jobs: env: # [Mandatory] # JFrog platform URL - JF_URL: ${{ secrets.JF_URL }} + JF_URL: ${{ vars.JF_URL }} # [Mandatory if JF_USER and JF_PASSWORD are not provided] # JFrog access token with 'read' permissions on Xray service diff --git a/jfrog-applications/frogbot/templates/github-actions/frogbot-scan-repository.yml b/jfrog-applications/frogbot/templates/github-actions/frogbot-scan-repository.yml index 49c7d2b..1291bfc 100644 --- a/jfrog-applications/frogbot/templates/github-actions/frogbot-scan-repository.yml +++ b/jfrog-applications/frogbot/templates/github-actions/frogbot-scan-repository.yml @@ -22,7 +22,7 @@ jobs: env: # [Mandatory] # JFrog platform URL - JF_URL: ${{ secrets.JF_URL }} + JF_URL: ${{ vars.JF_URL }} # [Mandatory if JF_USER and JF_PASSWORD are not provided] # JFrog access token with 'read' permissions on Xray service diff --git a/jfrog-applications/jfrog-cli/cli-command-summaries.md b/jfrog-applications/jfrog-cli/cli-command-summaries.md index 9852224..69331cf 100644 --- a/jfrog-applications/jfrog-cli/cli-command-summaries.md +++ b/jfrog-applications/jfrog-cli/cli-command-summaries.md @@ -4,29 +4,19 @@ The **Command Summaries** feature enables the recording of JFrog CLI command outputs into the local file system. This functionality can be used to generate a summary in the context of an entire workflow -(a sequence of JFrog CLU commands) and not only in the scope of a specific command. - -Each command execution that incorporates this feature can save data files into the file system. -These files are then used to create an aggregated summary in Markdown format. - -Saving data to the filesystem is essential because CLI command executes in separate contexts. -Consequently, each command that records new data should also incorporate any existing data into the aggregated markdown. -This is required because the CLI cannot determine when a command will be the last one executed in a sequence of commands. - +(a sequence of JFrog CLI commands) and not only in the scope of a specific command. An instance of how **Command Summaries** are utilized can be observed in the [setup-cli GitHub action](https://github.com/jfrog/setup-jfrog-cli/blob/master/README.md#JFrog-Job-Summary). This action employs the compiled markdown to generate a comprehensive summary of the entire workflow. ### Currently supported commands: -`jf rt upload` - -![rt-upload-summary-example](../.gitbook/assets/rt-upload-summary.png) - - `jf rt build-publish` ![rt-upload-summary-example](../.gitbook/assets/build-info-summary.png) +`jf rt upload` + +![rt-upload-summary-example](../.gitbook/assets/rt-upload-summary.png) `jf scan ` @@ -37,10 +27,15 @@ This action employs the compiled markdown to generate a comprehensive summary of ![jf-scan-example](../.gitbook/assets/jf-build-scan-summary.png) + ## Notes for Developers -To use the **Command Summaries**, you'll need to set the `JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR` environment variable. -This variable designates the directory where the data files and markdown files will be stored. +Each command execution that incorporates this feature can save data files into the file system. +These files are then used to create an aggregated summary in Markdown format. + +Saving data to the filesystem is essential because CLI command executes in separate contexts. +Consequently, each command that records new data should also incorporate any existing data into the aggregated markdown. +This is required because the CLI cannot determine when a command will be the last one executed in a sequence of commands. ### ⚠️ Attention: Files Remain After CLI Execution The CLI does not automatically remove the files as they are designed to remain beyond a single execution. @@ -48,9 +43,16 @@ As a result, it is your responsibility to you to manage your pipelines and delet You can clear the entire directory of `JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR` that you have configured to activate this feature. + +To use the **Command Summaries**, you'll need to set the `JFROG_CLI_COMMAND_SUMMARY_OUTPUT_DIR` environment variable. +This variable designates the directory where the data files and markdown files will be stored. + + ### How to Implement? -If you wish to implement your own summary, follow these steps: +If you wish to contribute a new CLI command summary to the existing ones, +you can submit a pull request once you've followed these implementation guidelines: + 1. Implement the CommandSummaryInterface 2. Record data during runtime diff --git a/jfrog-applications/jfrog-cli/cli-for-jfrog-artifactory/generic-files.md b/jfrog-applications/jfrog-cli/cli-for-jfrog-artifactory/generic-files.md index 293a6e9..99f8f0c 100644 --- a/jfrog-applications/jfrog-cli/cli-for-jfrog-artifactory/generic-files.md +++ b/jfrog-applications/jfrog-cli/cli-for-jfrog-artifactory/generic-files.md @@ -46,8 +46,9 @@ This command is used to upload files to Artifactory. | `--retry-wait-time` |

[Default: 0s]
Number of seconds or milliseconds to wait between retries. The numeric value should either end with s for seconds or ms for milliseconds (for example: 10s or 100ms).

| | `--detailed-summary` |

[Default: false]
Set to true to include a list of the affected files as part of the command output summary.

| | `--insecure-tls` |

[Default: false]
Set to true to skip TLS certificates verification.

| -| `--min-split` |

[Default: 200]
The minimum file size in MiB required to attempt a multi-part upload. This option, as well as the functionality of multi-part upload, requires Artifactory with S3 storage.

| -| `--split-count` |

[Default: 5]
The maximum number of parts that can be concurrently uploaded per file during a multi-part upload. Set to 0 to disable multi-part upload. This option, as well as the functionality of multi-part upload, requires Artifactory with S3 storage.

| +| `--chunk-size` |

[Default: 20]
The upload chunk size in MiB that can be concurrently uploaded during a multi-part upload. This option, as well as the functionality of multi-part upload, requires Artifactory with S3 or GCP storage.

| +| `--min-split` |

[Default: 200]
The minimum file size in MiB required to attempt a multi-part upload. This option, as well as the functionality of multi-part upload, requires Artifactory with S3 or GCP storage.

| +| `--split-count` |

[Default: 5]
The maximum number of parts that can be concurrently uploaded per file during a multi-part upload. Set to 0 to disable multi-part upload. This option, as well as the functionality of multi-part upload, requires Artifactory with S3 or GCP storage.

| ### Examples #### Example 1 diff --git a/jfrog-applications/jfrog-cli/cli-for-jfrog-artifactory/package-managers-integration.md b/jfrog-applications/jfrog-cli/cli-for-jfrog-artifactory/package-managers-integration.md index bcab0d2..32c6212 100644 --- a/jfrog-applications/jfrog-cli/cli-for-jfrog-artifactory/package-managers-integration.md +++ b/jfrog-applications/jfrog-cli/cli-for-jfrog-artifactory/package-managers-integration.md @@ -53,7 +53,7 @@ The following table lists the command arguments and flags: #### Deploying Maven Artifacts -The deployment to Artifacts is triggered both by the deployment and install phases. To disable artifacts deployment, add\*\* **-Dartifactory.publish.artifacts=false** to the list of goals and options. For example: "**clean install**\*\*-Dartifactory.publish.artifacts=false"\*\* +The deployment to Artifacts is triggered both by the deployment and install phases. To disable artifacts deployment, add **-Dartifactory.publish.artifacts=false** to the list of goals and options. For example: "**jf mvn clean install -Dartifactory.publish.artifacts=false**" #### Example @@ -61,7 +61,7 @@ The deployment to Artifacts is triggered both by the deployment and install phas Run clean and install with maven. ``` -jf mvn clean install -f path/to/pom-file +jf mvn clean install -f /path/to/pom.xml ``` ## Running Gradle Builds diff --git a/jfrog-applications/jfrog-cli/cli-for-jfrog-curation.md b/jfrog-applications/jfrog-cli/cli-for-jfrog-curation.md index 2bf9dce..2d78d94 100644 --- a/jfrog-applications/jfrog-cli/cli-for-jfrog-curation.md +++ b/jfrog-applications/jfrog-cli/cli-for-jfrog-curation.md @@ -13,9 +13,11 @@ The 'curation-audit' is a JFrog CLI command designed for developers to scan thei For a full list of the package managers and build systems supported by the curation-audit command and the required Artifactory and Xray versions to use it please see: https://jfrog.com/help/r/jfrog-curation/curation-support-matrix curation-audit command supported package managers and build systems: + * Npm (npm) * Maven (mvn) - Requires xray 3.92 and above, and Artifactory 7.82 and above * Pip (pip) - Requires xray 3.92 and above, and Artifactory 7.82 and above + *** ### Commands @@ -26,44 +28,38 @@ Audit your Project with JFrog CLI curation-audit command Prerequisites: -Make sure your JFrog Artifactory admin configured the curated remote repository you are using during your build process. For more information refer your Artifactory admin to: -https://jfrog.com/help/r/jfrog-curation/configure-curation-pass-through +Make sure your JFrog Artifactory admin configured the curated remote repository you are using during your build process. For more information refer your Artifactory admin to: https://jfrog.com/help/r/jfrog-curation/configure-curation-pass-through -1. **Connect JFrog CLI to JFrog Platform** +1. **Connect JFrog CLI to JFrog Platform** - Connect the JFrog CLI to your JFrog Platform instance by running the following command: + Connect the JFrog CLI to your JFrog Platform instance by running the following command: ``` jf c add ``` - - When prompted for the access token, use the token generated from Artifactory. For more details, refer to the [adding and editing configured servers documentation](https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/configurations/jfrog-platform-configuration#adding-and-editing-configured-servers). + * When prompted for the access token, use the token generated from Artifactory. For more details, refer to the [adding and editing configured servers documentation](https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/configurations/jfrog-platform-configuration#adding-and-editing-configured-servers). ``` jf c show ``` - - It should present Artifactory server just added (with default true) -

-2. **Configure JFrog CLI for Project**
- Ensure your project is configured in the JFrog CLI with the repository you would like to resolve dependencies from. Here are details for each package manager: - - - **NPM:** - - - Set the resolved repository using the [**jf npmc**](https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/cli-for-jfrog-artifactory/package-managers-integration#setting-npm-repositories) command inside the project directory. + * It should present Artifactory server just added (with default true)\ + \ - - **MAVEN:** - - - Set the resolved repository using the [**jf mvnc**](https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/cli-for-jfrog-artifactory/package-managers-integration#setting-maven-repositories) command inside the project directory. - - - **PIP:** - - - Set the resolved repository using the [**jf pipc**](https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/cli-for-jfrog-artifactory/package-managers-integration#setting-python-repository) command inside the project directory (The only package installer supported for now by Python is "pip"). +2. **Configure JFrog CLI for Project**\ + Ensure your project is configured in the JFrog CLI with the repository you would like to resolve dependencies from. Here are details for each package manager: + * **NPM:** + * Set the resolved repository using the [**jf npmc**](https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/cli-for-jfrog-artifactory/package-managers-integration#setting-npm-repositories) command inside the project directory. + * **MAVEN:** + * Set the resolved repository using the [**jf mvnc**](https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/cli-for-jfrog-artifactory/package-managers-integration#setting-maven-repositories) command inside the project directory. + * **PIP:** + * Set the resolved repository using the [**jf pipc**](https://docs.jfrog-applications.jfrog.io/jfrog-applications/jfrog-cli/cli-for-jfrog-artifactory/package-managers-integration#setting-python-repository) command inside the project directory (The only package installer supported for now by Python is "pip"). #### Commands Params | | | -|-----------------------|---------------------------------------------------------------------------------------------------------------------------------------| +| --------------------- | ------------------------------------------------------------------------------------------------------------------------------------- | | **Command name** | curation-audit | | **Abbreviation** | ca | | **Command options** | | @@ -72,7 +68,6 @@ https://jfrog.com/help/r/jfrog-curation/configure-curation-pass-through | `--threads` |

[Default: 3]

The number of parallel threads used to determine the curation status for each package in the project tree.

| | `--requirements-file` |

[Optional] [Pip]

Defines pip requirements file name. For example: 'requirements.txt'

| - #### Example 1 Curation-Audit the project in the current directory. Displays all known packages that were blocked by Curation Policies. @@ -96,4 +91,3 @@ Curation-Audit the project in the current directory using 5 threads to check the ``` jf curation-audit --threads=5 ``` - diff --git a/jfrog-applications/jfrog-cli/cli-for-jfrog-security/enrich-your-sbom.md b/jfrog-applications/jfrog-cli/cli-for-jfrog-security/enrich-your-sbom.md new file mode 100644 index 0000000..4cd03ba --- /dev/null +++ b/jfrog-applications/jfrog-cli/cli-for-jfrog-security/enrich-your-sbom.md @@ -0,0 +1,43 @@ +# Enrich your SBOM JSONs & XMLs + +The sbom enrichment command takes an exported SBOM file in XML/JSON format and enriches your +file with package vulnerabilities found by XRAY. + +This _**jf sbom enrich **_ command enriches a file that is found on file_path. + +*** + +**Note** + +> This command requires: + +* Version X or above of Xray +* Version Y or above of JFrog CLI + +*** + +#### Commands Params + +| | | +|-----------------------|-----------------------------------------------------------------------------------------------------------------------------------------| +| **Command name** | sbom-enrich | +| **Abbreviation** | se | +| **Command options** | | +| `--server-id` |

[Optional]
Server ID configured using the jf c add command. If not specified, the default configured server is used.

| +| **Command arguments** | + | `file_path` | the sbom file path. + +#### Example 1 + +Enriches an XML file + +``` +jf se "path/to/file.xml" +``` + +#### Example 2 +Enriches a JSON file +``` +jf se "path/to/files/file.json" +``` + diff --git a/jfrog-applications/jfrog-cli/cli-for-jfrog-security/scan-your-binaries.md b/jfrog-applications/jfrog-cli/cli-for-jfrog-security/scan-your-binaries.md index 8fe1649..0b83584 100644 --- a/jfrog-applications/jfrog-cli/cli-for-jfrog-security/scan-your-binaries.md +++ b/jfrog-applications/jfrog-cli/cli-for-jfrog-security/scan-your-binaries.md @@ -31,6 +31,7 @@ This _**jf scan**_ command scans files on the local file system with Xray. | `--watches` |

[Optional]
A comma-separated(,) list of Xray watches, to enable Xray to determine violations accordingly. The command accepts this option only if the --project and --repo-path options are not provided. If none of the three options are provided, the command will show all known vulnerabilities.

| | `--licenses` |

[Default: false]
Set if you also require the list of licenses to be displayed.

| | --format=json |

[Optional]
Produces a JSON file containing the scan results.

| +| `--vuln` |

[Optional]
Set if you'd like to receive all vulnerabilities, regardless of the policy configured in Xray.

| | **Command arguments** | | | **Pattern** | Specifies the local file system path to artifacts to be scanned. You can specify multiple files by using wildcards. | @@ -84,7 +85,7 @@ jf s "*.tgz" ### Scanning Docker Containers on the Local File System -This j\_**f docker scan**\_ command scans docker containers located on the local file-system using the _**docker client**_ and _**JFrog Xray**_. The containers don't need to be deployed to Artifactory or any other container registry before it can be scanned. +This _**jf docker scan**_ command scans docker containers located on the local file-system using the _**docker client**_ and _**JFrog Xray**_. The containers don't need to be deployed to Artifactory or any other container registry before it can be scanned. *** @@ -111,6 +112,7 @@ This j\_**f docker scan**\_ command scans docker containers located on the local | `--licenses` |

[Default: false]
Set if you also require the list of licenses to be displayed.

| | `--validate-secrets` |

[Default: false] Triggers token validation on found secrets

| | --format=json |

[Optional]
Produces a JSON file containing the scan results.

| +| `--vuln` |

[Optional]
Set if you'd like to receive all vulnerabilities, regardless of the policy configured in Xray.

| | **Command arguments** | | | **Pattern** | Specifies the local file system path to artifacts to be scanned. You can specify multiple files by using wildcards. | diff --git a/jfrog-applications/jfrog-cli/cli-for-jfrog-security/scan-your-source-code.md b/jfrog-applications/jfrog-cli/cli-for-jfrog-security/scan-your-source-code.md index 0047cf5..b2cdc3d 100644 --- a/jfrog-applications/jfrog-cli/cli-for-jfrog-security/scan-your-source-code.md +++ b/jfrog-applications/jfrog-cli/cli-for-jfrog-security/scan-your-source-code.md @@ -35,43 +35,45 @@ This command also supports the following Advanced Scans with the **Advanced Secu #### Commands Params -| | | -|---------------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| -| **Command name** | audit | -| **Abbreviation** | aud | -| **Command options** | | -| `--server-id` |

[Optional]
Server ID configured using the jf c add command. If not specified, the default configured server is used.

| -| `--project` |

[Optional]
JFrog project key, to enable Xray to determine security violations accordingly. The command accepts this option only if the --repo-path and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities

| -| `--repo-path` |

[Optional]
Artifactory repository path, to enable Xray to determine violations accordingly. The command accepts this option only if the --project and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities

| -| `--watches` |

[Optional]
A comma-separated(,) list of Xray watches, to enable Xray to determine violations accordingly. The command accepts this option only if the --repo-path and --repo-path options are not provided. If none of the three options are provided, the command will show all known vulnerabilities

| -| `--licenses` |

[Default: false]
Set if you'd also like the list of licenses to be displayed.

| -| `--format` |

[Default: table]
Defines the output format of the command. Acceptable values are: table and json.

| -| `--fail` |

[Default: true]
When using one of the flags --watches, --project or --repo-path and a Fail build rule is matched the command will return exit code 3. Set to false if you'd like to see violations with exit code 0.

| -| `--use-wrapper` |

[Default: false] [Gradle]
Set to true if you'd like to use the Gradle wrapper.

| -| `--dep-type` |

[Default: all] [npm]
Defines npm dependencies type. Possible values are: all, devOnly and prodOnly

| -| `--exclude-test-deps` |

[Default: false] [Gradle]
Set to true if you'd like to exclude Gradle test dependencies from Xray scanning.

| -| `--requirements-file` |

[Optional] [Pip]
Defines pip requirements file name. For example: 'requirements.txt'

| -| `--working-dirs` |

[Optional]
A comma-separated(,) list of relative working directories, to determine the audit targets locations.

If flag isn't provided, a recursive scan is triggered from the root directory of the project.

| -| `--exclusions` |

[Default: .git;node_modules;target;venv;test]
List of semicolon-separated(;) exclusions, utilized to skip sub-projects from undergoing an audit. These exclusions may incorporate the * and ? wildcards.

| -| `--fixable-only` |

[Optional]
Set to true if you wish to display issues that have a fix version only.

| -| `--min-severity` |

[Optional]
Set the minimum severity of issues to display. The following values are accepted: Low, Medium, High or Critical

| -| `--threads` |

[Default: 3]
The number of parallel threads used to scan the source code project.

| -| `--go` |

[Default: false]
Set to true to request audit for a Go project.

| -| `--gradle` |

[Default: false]
Set to true to request audit for a Gradle project.

| -| `--mvn` |

[Default: false]
Set to true to request audit for a Maven project.

| -| `--npm` |

[Default: false]
Set to true to request audit for a npm project.

| -| `--pnpm` |

[Default: false]
Set to true to request audit for a pnpm project.

| -| `--nuget` |

[Default: false]
Set to true to request audit for a .Net project.

| -| `--pip` |

[Default: false]
Set to true to request audit for a Pip project.

| -| `--pipenv` |

[Default: false]
Set to true to request audit for a Pipenv project.

| -| `--yarn` |

[Default: false]
Set to true to request audit for a Yarn project.

| -| `--sca` |

[Default: false] Selective scanners mode: Execute SCA (Software Composition Analysis) sub-scan. By default, runs both SCA and Contextual Analysis. Can be combined with --secrets, --sast, --iac, and --without-contextual-analysis.

| -| `--iac` |

[Default: false] Selective scanners mode: Execute IaC sub-scan. Can be combined with --sca, --secrets and --sast.

| -| `--secrets` |

[Default: false] Selective scanners mode: Execute Secrets sub-scan. Can be combined with --sca, --sast and --iac.

| -| `--sast` |

[Default: false] Selective scanners mode: Execute SAST sub-scan. Can be combined with --sca, --secrets and --iac.

| -| `--without-contextual-analysis` |

[Default: false] Selective scanners mode: Disable Contextual Analysis scanner after SCA. Relevant only with --sca flag.

| -| `--validate-secrets` |

[Default: false] Triggers token validation on found secrets

| -| **Command arguments** | The command accepts no arguments | + +| | | +|-----------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------| +| **Command name** | audit | +| **Abbreviation** | aud | +| **Command options** | | +| `--server-id` |

[Optional]
Server ID configured using the jf c add command. If not specified, the default configured server is used.

| +| `--project` |

[Optional]
JFrog project key, to enable Xray to determine security violations accordingly. The command accepts this option only if the --repo-path and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities

| +| `--repo-path` |

[Optional]
Artifactory repository path, to enable Xray to determine violations accordingly. The command accepts this option only if the --project and --watches options are not provided. If none of the three options are provided, the command will show all known vulnerabilities

| +| `--watches` |

[Optional]
A comma-separated(,) list of Xray watches, to enable Xray to determine violations accordingly. The command accepts this option only if the --repo-path and --repo-path options are not provided. If none of the three options are provided, the command will show all known vulnerabilities

| +| `--licenses` |

[Default: false]
Set if you'd also like the list of licenses to be displayed.

| +| `--format` |

[Default: table]
Defines the output format of the command. Acceptable values are: table and json.

| +| `--fail` |

[Default: true]
When using one of the flags --watches, --project or --repo-path and a Fail build rule is matched the command will return exit code 3. Set to false if you'd like to see violations with exit code 0.

| +| `--use-wrapper` |

[Default: false] [Gradle]
Set to true if you'd like to use the Gradle wrapper.

| +| `--dep-type` |

[Default: all] [npm]
Defines npm dependencies type. Possible values are: all, devOnly and prodOnly

| +| `--exclude-test-deps` |

[Default: false] [Gradle]
Set to true if you'd like to exclude Gradle test dependencies from Xray scanning.

| +| `--requirements-file` |

[Optional] [Pip]
Defines pip requirements file name. For example: 'requirements.txt'

| +| `--working-dirs` |

[Optional]
A comma-separated(,) list of relative working directories, to determine the audit targets locations.

If flag isn't provided, a recursive scan is triggered from the root directory of the project.

| +| `--exclusions` |

[Default: .git;node_modules;target;venv;test]
List of semicolon-separated(;) exclusions, utilized to skip sub-projects from undergoing an audit. These exclusions may incorporate the * and ? wildcards.

| +| `--fixable-only` |

[Optional]
Set to true if you wish to display issues that have a fix version only.

| +| `--min-severity` |

[Optional]
Set the minimum severity of issues to display. The following values are accepted: Low, Medium, High or Critical

| +| `--threads` |

[Default: 3]
The number of parallel threads used to scan the source code project.

| +| `--go` |

[Default: false]
Set to true to request audit for a Go project.

| +| `--gradle` |

[Default: false]
Set to true to request audit for a Gradle project.

| +| `--mvn` |

[Default: false]
Set to true to request audit for a Maven project.

| +| `--npm` |

[Default: false]
Set to true to request audit for a npm project.

| +| `--pnpm` |

[Default: false]
Set to true to request audit for a pnpm project.

| +| `--nuget` |

[Default: false]
Set to true to request audit for a .Net project.

| +| `--pip` |

[Default: false]
Set to true to request audit for a Pip project.

| +| `--pipenv` |

[Default: false]
Set to true to request audit for a Pipenv project.

| +| `--yarn` |

[Default: false]
Set to true to request audit for a Yarn project.

| +| `--sca` |

[Default: false] Selective scanners mode: Execute SCA (Software Composition Analysis) sub-scan. By default, runs both SCA and Contextual Analysis. Can be combined with --secrets, --sast, --iac, and --without-contextual-analysis.

| +| `--iac` |

[Default: false] Selective scanners mode: Execute IaC sub-scan. Can be combined with --sca, --secrets and --sast.

| +| `--secrets` |

[Default: false] Selective scanners mode: Execute Secrets sub-scan. Can be combined with --sca, --sast and --iac.

| +| `--sast` |

[Default: false] Selective scanners mode: Execute SAST sub-scan. Can be combined with --sca, --secrets and --iac.

| +| `--without-contextual-analysis` |

[Default: false] Selective scanners mode: Disable Contextual Analysis scanner after SCA. Relevant only with --sca flag.

| +| `--vuln` |

[Optional]
Set if you'd like to receive all vulnerabilities, regardless of the policy configured in Xray.

| +| `--validate-secrets` |

[Default: false] Triggers token validation on found secrets

| +| **Command arguments** | The command accepts no arguments | #### **Output Example** diff --git a/jfrog-applications/jfrog-cli/cli-plugins/developer-guide.md b/jfrog-applications/jfrog-cli/cli-plugins/developer-guide.md index cf0cb80..0d754c7 100644 --- a/jfrog-applications/jfrog-cli/cli-plugins/developer-guide.md +++ b/jfrog-applications/jfrog-cli/cli-plugins/developer-guide.md @@ -58,7 +58,7 @@ Well, plugins can do almost anything. The sky is the limit. 2. You can also add other Go packages to your *go.mod* and use them in your code. 3. You can package any external resources, such as executables or configuration files, and have them published alongside your plugin. Read more about - this [here](jfrog-cli-plugins-developer-guide.md#having-your-plugin-use-external-resources) + this [here](developer-guide.md#having-your-plugin-use-external-resources) ## Including plugins in the official registry