
JFrog Advanced Security Capabilities

Contextual Analysis of CVEs:

Vulnerability Contextual Analysis uses the context in which a vulnerable component is used to eliminate false positives, so that only relevant vulnerabilities are flagged. Automated scanners analyze how first-party code calls into third-party OSS libraries and identify whether a reachable path exists to the vulnerable code for each detected CVE. The analysis produces a justification for the status assigned to each CVE, including what the scanner looked for, so developers can understand the finding and examine the relevant code themselves.

Key Benefits

  • Reduces false positives – Filters out vulnerabilities that do not impact your software today.
  • Provides actionable insights – Highlights vulnerabilities with real-world impact. For binary analysis, the additional context allows the complete codebase to be analyzed from an attacker's perspective, identifying which issues are actually exploitable and what their potential impact is.
  • Actionable remediation – Enables targeted mitigation based on the actual code, artifact, build, or Release Bundle.
  • Seamless integration for developers – View results directly in your IDE, CLI, PR decoration (Frogbot), and the JFrog Platform.
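The reachability idea behind contextual analysis can be illustrated with a small static call-graph check. The following is an added example, not JFrog's scanner: it parses a constructed first-party module with Python's ast module, builds an intra-module call graph, and reports a CVE as applicable only if a call chain leads from the chosen entry point to the vulnerable third-party function. The package name thirdlib, the function unsafe_deserialize and the source text are all assumptions made up for this example.

```python
import ast
from collections import defaultdict, deque

# Constructed first-party source for the example. "thirdlib" is a hypothetical
# third-party package; "thirdlib.unsafe_deserialize" stands in for the function
# that a CVE is assumed to affect.
FIRST_PARTY_SRC = '''
import thirdlib

def load_config(path):
    return open(path).read()

def render(data):
    return thirdlib.safe_render(data)

def legacy_import(blob):
    return thirdlib.unsafe_deserialize(blob)

def unused_helper(blob):
    return legacy_import(blob)

def main():
    cfg = load_config("app.cfg")
    return render(cfg)
'''

VULNERABLE_SYMBOL = "thirdlib.unsafe_deserialize"  # hypothetical vulnerable API


def _callee_name(func):
    """Render a call target as a dotted name; None for dynamic targets."""
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        base = _callee_name(func.value)
        return f"{base}.{func.attr}" if base else None
    return None


def build_call_graph(src):
    """Map each top-level function to the set of names it calls."""
    graph = defaultdict(set)
    for node in ast.parse(src).body:
        if isinstance(node, ast.FunctionDef):
            for sub in ast.walk(node):
                if isinstance(sub, ast.Call):
                    name = _callee_name(sub.func)
                    if name:
                        graph[node.name].add(name)
    return graph


def find_path(graph, entry, target):
    """Breadth-first search; returns the call chain entry -> ... -> target or None."""
    queue = deque([[entry]])
    seen = {entry}
    while queue:
        path = queue.popleft()
        for callee in sorted(graph.get(path[-1], ())):
            if callee == target:
                return path + [callee]
            if callee not in seen:
                seen.add(callee)
                queue.append(path + [callee])
    return None


def classify(src, entry, vulnerable_symbol):
    """Return ("applicable", path) if the vulnerable symbol is reachable from entry."""
    path = find_path(build_call_graph(src), entry, vulnerable_symbol)
    return ("applicable", path) if path else ("not applicable", None)


if __name__ == "__main__":
    for entry in ("main", "unused_helper"):
        status, path = classify(FIRST_PARTY_SRC, entry, VULNERABLE_SYMBOL)
        print(f"{entry}: {status}", " -> ".join(path) if path else "")
```

From main, the vulnerable function is unreachable, so the CVE is reported as not applicable with an empty path; from unused_helper, the chain unused_helper -> legacy_import -> thirdlib.unsafe_deserialize is the justification a developer would inspect. A production analyzer additionally resolves dynamic dispatch, data flow and the library's own internal call graph, which this syntactic approximation does not attempt.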

Secrets Scans

JFrog Advanced Security helps prevent the accidental exposure of secrets such as API keys, passwords, and tokens through its comprehensive secrets detection and token validation capabilities. By scanning both source code and binary artifacts, it ensures sensitive data is never exposed to unauthorized users, making it a powerful secrets prevention solution.

Supported Secret Types

  • Access Tokens (Keys): Detects structured access tokens in both text and binary files, such as API keys, OAuth tokens, and private tokens. Token Validation enhances secret detection by verifying the validity of detected tokens and distinguishing between active and inactive tokens by authenticating against the token provider.
  • Certificate & Private Key Detection: Identifies issues in X.509 PEM and DER certificates, including certificates that contain private keys, expired certificates, and self-signed certificates.
  • High Entropy Textual Secrets: Detects high-entropy secrets in source code and config files, such as passwords and secret keys with high randomness.
  • URL Secrets Detection: Detects embedded credentials in URLs (e.g., https://username:password@mydomain.com).
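Three of the secret types above (credentials embedded in URLs, high-entropy textual secrets, and PEM private key material) can be demonstrated with a compact line scanner. This is an added example written for this page, not JFrog's detection engine; the sample lines, the 4.0 bits-per-character entropy threshold and the 20-character minimum token length are constructed assumptions, and the X.509 expiry and self-signature checks, which need a certificate parser, are left out.

```python
import math
import re
from urllib.parse import urlsplit

# Constructed sample input. None of these values are real credentials.
SAMPLE_LINES = [
    'log_level = "info"',
    'db_url = "postgres://admin:hunter2@db.internal:5432/app"',
    'api_key = "q7Zx3vB9mK2pL8nW4tR6yH1cJ5dF0gS"',
    'banner = "changeme_changeme_changeme"',
    '-----BEGIN RSA PRIVATE KEY-----',
]

URL_RE = re.compile(r"""[a-zA-Z][a-zA-Z0-9+.-]*://[^\s"']+""")
TOKEN_RE = re.compile(r"[A-Za-z0-9+/=_-]{20,}")          # candidate token runs
PEM_PRIVATE_RE = re.compile(r"-----BEGIN (?:[A-Z]+ )?PRIVATE KEY-----")
ENTROPY_THRESHOLD = 4.0   # bits per character; heuristic, tune per codebase


def shannon_entropy(s):
    """Shannon entropy in bits per character of the string s."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def scan_line(line):
    """Return a list of (kind, detail) findings for one line; secrets are never echoed in full."""
    findings = []
    for m in URL_RE.finditer(line):
        parts = urlsplit(m.group(0))
        if parts.username and parts.password:
            findings.append(("url_credentials", f"user={parts.username} host={parts.hostname}"))
    if PEM_PRIVATE_RE.search(line):
        findings.append(("private_key", "PEM private key block"))
    for m in TOKEN_RE.finditer(line):
        tok = m.group(0)
        ent = shannon_entropy(tok)
        if ent >= ENTROPY_THRESHOLD:
            findings.append(("high_entropy", f"len={len(tok)} entropy={ent:.2f} prefix={tok[:4]}..."))
    return findings


def scan(lines):
    """Scan an iterable of lines; returns (line_number, kind, detail) tuples."""
    return [(i, kind, detail)
            for i, line in enumerate(lines, 1)
            for kind, detail in scan_line(line)]


if __name__ == "__main__":
    for lineno, kind, detail in scan(SAMPLE_LINES):
        print(f"line {lineno}: {kind}: {detail}")
```

The repeated "changeme" string on line 4 is long enough to be a token candidate but scores well under the threshold, which is exactly the kind of false positive the entropy test is meant to avoid, while the random-looking value on line 3 scores about 4.95 bits per character. The entropy check is a heuristic: long identifiers, hashes and base64-encoded assets can exceed the threshold, so a real scanner combines it with structured token patterns and, as the page describes, validation against the token provider.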

Misconfigurations Scans

JFrog Advanced Security identifies security misconfigurations that can leave your applications vulnerable by scanning for misconfigurations across your infrastructure, services, and applications. A key differentiator of JFrog Advanced Security is its focus on real security risks in Infrastructure as Code (IaC) scanning. Unlike common IaC tools that report many low-severity issues with little impact, JFrog Advanced Security provides detailed severity ratings, allowing teams to identify and address actual security risks. By focusing on the most critical misconfigurations and providing severity ratings that other tools lack, it ensures that security efforts are directed toward genuine threats.

Examples of Detected Misconfigurations:

  • Insufficient access restrictions to services (public access to repositories, publicly accessible clusters, globally readable/deletable/writeable buckets, use of admin roles in ECS services, IAM users with privileged access to all resources, API Gateway methods without enforced authorization)
  • Insecure use of credentials (use of hardcoded credentials)
  • Allowing weak crypto algorithms (use of weak cipher suites)
  • Running batch jobs in privileged mode
  • Lack of enforced secure communication (listening on HTTP, unencrypted communications)
  • Wildcard actions in Glue policies
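To make the severity-rated IaC checks concrete, here is an added example that is not JFrog's scanner: a handful of check functions run over a constructed, simplified resource model (plain dictionaries loosely modelled on Terraform resource types, not Terraform's exact schema) and produce findings rated by severity, covering several of the misconfigurations listed above. The resource definitions, the severity assigned to each check and the attribute names are assumptions made for this example.

```python
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Constructed resource model for the example (simplified, not Terraform's real schema).
RESOURCES = [
    {"type": "aws_s3_bucket", "name": "logs", "config": {"acl": "public-read"}},
    {"type": "aws_s3_bucket", "name": "private_data", "config": {"acl": "private"}},
    {"type": "aws_lb_listener", "name": "web",
     "config": {"port": 80, "protocol": "HTTP", "default_action": {"type": "forward"}}},
    {"type": "aws_iam_policy", "name": "glue_job",
     "config": {"policy": {"Statement": [{"Effect": "Allow", "Action": "glue:*", "Resource": "*"}]}}},
    {"type": "aws_batch_job_definition", "name": "batch",
     "config": {"container_properties": {"image": "jobs/etl", "privileged": True}}},
    {"type": "aws_db_instance", "name": "db", "config": {"password": "hunter2"}},  # made-up value
]


def check_public_bucket(r):
    """Globally readable/writeable buckets (assumed severities: read = High, read-write = Critical)."""
    if r["type"] != "aws_s3_bucket":
        return None
    acl = r["config"].get("acl", "private")
    if acl == "public-read-write":
        return ("Critical", "bucket is globally readable and writeable")
    if acl in ("public-read", "authenticated-read"):
        return ("High", f"bucket ACL '{acl}' exposes objects beyond the account")
    return None


def check_plain_http(r):
    """Listener accepting unencrypted HTTP without redirecting to HTTPS."""
    if r["type"] != "aws_lb_listener":
        return None
    cfg = r["config"]
    if cfg.get("protocol") == "HTTP" and cfg.get("default_action", {}).get("type") != "redirect":
        return ("Medium", "listener accepts unencrypted HTTP without redirecting to HTTPS")
    return None


def check_wildcard_actions(r):
    """Allow statements granting '*' or 'service:*' actions (e.g. glue:*)."""
    if r["type"] != "aws_iam_policy":
        return None
    for st in r["config"].get("policy", {}).get("Statement", []):
        actions = st.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if st.get("Effect") == "Allow" and any(a == "*" or a.endswith(":*") for a in actions):
            return ("High", f"policy allows wildcard actions {actions}")
    return None


def check_privileged_batch(r):
    """Batch job containers running in privileged mode."""
    if r["type"] != "aws_batch_job_definition":
        return None
    if r["config"].get("container_properties", {}).get("privileged"):
        return ("High", "batch job container runs in privileged mode")
    return None


def check_hardcoded_credentials(r):
    """Literal credential values in resource attributes (references like ${var.x} are ignored)."""
    for key in ("password", "master_password", "secret"):
        val = r["config"].get(key)
        if isinstance(val, str) and val and not val.startswith("${"):
            return ("Critical", f"literal credential in attribute '{key}'")
    return None


CHECKS = [check_public_bucket, check_plain_http, check_wildcard_actions,
          check_privileged_batch, check_hardcoded_credentials]


def scan_resources(resources, min_severity="Low"):
    """Run every check over every resource; return findings at or above min_severity, highest first."""
    findings = []
    for r in resources:
        for check in CHECKS:
            result = check(r)
            if result and SEVERITY_RANK[result[0]] >= SEVERITY_RANK[min_severity]:
                findings.append({"resource": f'{r["type"]}.{r["name"]}',
                                 "severity": result[0], "detail": result[1]})
    findings.sort(key=lambda f: -SEVERITY_RANK[f["severity"]])   # stable: keeps input order within a level
    return findings


if __name__ == "__main__":
    for f in scan_resources(RESOURCES, min_severity="Medium"):
        print(f'{f["severity"]:<8} {f["resource"]}: {f["detail"]}')
```

Filtering with min_severity is what turns a noisy report into an actionable one: the hardcoded database password surfaces first, the correctly private bucket produces nothing, and a team can gate a pipeline on High and above while still reviewing Medium findings such as the plain-HTTP listener.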

For additional support, please see Submitting a ServiceNow ticket or Find Additional Support.

Brought to you by DevTools and Enablement Team.