View Results in JFrog

We have built and published our NPM package and Docker image. Let’s view these results in JFrog Artifactory.

  1. Go to your JFrog Platform instance and switch to the Packages view in Artifactory. Go to ArtifactoryPackages.

  2. Type workshop-app and search. This will show the NPM package that was published with the JFrog CLI.

  3. Click on it to view the details. Npm Workshop App

  4. Click on the workshop-app:1.0.0 under the Published Modules tab to see the artifacts and dependencies.

  5. Go back to the Packages view and search for npm-app. This shows the Docker image that was published.

  6. Click on the docker npm-app listing. Npm App Package

  7. This will show a list of the versions. Click on the latest version that was built. Npm Build Published Modules

  8. In the Xray Data tab, view the security violations. License violations are available in the JFrog Platform Pro and Enterprise tiers. Npm Build Xray Data

  9. Click on Actions drop down and you can download SBOM as SPDX or CycloneDX. Xray sbom

  10. Click on Descendants tab to see at which particular layer your softaware is infected. Xray descendants

  11. Click on any violation to see the details and impact in the Issue Details tab. Npm Build Xray Detail

  12. Scroll down to the References section to access links to documentation that can help you remediate the issue. Npm Build Xray Detail References

    In many cases, you just need to update the component and Xray will indicate this. Npm Build Xray Detail Versions

Xray supports all major package types, understands how to unpack them, and uses recursive scanning to see into all of the underlying layers and dependencies of components, even those packaged in Docker images, and zip files. The comprehensive vulnerability intelligence databases are constantly updated giving the most up-to-date understanding of the security and compliance of your binaries and features like threat contextual analysis, git repo scanning, jira integration, SBOM support for the SPDX and CycloneDX standard formats and many more.

  1. Close the Issue Details tab.
  2. View the Docker configuration for the image in the Docker Layers tab.
  3. On the Builds tab, click on npm_build in the list. Npm Build List
  4. Then click on your most recent build.
  5. In the Published Modules tab, view the set of artifacts and dependencies for your build. Npm Published Modules

Our JFrog CLI CI/CD “pipeline” provided an overview of a typical build, docker build and push, security scan and promotion process using Artifactory and Xray.