View the Risk Issues Detected in an Application Version

The Risk tab in AppTrust provides a consolidated view of risks across the application lifecycle, enabling teams to track and act on vulnerabilities both before and after release. This dual view helps address issues early in development while ensuring visibility into new threats that may arise in released versions.

Once detected, risks are tied to the evaluated application version and enforced according to the lifecycle policies you have defined. Pre-release violations are logged at lifecycle gates, while post-release monitoring continuously checks for new critical CVEs in trusted versions.

Pre-Release Risk Management

The Pre-Release section lists all triggered policy issues identified during lifecycle gate evaluations. Findings may include CVEs, secrets, malicious packages, or missing evidence.

Each entry shows:

  • Evaluation Decision – whether the gate failed or passed with a warning.
  • Evaluated Releasable – the impacted artifact, image, or build.
  • Finding Code – identifier of the vulnerability, misconfiguration, or secret.
  • Policy – the lifecycle policy that triggered the issue.

Review pre-release triggered issues

  1. Open the application’s Risk tab.
  2. In the Pre-Release section, review the list of triggered policy issues.
  3. Use filters on the right (by evaluation decision, releasable, or policy type) to narrow results.
  4. Click a Finding Code (e.g., CVE ID) to open the details pane with severity, contextual analysis, remediation options, and component details.

Post-Release Monitoring

The Post-Release section tracks trusted application versions for newly detected Critical CVEs. This allows teams to react quickly to emerging threats that were not present at release time.

Each CVE entry includes:

  • Releasable – the released version impacted.
  • CVE ID – with severity and CVSS score.
  • Contextual Analysis – whether the CVE is applicable.
  • Remediation Options – recommended upgrade paths or component fixes.

Monitor post-release risks

  1. In the Post-Release section, check for Newly Detected Critical CVEs.
  2. Review contextual analysis to confirm applicability.
  3. Click a CVE ID to view details, including CWE, severity, remediation options (Best Version, Quickest Fix, Least Vulnerable), and impacted components.

Remediating Issues

When risks are identified:

  1. Open the detailed finding view (CVE, secret, or malicious package).
  2. Review the remediation strategies offered, such as:
    • Best Version – recommended secure upgrade path.
    • Quickest Fix – fastest patch to remove the risk.
    • Least Vulnerable – option with the lowest exposure risk.
  3. Apply the recommended version or dependency update in your source code or build pipeline.
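To make the difference between the three strategies concrete, here is an added example (not AppTrust code, and not its actual selection logic) that picks a Quickest Fix, Least Vulnerable and Best Version for one Critical finding from a constructed set of upgrade candidates; the severity weights, the CVE-EXAMPLE-* identifiers and the rule used for Best Version are assumptions made for illustration:

```python
from dataclasses import dataclass, field

# Constructed severity weights; AppTrust's real scoring is not described on the page.
SEVERITY_WEIGHT = {"Critical": 100.0, "High": 10.0, "Medium": 1.0, "Low": 0.1}

@dataclass
class Candidate:
    version: tuple                              # (major, minor, patch), orders naturally
    cves: dict = field(default_factory=dict)    # cve_id -> severity label

def exposure(c: Candidate) -> float:
    """Weighted sum of the vulnerabilities still present in a version."""
    return sum(SEVERITY_WEIGHT[s] for s in c.cves.values())

def remediation_options(target_cve: str, current: Candidate, candidates: list) -> dict:
    """Pick Quickest Fix, Least Vulnerable and Best Version for one finding (assumed rules)."""
    # A valid fix is an upgrade (never a downgrade) that no longer carries the finding.
    fixes = sorted(
        (c for c in candidates if c.version > current.version and target_cve not in c.cves),
        key=lambda c: c.version,
    )
    if not fixes:
        return {}
    quickest = fixes[0]                    # smallest version bump that removes the CVE
    least = min(fixes, key=exposure)       # lowest remaining exposure among the fixes
    # Assumed rule: Best Version is the newest fix that carries no Critical CVE;
    # if every fix does, fall back to the least vulnerable one.
    clean = [c for c in fixes if "Critical" not in c.cves.values()]
    best = max(clean, key=lambda c: c.version) if clean else least
    return {"Quickest Fix": quickest.version,
            "Least Vulnerable": least.version,
            "Best Version": best.version}

def demo() -> dict:
    """Constructed scenario: a component at 1.2.0 with a Critical finding and several upgrade paths."""
    current = Candidate((1, 2, 0), {"CVE-EXAMPLE-1": "Critical", "CVE-EXAMPLE-2": "Medium"})
    candidates = [
        Candidate((1, 1, 5), {}),                                            # older: not an upgrade
        Candidate((1, 2, 1), {"CVE-EXAMPLE-2": "Medium", "CVE-EXAMPLE-3": "High"}),
        Candidate((1, 3, 0), {"CVE-EXAMPLE-2": "Medium"}),
        Candidate((2, 0, 0), {"CVE-EXAMPLE-4": "Critical"}),                 # newer, but introduces a Critical
        Candidate((2, 1, 0), {"CVE-EXAMPLE-5": "High"}),
    ]
    return remediation_options("CVE-EXAMPLE-1", current, candidates)

if __name__ == "__main__":
    for option, version in demo().items():
        print(f"{option}: {'.'.join(map(str, version))}")
```

In this scenario the three options land on three different versions (1.2.1, 1.3.0 and 2.1.0), which is exactly why the finding view lists them separately rather than offering a single upgrade.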