Try JFrog
Guides
Contact SupportTry JFrog
  1. Install Individual Products
  2. Individual JFrog Products Installation
  3. Catalog Installation

Installing Curation

Catalog and Curation are interconnected products. Curation relies on the Catalog to access data about package vulnerabilities. Without the Catalog, Curation cannot function. Curation is a component of Xray. Curation is also installed when you install Xray. If you have the necessary Curation entitlement, you can enable it through the UI. Although part of the general Xray installation, the Catalog is installed separately on a Self-Hosted environment.

  • Prevention at Entry (Curation + Catalog): Before any OSS package is introduced into your development pipeline, Curation consults the Catalog to assess its risk profile. This proactive approach ensures that only vetted and approved packages are allowed entry, minimizing the chance of introducing vulnerabilities or non-compliant components.
  • Continuous Monitoring (Xray): Once packages are part of your environment, Xray takes over by continuously scanning them for new vulnerabilities or compliance issues that may arise over time. This ensures that your software remains secure and compliant throughout its lifecycle. In essence, Catalog provides the critical data, Curation acts as the initial filter to block risky components from entering your system, and Xray offers ongoing surveillance to detect and address issues in the components you are already using. This integrated approach fortifies your software supply chain, ensuring robust security and compliance from the outset and throughout the development process.
📘

SaaS users: skip this. JFrog deploys and configures Curation for you automatically.

Prerequisites

RequirementMinimum
JFrog subscriptionEnterprise X or Enterprise+
Artifactory version7.63.5
Xray version (no proxy)3.78.2
Xray version (behind proxy)3.82.11

Check your versions:

GET https://<your-domain>/artifactory/api/system/version
GET https://<your-domain>/xray/api/v1/system/version

Installation Steps

  1. Install / Upgrade Xray. Curation is bundled with Xray, so installing Xray installs Curation. If you already have Xray at the minimum version above, skip to step 2.
📘

If you run an Xray cluster, apply every step on every cluster node.

  1. Install JFrog Catalog Catalog as it is a separate install on self-hosted, and Curation will not function without it (Curation queries Catalog for package risk data). Choose one:
  2. Enable JFConnect in Artifactory
    1. Edit your JFrog Platform system.yaml and add this at the global level:
jfconnect: 
  enabled: true

If you sit behind a proxy, use this instead:

jfconnect: 
  enabled: true 
  env:
    http_proxy: "http://yourproxyaddress"
    https_proxy: "http://yourproxyaddress"
     no_proxy: "localhost,127.0.0.1"

Restart the JFrog Platform after editing.

  1. Confirm your Curation entitlement
GET https://<your-domain>/ui/api/v1/jfconnect/entitlements

Look for a curation entry in the response, e.g.:

json{
  "name": "curation",
  "value": 1,
  "expiryDate": "2026-07-20T00:00:00.000Z",
  "isTrial": true,
  "blockingQuantity": 1
}
  • Empty response → JFConnect isn't running properly. Recheck step 3, then contact JFrog support if it still fails.
  • Response present but no curation entry → your account isn't entitled. Contact your JFrog sales rep or support.
  1. Hit the Curation health endpoint: 
    curl -u <username>:<password> https://<your-domain>/xray/ui/curation/internal/health

You will see:

{
  "JFConnect": "OK",
  "Entitlements": "OK",
  "Catalog": "OK"
}

If everything reads OK, Curation is installed and ready to use. You can also view this in the UI at

https://<your-domain>/xray/ui/curation/internal/health

Updated 1 day ago