GitHub Advanced Security: Unified Security view
Note: Available for Enterprise X and Enterprise+ with JFrog Advanced Security
Value
Provides a unified view of JFrog security findings within GitHub Advanced Security dashboards.
Enables developers and security teams to review vulnerabilities directly within GitHub.
How it Works
- JFrog security findings (Xray and JFrog Advanced Security) are sent to GitHub
- The findings appear in the GitHub Advanced Security dashboard under the Code Scanning section
Upload of JFrog security findings to GHAS Code Scanning can be achieved with either of the following methods:
- During pipeline scanning using the JFrog CLI:
  - Add the github_token secret to the JFrog CLI context to provide the required permissions (writing results into Code Scanning requires the security-events: write permission on that token)
  - Use the JFrog CLI scanning commands (jf docker scan, jf build-scan) after setting up the CLI, for example with OIDC:

```yaml
- name: Setup JFrog CLI
  uses: jfrog/setup-jfrog-cli@v4
  env:
    JF_URL: https://${{ vars.JF_URL }}/
    JF_PROJECT: ${{ vars.JF_PROJECT }}
  with:
    oidc-provider-name: <OIDC integration name set on JFrog platform>
```

- Automatically, without providing the github_token to the JFrog CLI:
- Install the "JFrog for GitHub App"
- Contact JFrog support to activate the feature.
- Once activated, every build-info scan done by Xray uploads its results to the GHAS Code Scanning section using the GitHub App token.
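The following workflow is an added example, not code from this page or from JFrog, showing the first method end to end: the CLI is set up with OIDC as above, a dependency scan is run, and the findings are published to Code Scanning as SARIF. It assumes an OIDC integration named github-oidc exists on the JFrog platform, that the repository variables JF_URL and JF_PROJECT are set, that the repository has GitHub Code Security enabled, and that jf audit --format=sarif writes the SARIF report to stdout. It uses the explicit upload step (github/codeql-action/upload-sarif) rather than the CLI's direct upload, so the permissions block is where the github_token gets the rights it needs.

```yaml
# Added example (not from the JFrog page): scan with JFrog CLI and publish the
# findings to GitHub Code Scanning as SARIF.
# Assumptions: OIDC integration "github-oidc" exists on the JFrog platform,
# repository variables JF_URL and JF_PROJECT are set, and Code Security is
# enabled on the repository.
name: jfrog-security-scan

on:
  push:
    branches: [main]
  pull_request:

jobs:
  scan:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      id-token: write         # needed for the OIDC token exchange with JFrog
      security-events: write  # needed to write SARIF results into Code Scanning
    steps:
      - uses: actions/checkout@v4

      - name: Setup JFrog CLI
        uses: jfrog/setup-jfrog-cli@v4
        env:
          JF_URL: https://${{ vars.JF_URL }}/
          JF_PROJECT: ${{ vars.JF_PROJECT }}
        with:
          oidc-provider-name: github-oidc   # assumed integration name

      # Scan the checked-out project's dependencies with Xray and emit SARIF
      # instead of the default table output. The file name is arbitrary.
      - name: Audit dependencies
        run: jf audit --format=sarif > jfrog-audit.sarif

      # Publish the SARIF so the findings appear under Security > Code scanning.
      # if: always() keeps the upload running even when the audit exited
      # non-zero because of policy violations. The category keeps these
      # results separate from CodeQL or other scanners in the same repository.
      - name: Upload findings to Code Scanning
        if: always()
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: jfrog-audit.sarif
          category: jfrog-xray
```

For container images, replace the audit step with jf docker scan on the built image, keeping the same --format=sarif redirection and upload step; the permissions block is the part that most often goes missing and produces an upload denied error.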
Additional Information
Requirements:
- GitHub Code Security
Notes:
- Without GitHub Advanced Security, findings are still available in JFrog.
- Frogbot uploads JFrog results to the GHAS Code Scanning section automatically, as it already has the GitHub token as part of its operation.
