Advanced Security

The Advanced Security Add-on is available with the Enterprise X or Enterprise+ license.


JFrog Advanced Security provides scanning for source code and binaries using JFrog-developed analysis engines. It identifies security issues across the software development lifecycle, including problems in first-party code, third-party dependencies, secrets, misconfigurations, and infrastructure-as-code (IaC).

The JFrog Static Application Security Testing (SAST) engine scans first-party code to detect vulnerabilities through cross-file semantic analysis. Scans run locally, so source code is not sent outside the environment. The engine analyzes areas such as database access, external connections, operating system commands, and other operations that can introduce security risk, and provides remediation guidance to support fixing issues during development.
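As an added illustration (not code from the JFrog documentation or product, and not the engine's own rules), the following Python shows two of the flows a SAST engine of this kind reports, each in a vulnerable form beside a hardened one: untrusted input interpolated into a SQL statement, and untrusted input spliced into an operating-system command. The in-memory users table and the `ping` wrapper are constructed for the example; the hostname allow-list pattern is an assumption, not a JFrog rule.

```python
"""Added example: vulnerable and hardened versions of two flows a SAST engine
flags (SQL injection and OS command injection). Not JFrog code; the sample
users table and the hostname rule are constructed for this illustration."""
import re
import sqlite3


def make_demo_db() -> sqlite3.Connection:
    # Constructed sample data: an in-memory users table with three rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)")
    conn.executemany("INSERT INTO users (name) VALUES (?)",
                     [("alice",), ("bob",), ("carol",)])
    conn.commit()
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list[str]:
    # VULNERABLE: the untrusted `username` becomes part of the SQL text.
    # A cross-file SAST engine follows this value from the caller into
    # execute() and reports it as SQL injection.
    query = f"SELECT name FROM users WHERE name = '{username}'"
    return sorted(row[0] for row in conn.execute(query))


def find_user_hardened(conn: sqlite3.Connection, username: str) -> list[str]:
    # HARDENED: a bound parameter; the driver never parses `username` as SQL.
    rows = conn.execute("SELECT name FROM users WHERE name = ?", (username,))
    return sorted(row[0] for row in rows)


# Assumed allow-list for hostnames (letters, digits, dot, hyphen); not a JFrog rule.
HOSTNAME_RE = re.compile(r"^[A-Za-z0-9.-]{1,253}$")


def ping_command_vulnerable(host: str) -> str:
    # VULNERABLE: builds a single shell string. Once this reaches a shell
    # (for example subprocess.run(cmd, shell=True)), `host` can append
    # further commands after a ';' or '&&'.
    return f"ping -c 1 {host}"


def ping_command_hardened(host: str) -> list[str]:
    # HARDENED: validate against the allow-list, then return an argv list so
    # no shell ever interprets the value. Anything that is not a hostname is rejected.
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"invalid hostname: {host!r}")
    return ["ping", "-c", "1", host]


if __name__ == "__main__":
    db = make_demo_db()
    payload = "x' OR '1'='1"                  # classic tautology payload
    print(find_user_vulnerable(db, payload))  # all three names leak
    print(find_user_hardened(db, payload))    # []
    print(ping_command_vulnerable("example.com; id"))  # second command smuggled in
    try:
        ping_command_hardened("example.com; id")
    except ValueError as exc:
        print("rejected:", exc)
```

The point the engine makes for the developer is the data flow, not the string: the same `username` reaches `execute()` in both versions, but only the first lets it change the statement's structure. The remediation guidance mentioned above maps onto the hardened forms here (bound parameters; argv lists with input validation instead of shell strings).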

Third-Party CVEs and Contextual Analysis

JFrog Advanced Security enhances the results from JFrog Xray by performing contextual analysis on third-party dependencies. The engine determines whether a detected CVE is actually exploitable given how the dependency is used in your first-party code, so you can focus on the vulnerabilities that matter most. Its scanners are continuously updated by JFrog's Security Research team, which filters out irrelevant issues, reduces noise, and prioritizes critical threats. You can also ask JFrog Research directly to investigate a specific CVE for enhanced information, or to add a contextual analysis scanner for a CVE that does not yet have one. Read all about our research team here.

Secrets and Misconfiguration Detection

Advanced Security helps prevent accidental exposure of secrets such as API keys, passwords, and tokens through its secrets detection capabilities. In addition, it scans for misconfigurations across applications, services, and Infrastructure as Code (IaC). By identifying weak security practices and insecure configurations early in development, JFrog Advanced Security helps keep these risks from becoming exploitable vulnerabilities in production.
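To make the mechanism concrete, here is an added Python example (not JFrog code, and not the detection rules the product uses) of the two techniques secrets scanners typically combine: a pattern match for credentials with a well-known format, and a keyword-plus-entropy match for generic hardcoded values, with a Shannon-entropy threshold that drops obvious placeholders. The file contents are constructed; the AWS key shown is the public example key from AWS's documentation, not a live credential. The regexes and the 3.0 bits-per-character threshold are assumptions for illustration.

```python
"""Added example of secrets detection: a well-known-format rule plus a
keyword-with-entropy rule over constructed file contents. Not JFrog code;
the regexes and entropy threshold are assumptions for illustration."""
import math
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample file. The AKIA... value is the documented AWS example key,
# not a live credential; the other values are made up.
SAMPLE_FILE = "\n".join([
    "DEBUG = True",
    "AWS_ACCESS_KEY_ID = 'AKIAIOSFODNN7EXAMPLE'",
    "DB_PASSWORD = os.environ['DB_PASSWORD']",   # read from the environment: fine
    "api_key = 'xxxxxxxxxxxxxxxxxxxxxxxx'",      # placeholder: low entropy, skipped
    "SLACK_TOKEN = 'p8Xk2vQw9LmZ4tRn7sYb'",      # hardcoded high-entropy value
])

# Rule 1: credential with a fixed, recognisable shape (AWS access key ID).
AWS_KEY_RE = re.compile(r"\bAKIA[0-9A-Z]{16}\b")
# Rule 2: a secret-looking identifier assigned a quoted literal of 12+ characters.
GENERIC_RE = re.compile(
    r"""(?i)\b(\w*(?:api_?key|secret|passwd|password|token)\w*)\s*[:=]\s*['"]([^'"]{12,})['"]"""
)


@dataclass
class Finding:
    path: str
    line: int
    rule: str
    preview: str   # first four characters only; never log the whole secret


def shannon_entropy(value: str) -> float:
    # Bits per character; random-looking tokens score well above placeholders.
    n = len(value)
    return -sum(c / n * math.log2(c / n) for c in Counter(value).values())


def scan_text(path: str, text: str, min_entropy: float = 3.0) -> list[Finding]:
    """Return findings for one file, in line order."""
    findings: list[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        # Fixed-format credentials are reported regardless of entropy.
        for m in AWS_KEY_RE.finditer(line):
            findings.append(Finding(path, lineno, "aws-access-key-id", m.group(0)[:4] + "..."))
        m = GENERIC_RE.search(line)
        if m:
            value = m.group(2)
            # Entropy gate: 'xxxx...' style placeholders would otherwise be noise.
            if shannon_entropy(value) >= min_entropy:
                findings.append(Finding(path, lineno, "hardcoded-secret", value[:4] + "..."))
    return findings


if __name__ == "__main__":
    for f in scan_text("config.py", SAMPLE_FILE):
        print(f"{f.path}:{f.line}: {f.rule} ({f.preview})")
```

Note what the entropy gate does and does not buy: it silences the all-`x` placeholder but says nothing about line 3, which is already safe because the value comes from the environment rather than a literal. A real scanner adds many more format rules and tunes the threshold per rule; the structure (format rules, keyword rules, a noise filter, redacted previews) is the part worth copying.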

Where Advanced Security Fits in the JFrog Security Timeline

Code Development (Developers): Scans first-party code with SAST to detect vulnerabilities such as SQL injection, command execution risks, and insecure authentication; identifies hardcoded secrets and misconfigurations in code; scans dependencies in IDEs and the CLI before code is committed.
Code Merge (SCM): Scans dependencies with Frogbot so that pull requests do not introduce security issues; can auto-fix risky dependencies and identify contextually relevant vulnerabilities in third-party libraries.
Build & Package (CI/CD Security): Scans builds in CI/CD pipelines to detect vulnerabilities and malicious components; performs Contextual Analysis to assess whether detected CVEs are exploitable within the specific application; identifies secrets and infrastructure misconfigurations.
Artifact Management (Repository Security): Continuously scans Artifactory repositories for security, compliance, and operational risks; enforces security policies, detects malicious packages, and verifies the integrity of stored artifacts.
Release Validation (Pre-Deployment Security): Scans release bundles before promotion or distribution to ensure compliance, security, and integrity; confirms that vulnerabilities are not actively exploitable in the final packaged software.
Production & Runtime Security (requires JFrog Runtime): Monitors deployed artifacts for newly discovered vulnerabilities; validates whether vulnerable code is actually loaded into memory, reducing false positives and prioritizing real threats; detects integrity violations and untrusted registries in live environments.

Install Advanced Security (for Self-Hosted Customers Only)

The Advanced Security installation instructions can be found here. It is a best practice to keep the JFrog Advanced Security Readiness Checking enabled.

Business Needs

As security threats become more sophisticated, organizations require deeper, more contextual security insights than traditional vulnerability scanning provides. JFrog Advanced Security takes a holistic approach to protecting the software supply chain by detecting critical risks across source code, binaries, infrastructure-as-code (IaC), and runtime environments. Key concerns include:

  • Context-Aware Vulnerability Detection Traditional vulnerability scanners generate excessive noise, overwhelming teams with irrelevant results. JFrog Advanced Security’s Contextual Analysis prioritizes risks by analyzing whether a detected CVE is truly exploitable based on how dependencies are used within first-party code. This reduces false positives and ensures teams focus on the vulnerabilities that matter most.
  • Secrets and Misconfiguration Protection Leaked credentials and misconfigurations are leading causes of security breaches. Advanced Security scans for hardcoded secrets, API keys, and misconfigurations across applications, containers, and infrastructure, preventing unintended data exposure and reducing compliance risks.
  • Proactive Supply Chain Security Software supply chain attacks are on the rise, targeting third-party dependencies and build environments. Advanced Security detects malicious packages, typosquatting attacks, and package impersonation, ensuring organizations don’t unknowingly introduce compromised components into their software.
  • Deep Binary and Code Security Analysis Beyond dependency scanning, Advanced Security performs Static Application Security Testing (SAST) for first-party code, identifying vulnerabilities like SQL injection, insecure authentication, and command execution risks. It also analyzes compiled binaries for additional security flaws undetectable in source code alone.
  • Automated Compliance and Policy Enforcement Meeting regulatory requirements such as SOC 2, ISO 27001, and NIST can be challenging. Advanced Security automates policy enforcement and security monitoring, integrating with existing workflows (Jira, webhooks) to support compliance without slowing down development.
  • Reducing Security Team Overhead With security shifting left, developers need tools that enhance security without disrupting workflows. JFrog Advanced Security integrates into IDEs, CI/CD pipelines, and repositories, automating remediation suggestions and enabling teams to fix issues early, minimizing manual effort and increasing efficiency.