Cursor

The JFrog Extension for Cursor seamlessly integrates JFrog Xray and JFrog Advanced Security into the developer workflow, enabling security scanning and remediation directly within the IDE. By identifying vulnerabilities, exposed secrets, and infrastructure misconfigurations as you code, the extension helps developers address security issues before they reach production—reducing risk and remediation costs. Developers gain inline security insights with clear contextual information and impact assessments, along with effortless remediation through fix recommendations and one-click dependency upgrades.

Package Manager Prerequisites

Go Projects

Prerequisite: Ensure that the Go CLI is installed and accessible in your system PATH.

The JFrog Cursor Extension scans all project dependencies, both direct and transitive, even if they are not explicitly declared in go.mod. To construct the Go dependencies tree, it runs go mod graph and intersects the results with go list -f '{{with .Module}}{{.Path}} {{.Version}}{{end}}' all.
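The intersection described above, as an added example that is not part of the extension or this page: it reproduces the step on constructed sample output of both commands, so it runs without a Go toolchain.

```shell
# Constructed `go mod graph` output: one "parent child" requirement edge per line,
# modules written as path@version (the main module carries no version).
MOD_GRAPH='example.com/app github.com/pkg/errors@v0.9.1
example.com/app golang.org/x/text@v0.3.7
github.com/pkg/errors@v0.9.1 golang.org/x/text@v0.3.0
golang.org/x/text@v0.3.7 golang.org/x/tools@v0.1.0'

# Constructed output of go list -f '{{with .Module}}{{.Path}} {{.Version}}{{end}}' all:
# "path version" for each module the build actually selects (main module: empty version).
LIST_ALL='example.com/app
github.com/pkg/errors v0.9.1
golang.org/x/text v0.3.7'

# Keep only edges whose parent and child are both selected modules. `go mod graph` lists
# every requirement ever declared, including superseded versions (x/text@v0.3.0) and
# modules no package of the build imports (x/tools); the intersection drops those, so the
# tree only shows versions that can actually end up in the binary.
intersect_deps() {
  printf '%s\n' "$1" | awk -v sel="$2" '
    BEGIN {
      n = split(sel, lines, "\n")
      for (i = 1; i <= n; i++) {
        m = split(lines[i], f, " ")
        if (m == 2) keep[f[1] "@" f[2]] = 1
        else if (m == 1) keep[f[1]] = 1
      }
    }
    NF == 2 && ($1 in keep) && ($2 in keep) { print $1, $2 }
  '
}

intersect_deps "$MOD_GRAPH" "$LIST_ALL"
```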

Maven Projects

The extension builds the Maven dependencies tree by executing mvn dependency:tree. It enables developers to view licenses and top-issue severities directly from the pom.xml.

Note: Ensure Maven is installed and that the mvn command is available in your system PATH.

If your project includes the Maven Dependency Plugin with include/exclude configurations, scanning will be disabled.

For example:

      <plugins>
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-dependency-plugin</artifactId>
          <configuration>
            <includes>org.apache.*</includes>
          </configuration>
        </plugin>
      </plugins>
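As an added example (not from the page or the extension), a shell pre-check that flags the configuration above in a pom.xml before you rely on the scan; the pom.xml content is constructed for the example.

```shell
# Constructed pom.xml (not a real project) containing the pattern that disables scanning.
POM='<project>
  <build>
    <plugins>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-compiler-plugin</artifactId>
      </plugin>
      <plugin>
        <groupId>org.apache.maven.plugins</groupId>
        <artifactId>maven-dependency-plugin</artifactId>
        <configuration>
          <includes>org.apache.*</includes>
        </configuration>
      </plugin>
    </plugins>
  </build>
</project>'

# Prints each <includes>/<excludes> element found inside a maven-dependency-plugin block
# and returns 0 (scanning would be disabled); returns 1 when no such filter is present.
# Only the dependency plugin block is inspected, so includes on other plugins are ignored.
dependency_plugin_filtered() {
  printf '%s\n' "$1" | awk '
    /<plugin>/  { in_dep = 0 }
    /<artifactId>maven-dependency-plugin<\/artifactId>/ { in_dep = 1 }
    in_dep && /<(includes|excludes)>/ { print "scan-disabling filter: " $0; hit = 1 }
    /<\/plugin>/ { in_dep = 0 }
    END { exit hit ? 0 : 1 }
  '
}

dependency_plugin_filtered "$POM"
```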

Npm Projects

The extension builds the npm dependencies tree using npm list. It provides insights into licenses and top-issue severities directly from package.json.

Prerequisite:

  • Ensure the npm CLI is installed and in your system PATH.
  • Dependencies must be installed using npm install before scanning.

Yarn v1 Projects

The extension builds the Yarn dependencies tree using yarn list, displaying license and security issue details from yarn.lock.

Prerequisite:

  • Ensure the Yarn CLI is installed and in your system PATH
  • Yarn v2 is not yet supported

Pypi Projects

The extension constructs the PyPI dependencies tree by running pipdeptree inside your Python virtual environment. It relies on the Python interpreter path configured in the Cursor Python extension.

Prerequisites:

  • Install the Cursor Python extension.
  • Ensure Python (2 or 3) is available in your system PATH.
  • Set up and activate a virtual environment following the Cursor documentation:
    • Mac/Linux: source <venv-dir>/bin/activate
    • Windows: .\<venv-dir>\Scripts\activate
  • Install your project dependencies within the activated virtual environment.

.NET Projects

For .NET projects using NuGet packages, the extension visualizes the NuGet dependencies tree along with relevant details.

Prerequisites:

  • If your project defines NuGet dependencies in packages.config, ensure the nuget CLI is installed and available in your system PATH.
  • Restore project dependencies using nuget restore or dotnet restore before scanning.
  • Click the Refresh button after restoring dependencies to update the tree view.

Supported Technologies

JFrog Advanced Security Supported Technologies

See JFrog Advanced Security supported technologies.

Software Composition Analysis (SCA) Supported Technologies

For SCA, the extension automatically detects your project's package manager and constructs the dependency graph; if the project's dependencies have not been installed yet, it runs an install command to generate the dependency tree for scanning.

Supported Package Managers for Cursor:

  • Go
  • Maven
  • npm
  • pnpm
  • Yarn
  • Pip
  • Pipenv
  • Poetry
  • .NET CLI
  • NuGet

Installation

The extension can be installed from the Cursor Extensions Marketplace. Once installed, a JFrog tab will appear in the activity bar.

Connect Cursor to the JFrog Platform

After installing the JFrog extension:

  1. Click on the JFrog tab in the activity bar.
  2. This will open the Sign-in page.
  3. Fill in your connection details and click Sign In to start using the extension.
    • To use custom URLs for Artifactory or Xray, click on Advanced.
    • You can also choose alternative authentication methods:
      • Single Sign-On (SSO)
      • JFrog CLI's Connection Details

Connect Using SSO

  1. On the sign-in page, click Continue with SSO.
  2. Enter your JFrog platform URL and click Sign in With SSO.
  3. You will be redirected to your SSO login page.
  4. Once authenticated, you will be signed in to Cursor.

Connect Using JFrog CLI Connection Details

If JFrog CLI is installed and configured with your JFrog Platform details, a notification will appear on the Sign-in page, indicating automatic detection of credentials.

Troubleshooting

Should the JFrog plugin not appear in the search bar, you can download it directly from the Open VSX Registry.

Manage

Access Extension Settings

Click on the gear icon in the JFrog tab to access the extension settings.

Exclude Paths from Scan

By default, paths containing .git, test, venv, and node_modules are excluded from Xray scans. You can modify the exclusion patterns in the Extension Settings.

Proxy Configuration

If your JFrog environment is behind an HTTP/S proxy:

  1. Navigate to Preferences → Settings → Application → Proxy.
  2. Set the proxy URL under Proxy.
  3. Ensure 'Proxy Support' is set to override or on. Alternatively, use the HTTP_PROXY and HTTPS_PROXY environment variables.

Proxy Authorization

If your proxy server requires credentials:

  1. Follow the proxy configuration steps above.
  2. Encode your credentials in Base64 format: [Username]:[Password].
  3. In settings.json, add:
     "http.proxyAuthorization": "Basic [Encoded credentials]"
  4. For access token authorization, use:
     "http.proxyAuthorization": "Bearer [Access token]"
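Steps 2 to 4 as an added shell example (not from the page or the extension); the username, password and token are constructed sample values. It uses printf rather than echo so that no trailing newline is encoded into the credentials, a common cause of proxy authentication failures.

```shell
# Emit the settings.json entry for an authenticated proxy.
#   proxy_auth_setting basic USER PASS   -> Basic <base64 of USER:PASS>
#   proxy_auth_setting bearer TOKEN      -> Bearer TOKEN
# tr strips the line wrapping that some base64 implementations add to long input.
proxy_auth_setting() {
  case "$1" in
    basic)
      encoded=$(printf '%s:%s' "$2" "$3" | base64 | tr -d '\n')
      printf '"http.proxyAuthorization": "Basic %s"\n' "$encoded" ;;
    bearer)
      printf '"http.proxyAuthorization": "Bearer %s"\n' "$2" ;;
    *)
      echo "usage: proxy_auth_setting basic USER PASS | bearer TOKEN" >&2
      return 2 ;;
  esac
}

# Constructed sample credentials; paste the printed line into settings.json.
proxy_auth_setting basic proxyuser 's3cret-sample'
```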

Downloading External Resources Through Artifactory

If your machine lacks access to https://releases.jfrog.io, configure Artifactory to act as a proxy:

  1. Log in to the JFrog Platform UI as an admin.
  2. Create a Remote Repository with these settings:
    • Basic Tab:
    • Advanced Tab: uncheck Store Artifacts Locally to reduce storage.
  3. In the JFrog Cursor Extension Settings, enter the repository key you created.
  4. Alternatively, set the JFROG_IDE_RELEASES_REPO environment variable with the repository key.

Xray Policies and Watches

You can configure the JFrog Cursor Extension to enforce security policies set in Xray:

Using a JFrog Project

  1. Create a JFrog Project or obtain an existing project key.
  2. Create a Policy in JFrog Xray.
  3. Create a Watch in Xray and assign your policy and project to it.
  4. Configure the project key in Extension Settings.

Using Xray Watches:

  1. Create one or more Watches in Xray.
  2. Configure the Watches in Extension Settings.

Troubleshooting

Adjust the log level to debug, info, warn, or err in the Extension Settings to diagnose issues effectively.

Quick Start

Modes of Operation

The JFrog Cursor Extension offers two modes: Local and CI. You can switch between them using the respective buttons next to the components tree.

Local View

  • Displays information about the local code as it is being developed in Cursor.
  • Enables continuous scanning of your workspace.
  • Shows security vulnerabilities in dependencies and source code before they become part of the final product.
  • To scan your workspace, click the Scan/Rescan button in the extension tab or select Start Xray Scan from the editor.

CI View

  • Tracks code as it is built, tested, and scanned by a CI server.
  • Displays build status and includes a link to the CI server log.
  • Provides security information about build artifacts and dependencies.
  • Accessible through the JFrog Panel after switching to CI mode.

Severity Icons

Each severity has its own icon in the tree view:

Severity         Description
Critical         Issue with critical severity
High             Issue with high severity
Medium           Issue with medium severity
Low              Issue with low severity
Unknown          Issue with unknown severity
Not Applicable   CVE issue not applicable to source code

Setting Up Your CI Pipeline

Before the CI View can display data, the CI pipeline must be configured correctly. Follow the guide on how to configure your CI pipeline to expose this data.

Setting Up the CI View

  1. In Extension Settings, set the Build name pattern to match the build name published to Artifactory.
  2. Use * to view all builds published to Artifactory.
  3. After fetching builds from Artifactory, click the Builds button to select which build to display.

How-Tos

Analyze Your Results

Viewing Vulnerabilities

The JFrog extension features a file tree displaying all vulnerabilities detected within the project. Each affected file appears as a tree node.

  • Descriptor files (e.g., pom.xml in Maven, go.mod in Go) list the direct dependencies. If a direct dependency contains vulnerable child dependencies, the tree displays those as well, marked with an '(indirect)' suffix.
  • Additional vulnerability nodes, such as Contextual Analysis Vulnerabilities (when applicable), hard-coded secrets, and SAST, may appear in other source files.

Each file node is interactive—click to expand and navigate to the corresponding file in the IDE. The extension highlights vulnerable lines for better visibility.

  • Locations with vulnerabilities are marked in the editor.
  • Click the light bulb icon next to a vulnerable line to jump to its entry in the tree view.
  • Clicking on a CVE entry will open the issue’s location in the editor along with a vulnerability details view that includes impacted components, fixed versions, and impact paths.

CVE Research and Enrichment

For selected security issues, the JFrog Security Research team provides enriched CVE data to help prioritize fixes:

  • JFrog Severity: JFrog Security’s assessment of the CVE’s likelihood of exploitation.
  • Research Summary: Detailed conditions explaining CVE applicability.
  • Remediation Steps: Fix and mitigation options.

Vulnerability Contextual Analysis

  • Requires Xray v3.66.5+ and Enterprise X/Enterprise+ subscription with Advanced DevSecOps.

Xray automatically analyzes high-impact vulnerabilities to determine their real-world applicability. This includes:

  • Contextual Analysis Status: Indicates if a CVE is applicable to your application.
  • Breakdown: Explanation of why a CVE is relevant or not.
  • Remediation Guidance: Contextual mitigation steps for fixing vulnerabilities.

Static Application Security Testing (SAST)

  • Requires Xray v3.66.5+ and Enterprise X/Enterprise+ subscription with Advanced DevSecOps.

JFrog SAST scans detect vulnerabilities such as:

  • Injection Attacks (SQL, Command, Code, SSRF)
  • Unsafe API Usage (encryption, cryptographic signing, file operations)

SAST findings help developers track vulnerabilities efficiently:

  • Data Flow Analysis: Maps the vulnerability’s lifecycle from entry to execution.
  • Fix Steps: Provides recommended fixes and mitigation strategies.
  • Risk Assessment: Severity classification to prioritize fixes effectively.

Secrets Detection

  • Requires Xray v3.66.5+ and Enterprise X/Enterprise+ subscription with Advanced DevSecOps.

Detect exposed secrets (e.g., API tokens, credentials) within code to prevent accidental leaks.

  • To ignore a detected secret, add a comment with jfrog-ignore above the affected line.

Infrastructure as Code (IaC) Scan

  • Requires Xray v3.66.5+ and Enterprise X/Enterprise+ subscription with Advanced DevSecOps.

Scan Infrastructure as Code (Terraform) files for early detection of cloud and infrastructure misconfigurations.

Resolve Issues

Update a vulnerable direct dependency to a fixed version directly from the vulnerable location in the editor using the quick fix feature.