End-to-End Experience
Who Is This Experience For?
This end-to-end journey is designed for multiple roles working together:
- Platform / Security Admins – Define policies, configure enforcement, and ensure organizational compliance.
- Developers – Consume secure packages, fix issues early, and move fast without friction.
- DevSecOps & Platform Engineers – Integrate security into CI/CD pipelines and runtime environments.
Each stage below highlights what happens, why it matters, and who is involved.
The JFrog Security Foundation: One Source of Truth
At the core of JFrog Security is a unified security data model built on the JFrog Platform:
- Artifacts & Packages stored and managed in Artifactory
- JFrog Catalog which identifies, enriches, and classifies open-source packages used across the organization
- Metadata such as vulnerabilities, licenses, and package attributes
- SBOMs (Software Bills of Materials), automatically generated or imported
- Policies that define what is allowed, blocked, or monitored
This foundation ensures that every security decision—whether in development, CI/CD, or production—is based on the same trusted data.
The End-to-End Security Journey
1. Prevent Risk in First-Party Code (Development)
Capability: Source Code
- What happens: Developers scan source code to detect security issues early in the development lifecycle.
- Why it matters: Fixing vulnerabilities in code before it is built or deployed significantly reduces cost and risk.
- Who is involved: Developers, with guardrails defined by security teams.
JFrog Security integrates into developer workflows and CI pipelines, helping teams address issues before they become part of an artifact.
2. Identify and Understand Open-Source Usage
Capability: Catalog
- What happens: Open-source packages used across builds and repositories are identified, enriched, and tracked in a centralized catalog.
- Why it matters: Organizations cannot secure what they do not know they are using.
- Who is involved: Platform and security teams.
JFrog Catalog provides visibility into package usage and enriches packages with security and license context. This shared intelligence is used by downstream security controls to make consistent policy decisions.
3. Control Open-Source Dependencies Before They Enter
Capability: Curation
- What happens: Open-source packages are approved or blocked before they are downloaded, based on security and license policies.
- Why it matters: Most applications rely heavily on third-party dependencies, which are a major source of supply chain risk.
- Who is involved: Security admins define policies; developers automatically consume approved components.
Curation ensures that only trusted, policy-compliant packages are introduced into your builds.
4. Detect Risk in Built Artifacts
Capability: Xray
- What happens: Artifacts and builds are continuously scanned for vulnerabilities, license violations, and malicious content.
- Why it matters: Risk can be introduced at build time through dependency updates or configuration changes.
- Who is involved: DevSecOps teams and security admins.
Xray analyzes binaries in context, providing actionable findings tied directly to artifacts and builds.
5. Enforce Security Policies Across the Pipeline
Capability: Policy Enforcement
-
What happens: Security policies are enforced consistently across multiple control points, including:
- Dependency resolution
- Build promotion
- Artifact download
-
Why it matters: A single policy definition ensures consistent enforcement without duplicating rules.
-
Who is involved: Security admins define policies; enforcement happens automatically.
At this stage, teams can choose how to respond when issues are found:
- Block the action ( Create Policies , Xray, Create Advanced Security Policies)
- Allow with conditions (for example, using Curation waivers)
- Automatically select a compliant version (Curation)
6. Understand What You Are Shipping (SBOM)
Capability: SBOM
- What happens: SBOMs are generated, enriched, and associated with artifacts.
- Why it matters: SBOMs provide transparency for compliance, audits, and downstream consumers.
- Who is involved: Security, compliance, and legal teams.
JFrog SBOMs are continuously enriched with vulnerability and license data, ensuring they remain accurate over time.
7. Deep Security Analysis Before Deployment
Capability: Advanced Security
- What happens: Additional scans detect exposed secrets, insecure infrastructure-as-code (IaC), and prioritize vulnerabilities using contextual analysis.
- Why it matters: Not all vulnerabilities pose the same risk. Context helps teams focus on what truly matters.
- Who is involved: Security and DevSecOps teams.
Advanced Security provides deeper insight beyond traditional CVE scanning.
8. Monitor and Protect Applications at Runtime
Capability: Runtime
- What happens: Running applications are monitored for suspicious behavior and exploitation attempts.
- Why it matters: Some risks only emerge in production environments.
- Who is involved: Security and operations teams.
Runtime Security extends protection beyond build and deployment into live environments.
9. Close the Loop: Learn and Improve
Capability: Continuous Feedback
- What happens: Insights from scans and runtime monitoring feed back into policies and development practices.
- Why it matters: Security improves continuously as teams learn from real-world usage.
- Who is involved: All roles.
This feedback loop ensures JFrog Security is not a one-time setup, but an evolving system that adapts to new risks.
Map Your Security Goals to JFrog Capabilities
The table below maps common software supply chain security goals to the JFrog Security capabilities and products that address them. Use it to identify the area most relevant to you, then continue with the recommended next step.
| Security Goal | Capability | JFrog Product |
|---|---|---|
| Prevent risky code | Source code scanning | IDE extensions, Frogbot |
| Prevent risky dependencies | Dependency control | Curation |
| Detect risk in artifacts | Binary & SBOM scanning | Xray |
| Enforce policies | Build & download enforcement | Create Policies Policies in JFrog Xray Create Advanced Security Policies |
| Respond in production | Runtime visibility | Runtime |
Recommended Next Steps
Choose the path that best matches your immediate security goal:
Prevent risky dependencies from entering your environment
Start with the JFrog Curation onboarding guide to define policies that control which open-source packages developers can use and prevent risky dependencies from being introduced.
→ Go to: Curation Workshop
Detect vulnerabilities and license issues in builds and artifacts
Continue with the JFrog Xray onboarding guide to scan artifacts and builds, generate and enrich SBOMs, and manage security findings across your CI/CD pipeline.
→ Go to: Xray Workshop
Learn the core security concepts before configuring
Dive into Products & Concepts to understand foundational topics such as policies, enforcement points, and SBOMs before getting hands-on.
→ Go to: Products/Concepts
Get familiar with JFrog Security terminology
If you’re new to JFrog Security or want quick clarification on terms used throughout the documentation, review the Glossary for concise definitions of key concepts and capabilities.
→ Go to: Glossary
Availability note
JFrog Security capabilities and products are available based on your JFrog subscription and security bundle. To see which capabilities are included in your plan, refer to the JFrog Pricing page or contact your JFrog representative
Updated 3 months ago