Features and Capabilities
Software Composition Analysis (SCA)
Xray’s Software Composition Analysis (SCA) capabilities analyze third-party components to identify and manage different types of risk throughout the SDLC.
Security Risk
Identifies vulnerabilities, malicious behavior, and emerging threats in open-source packages and dependencies.
Capabilities include:
- JFrog Security Research – Continuously updated threat intelligence that identifies known and emerging supply chain threats.
- Malicious Package Detection – Detects packages that exhibit suspicious or harmful behavior beyond known CVEs.
- Detect Malicious AI Models – Identifies potentially harmful AI and machine learning models sourced from external repositories.
- Vulnerability Detection (CVEs) – Identifies known vulnerabilities across supported ecosystems.
Legal Risk
Analyzes open-source licenses to help organizations meet legal, compliance, and distribution requirements.
Capabilities include:
- Custom Software Licenses – Define and manage custom or proprietary licenses.
- License Conclusion – Determine the effective license of a component based on its contents.
- License Attribution Report – Generate attribution reports for compliance and redistribution.
Operational Risk
Helps you identify non-security risks that can impact reliability, maintainability, and long-term support—such as end-of-life (EOL), deprecated, or unmaintained dependencies.
Capabilities include:
- Operational Risk Analysis – Detect operational risks in repositories, builds, and release bundles based on package health and lifecycle signals.
- EOL and Deprecation Detection – Flag components that have reached end-of-life or are marked as deprecated.
- Maintenance and Community Health Indicators – Identify components that haven’t been updated in a long time or show low maintainer activity.
- High-Impact Updates Awareness – Highlight major version changes that may introduce breaking changes or compatibility risks.
- Operational Risk Policies and Violations – Create an operational risk policy, attach it to a watch, and review operational risk data and violations in the scan results workflow.
SBOM and Supply Chain Visibility
Provides insight into the components that make up your software and how risk propagates across artifacts and builds.
Capabilities include:
- SBOM Generation and Analysis
- SBOM Export and Sharing
- Component and Dependency Relationships
Policies, Watches, and Enforcement
Enable governance and automated response to detected risks across the platform.
Capabilities include:
- Policies in JFrog Xray – Define rules for security, legal, and operational risk.
- Watches – Scope policies to specific repositories, builds, or artifacts.
- Violations Handling and Notifications – Track, notify, and respond to policy violations.
- Ignoring Violations (Ignore Rules) – Manage known or accepted risks.
Reporting and Analysis
Provides multiple ways to analyze, consume, and export Xray scan results.
Capabilities include:
- Xray Reports
- Understanding and Analyzing Xray Scan Results
- Exporting Scan Results