Features and Capabilities
Core Capabilities
Visibility
- Real-Time Monitoring: Provides live status updates on images and workloads detected in monitored clusters.
- Enhanced Visibility (Runtime Impact only): Provides process-level visibility into running workloads by identifying the actual OS executables and application processes executing inside containers. This enables Runtime-Validated Vulnerability detection—showing not just what vulnerabilities exist in an image, but whether the vulnerable code is actively loaded and running. By focusing on live processes, Runtime Impact reduces noise, highlights real risks, and enables full traceability from a running process back to the originating build and developer.
Examples include:
- Shell processes (e.g., bash, sh) – Detects interactive shells running in containers, which may indicate manual intervention or potential compromise.
- System utilities (e.g., mv, curl) – Monitors file movement and outbound network activity that could indicate data exfiltration, lateral movement, or persistence attempts.
- Application runtimes (e.g., java, go) – Confirms whether application processes are live, allowing correlation with Xray findings to determine if specific CVEs are truly exploitable at runtime.
Trust Assessment
- Trusted Registry Verification: Confirms whether an image originates from a trusted registry. Images pulled from unverified or unknown registries are flagged as untrusted.
- Integrity Violation Detection and Explainability: Identifies discrepancies between running container images and their source artifacts in Artifactory. When a violation is detected, Runtime provides a detailed explainability view with the violation type, severity, forensic evidence, the exact location in your infrastructure, and actionable remediation steps.
Integrity Violation Explainability
Runtime detects three types of integrity violations, each with a different severity level reflecting the risk to your environment:
| Violation Type | Severity | Description |
|---|---|---|
| Digest Mismatch | Critical | The running image digest does not match the digest stored in Artifactory. This indicates potential image tampering, a man-in-the-middle attack, or a mis-deployment event. |
| Missing Source | High | The image is running in your cluster but the source artifact could not be found in the Artifactory registry. This may indicate a deleted artifact or an unauthorized image sideloaded into the cluster. |
| Post-Deployment Tag Update | Medium | The source image tag was updated in Artifactory after this running instance was deployed. This indicates mutable image tags (e.g., latest) where the running code differs from the code currently stored under the same tag. |
For each violation, the explainability view presents three sections:
- Evidence ("What was found?") — Forensic details specific to the violation type, such as digest comparisons, deployment-to-update timelines, or missing artifact status.
- Location ("Where is the violation?") — The exact infrastructure context: when it was first detected, and in which cluster, namespace, workload, and node.
- Recommendations ("What steps are recommended?") — Actionable remediation guidance tailored to the violation type.
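The classification above, as an added illustration that is not part of the product or this page: a constructed data model and a check that maps a running image and its Artifactory record to one of the three violation types with its severity and explainability sections. The field names and the rule that separates a tag update from a digest mismatch (whether the tag was pushed after the instance was deployed) are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

# Constructed data model; field names are assumptions, not the product's schema.
@dataclass
class RunningImage:
    reference: str      # image reference seen in the cluster, e.g. "app:latest"
    digest: str         # digest of the image actually running
    deployed_at: int    # unix time the instance was deployed
    cluster: str
    namespace: str
    workload: str
    node: str

@dataclass
class SourceImage:
    digest: str          # digest currently stored under the same tag in Artifactory
    tag_updated_at: int  # unix time the tag was last pushed

def assess_integrity(running: RunningImage, source: Optional[SourceImage]) -> Optional[dict]:
    """Classify a running image against its Artifactory record.

    Returns an explainability record (type, severity, evidence, location,
    recommendation), or None when the running digest matches the source.
    """
    location = {"cluster": running.cluster, "namespace": running.namespace,
                "workload": running.workload, "node": running.node}
    if source is None:
        return {"type": "Missing Source", "severity": "High",
                "evidence": {"reference": running.reference, "source_status": "not found"},
                "location": location,
                "recommendation": "Check whether the artifact was deleted or the image was sideloaded."}
    if running.digest == source.digest:
        return None
    evidence = {"running_digest": running.digest, "source_digest": source.digest}
    # Assumption: a digest difference explained by a tag push after deployment is the
    # mutable-tag case; an unexplained difference is treated as possible tampering.
    if source.tag_updated_at > running.deployed_at:
        evidence.update({"deployed_at": running.deployed_at,
                         "tag_updated_at": source.tag_updated_at})
        return {"type": "Post-Deployment Tag Update", "severity": "Medium",
                "evidence": evidence, "location": location,
                "recommendation": "Pin deployments to digests rather than mutable tags, then redeploy."}
    return {"type": "Digest Mismatch", "severity": "Critical",
            "evidence": evidence, "location": location,
            "recommendation": "Isolate the workload and compare the running image with the stored artifact."}
```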
Prioritization
- Cross-Correlation Insights: Integrates with JFrog Xray and Advanced Security to assess the severity and relevance of detected images and potentially malicious packages.
- Blast Radius Analysis: Evaluates the number of workloads using specific images and their locations across clusters, helping to gauge the impact of vulnerabilities.
- Vulnerability Prioritization (Runtime Impact only):
- Determines if vulnerable code is actively loaded into memory, focusing on real threats.
- Helps prioritize remediation efforts by identifying vulnerabilities currently in use.
Vulnerability Prioritization Dashboard
The Vulnerability Prioritization Dashboard provides a centralized view of all CVEs detected across running container images, combining static scan data from JFrog Xray and Advanced Security with runtime intelligence from deployed sensors. It enables security teams to cut through vulnerability noise and focus on the issues that pose real risk to production.
The dashboard includes:
- Prioritization Funnel — A multi-stage funnel that progressively narrows vulnerabilities from all detected CVEs down to those that are Critical/High severity, confirmed applicable by Contextual Analysis, have a fix version available, and are validated as actively running in production. Stages are cumulative, so each layer builds on the previous one.
- Vulnerability Table — A detailed, searchable, and filterable table of individual CVEs with severity, CVSS scores, JFrog Research severity, contextual analysis status, fix availability, runtime validation status, affected components, and related images.
- Blast Radius View — For any CVE, drill down to see all running container images affected, helping gauge impact across clusters and workloads.
- Running Images Trend Chart — A 30-day time-series tracking running image counts, scan coverage, and vulnerability severity breakdowns over time.
- Live Assessment Highlights — At-a-glance risk indicators for malicious packages, critical & applicable CVEs, and integrity violations across the environment.
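The cumulative funnel and the blast radius drill-down described above, worked through as an added example (not the product's own code) on a constructed set of CVE records; the record fields and the placeholder CVE identifiers are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, List, Tuple

# Constructed CVE record; field names are assumptions, not the product's schema.
@dataclass
class Cve:
    cve_id: str
    severity: str             # "Critical", "High", "Medium" or "Low"
    applicable: bool          # Contextual Analysis confirmed the vulnerable code path is reachable
    fix_version: Optional[str]  # None when no fixed version exists
    runtime_validated: bool   # a sensor saw the vulnerable component loaded in a running process
    images: tuple             # running container images carrying the component

# Each stage is applied on top of the previous ones, so counts only decrease.
STAGES = [
    ("All CVEs", lambda c: True),
    ("Critical/High", lambda c: c.severity in ("Critical", "High")),
    ("Applicable", lambda c: c.applicable),
    ("Fix available", lambda c: c.fix_version is not None),
    ("Running in production", lambda c: c.runtime_validated),
]

def prioritization_funnel(cves: List[Cve]) -> List[Tuple[str, int, List[str]]]:
    """Return (stage name, surviving count, surviving CVE ids) for each stage."""
    remaining = list(cves)
    result = []
    for name, keep in STAGES:
        remaining = [c for c in remaining if keep(c)]
        result.append((name, len(remaining), [c.cve_id for c in remaining]))
    return result

def blast_radius(cves: List[Cve], cve_id: str) -> List[str]:
    """All running images affected by one CVE, for the drill-down view."""
    return sorted({img for c in cves if c.cve_id == cve_id for img in c.images})

# Constructed sample findings with placeholder identifiers.
SAMPLE_CVES = [
    Cve("CVE-EXAMPLE-1", "Critical", True, "2.1.0", True, ("app:1.0", "web:2.3")),
    Cve("CVE-EXAMPLE-2", "High", True, None, True, ("app:1.0",)),
    Cve("CVE-EXAMPLE-3", "High", False, "1.2", True, ("batch:0.9",)),
    Cve("CVE-EXAMPLE-4", "Medium", True, "3.0", True, ("web:2.3",)),
    Cve("CVE-EXAMPLE-5", "Critical", True, "5.1", False, ("batch:0.9",)),
]
```

Only CVE-EXAMPLE-1 survives every stage: it is Critical, applicable, fixable and observed running, so it is the one to remediate first.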
Traceability
Identifies image owners and locates the build owner and deployer of each running image, enabling rapid risk mitigation.
Real-Time Alerting
Automates security policy enforcement, allowing organizations to apply predefined security rules.
Access Control
JFrog Runtime Security uses a Role-Based Access Control (RBAC) model that limits access to runtime-detected Docker images based on project-level permissions. Runtime Security monitors container environments and reports both trusted and untrusted images, and RBAC ensures that users see only the images associated with the projects they belong to. Admins have full visibility across all runtime data, while project-scoped users view only the images relevant to their assigned projects, reducing unnecessary exposure of sensitive information and keeping visibility aligned with each user’s responsibilities.
Visibility of JFrog Platform Projects
Every Docker image monitored by Runtime Security is associated with one or more JFrog Projects, based on repository assignment or admin configuration.
When users access Runtime Security (UI or API), the system automatically filters the image list according to the projects they belong to and the roles assigned within those projects.
- Project Members see only the images associated with their assigned project(s).
- Project Admins manage which members can access their project’s runtime assets.
- Platform Admins can configure all projects and assign roles globally.
