Frogbot Optional Configuration Parameters
This page lists Frogbot's optional configuration parameters, which you can use to customize scans and fix actions. Each parameter is listed with its description, its default value (where applicable) and the scan types it applies to. Set a parameter as an environment variable before running Frogbot.
| Parameter Name | Description | Default Value | Repo Scan | PR Scan |
|---|---|---|---|---|
| JF_GIT_API_ENDPOINT | API endpoint for a GitHub Self-Hosted environment. | https://api.github.com | ✔️ | ✔️ |
| JF_RELEASES_REPO | Location of engines and resources. See Working in Air-Gapped Environments. | https://releases.jfrog.io | ✔️ | ✔️ |
| JF_PATH_EXCLUSIONS | Semicolon-separated list of exclusion patterns (wildcards allowed) for paths in the Git repository's source code that should be skipped. | `*git*;*node_modules*;*target*;*venv*;*test*` | ✔️ | ✔️ |
| JF_WATCHES | Use the listed Xray Watches, given as <watch-1>,<watch-2>...<watch-n>. | "" | ✔️ | ✔️ |
| JF_PROJECT | JFrog project key (<project-key>). When set, Frogbot reports only policy violations tied to that project instead of all vulnerabilities, so scans appear empty unless the project has active policies. | "" | ✔️ | ✔️ |
| JF_FAIL | Fails the Frogbot task if any security issue is found. | true | ✔️ | |
| JF_DEPS_REPO | Artifactory virtual repository from which dependencies are downloaded when they are not cached locally. | "" | ✔️ | ✔️ |
| JF_BRANCH_NAME_TEMPLATE | Template for generated branch names; must include {BRANCH_NAME_HASH} so that names are unique. | "frogbot-{IMPACTED_PACKAGE}-{BRANCH_NAME_HASH}" | ✔️ | |
| JF_COMMIT_MESSAGE_TEMPLATE | Template for commit messages; may include {IMPACTED_PACKAGE} and {FIX_VERSION}. | "Upgrade {IMPACTED_PACKAGE} to {FIX_VERSION}" | ✔️ | |
| JF_PULL_REQUEST_TITLE_TEMPLATE | Template for pull request titles; may include {IMPACTED_PACKAGE} and {FIX_VERSION}. | "[🐸 Frogbot] Upgrade {IMPACTED_PACKAGE} to {FIX_VERSION}" | ✔️ | |
| JF_GIT_AGGREGATE_FIXES | If true, groups all fixes into a single PR; if false, creates a separate PR per fix. | false | ✔️ | |
| JF_FIXABLE_ONLY | If true, addresses only vulnerabilities that have an available fix. | true | ✔️ | |
| JF_MIN_SEVERITY | Minimum severity level (Low, Medium, High or Critical) a vulnerability must have to be fixed or commented on. | "" | ✔️ | ✔️ |
| JF_GIT_EMAIL_AUTHOR | Author email used for commit messages. | "[email protected]" | ✔️ | |
| JF_ALLOWED_LICENSES | Comma-separated list of allowed licenses. | "" | ✔️ | ✔️ |
| JF_AVOID_EXTRA_MESSAGES | If true, omits additional information from PR comments and shows only the scan findings. | true | ✔️ | |
| JF_PR_COMMENT_TITLE | Custom title for the PR comments Frogbot generates. | | ✔️ | |
| JF_SMTP_SERVER | Used for the JAS secret-finding report: SMTP server URL, including port, for emailing secrets detected in pull request scans. | | ✔️ | |
| JF_SMTP_USER | Username for authenticating with the SMTP server (mandatory if JF_SMTP_SERVER is set). | | ✔️ | |
| JF_SMTP_PASSWORD | Password for authenticating with the SMTP server (mandatory if JF_SMTP_SERVER is set). | | ✔️ | |
| JF_EMAIL_RECEIVERS | Comma-separated list of email addresses that receive notifications about secrets detected in PRs. | "" | ✔️ | |
| JF_INSTALL_DEPS_CMD | Command that installs the project's dependencies (e.g. "nuget restore"). Required if the project uses Yarn 2, NuGet or .NET and no install command is set in frogbot-config.yml. | | ✔️ | ✔️ |
| JF_INCLUDE_ALL_VULNERABILITIES | If set to "true", displays all vulnerabilities, including those that existed before the pull request. | "false" | ✔️ | |
| JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION | If set to "true", keeps comments from previous scans on the pull request when adding new comments. | "false" | ✔️ | ✔️ |
| JF_REQUIREMENTS_FILE | Relative path to a pip requirements.txt file. If not set, dependencies are determined from setup.py. | "true" | ✔️ | ✔️ |
| JF_USE_WRAPPER | Use the Gradle wrapper for builds. | "true" | ✔️ | ✔️ |
| JF_UPLOAD_SBOM_TO_VCS | Publish SBOM dependencies to the GitHub Insights Dependency Graph. The Dependency Graph must be enabled for the GitHub repository. | "true" | ✔️ | |
| JF_SKIP_AUTOFIX | Prevents Frogbot from creating autofix PRs. | "false" | ✔️ | |
| JF_ALLOW_PARTIAL_RESULTS | Keeps Frogbot from failing entirely as long as at least one scanner completes successfully. Partial results are displayed so detected issues can be reviewed, but additional vulnerabilities may remain undiscovered. | "false" | ✔️ | |
| JF_USE_CONFIG_PROFILE | Set to true to configure the Git repository using the JFrog Platform. | "false" | ✔️ | ✔️ |
| ENABLE_CUSTOM_SECRETS_SCANNER | Enables custom search patterns that detect sensitive information in your artifacts and source code, scanning both binary and text files. See the Custom Secrets Scanner documentation. | "true" | ✔️ | ✔️ |
| JF_PR_SHOW_SECRETS_COMMENTS | When set to false, secrets are not displayed in the pull request decorator and the Frogbot action does not fail. The scan results remain available in the JFrog Platform under Scans List. | "false" | ✔️ | |
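Several rows above describe constraints between parameters (JF_BRANCH_NAME_TEMPLATE must keep {BRANCH_NAME_HASH}, JF_SMTP_USER and JF_SMTP_PASSWORD become mandatory once JF_SMTP_SERVER is set, JF_MIN_SEVERITY accepts four named levels, JF_PROJECT silently narrows results to policy violations). The following POSIX shell pre-flight check is an added example, not part of Frogbot or the JFrog documentation: it reads the same environment variables, fails before Frogbot runs when one of those constraints is violated, and warns when JF_PROJECT is set so that an empty scan is not mistaken for a clean one. The set of boolean-valued parameters it validates is taken from the Default Value column; accepting both lowercase and capitalized true/false is an assumption made here.

```shell
#!/bin/sh
# Pre-flight validation of Frogbot optional configuration (added example,
# not Frogbot's own code). Run it after exporting the JF_* variables and
# before invoking Frogbot; it returns non-zero when a documented
# constraint is violated, so the CI job stops before a misconfigured scan.

frogbot_env_check() {
    errors=0

    # JF_BRANCH_NAME_TEMPLATE must contain {BRANCH_NAME_HASH}; without it
    # generated fix branches would not have unique names.
    if [ -n "${JF_BRANCH_NAME_TEMPLATE:-}" ]; then
        case "$JF_BRANCH_NAME_TEMPLATE" in
            *'{BRANCH_NAME_HASH}'*) ;;
            *) echo "error: JF_BRANCH_NAME_TEMPLATE must contain {BRANCH_NAME_HASH}" >&2
               errors=$((errors + 1)) ;;
        esac
    fi

    # Once JF_SMTP_SERVER is set, JF_SMTP_USER and JF_SMTP_PASSWORD are mandatory.
    if [ -n "${JF_SMTP_SERVER:-}" ]; then
        for v in JF_SMTP_USER JF_SMTP_PASSWORD; do
            eval "val=\${$v:-}"
            if [ -z "$val" ]; then
                echo "error: $v is required when JF_SMTP_SERVER is set" >&2
                errors=$((errors + 1))
            fi
        done
    fi

    # JF_MIN_SEVERITY accepts only the four documented levels.
    if [ -n "${JF_MIN_SEVERITY:-}" ]; then
        case "$JF_MIN_SEVERITY" in
            Low|Medium|High|Critical) ;;
            *) echo "error: JF_MIN_SEVERITY must be Low, Medium, High or Critical (got '$JF_MIN_SEVERITY')" >&2
               errors=$((errors + 1)) ;;
        esac
    fi

    # Boolean parameters (those whose default in the table is true/false):
    # anything other than true/false is a typo that Frogbot may not interpret
    # the way the author intended. Case variants are accepted here by assumption.
    for v in JF_FAIL JF_GIT_AGGREGATE_FIXES JF_FIXABLE_ONLY JF_AVOID_EXTRA_MESSAGES \
             JF_INCLUDE_ALL_VULNERABILITIES JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION \
             JF_USE_WRAPPER JF_UPLOAD_SBOM_TO_VCS JF_SKIP_AUTOFIX JF_ALLOW_PARTIAL_RESULTS \
             JF_USE_CONFIG_PROFILE ENABLE_CUSTOM_SECRETS_SCANNER JF_PR_SHOW_SECRETS_COMMENTS; do
        eval "val=\${$v:-}"
        if [ -n "$val" ]; then
            case "$val" in
                true|false|True|False|TRUE|FALSE) ;;
                *) echo "error: $v must be true or false (got '$val')" >&2
                   errors=$((errors + 1)) ;;
            esac
        fi
    done

    # JF_PROJECT restricts output to that project's policy violations; an empty
    # result is then expected whenever the project has no active policies.
    if [ -n "${JF_PROJECT:-}" ]; then
        echo "note: JF_PROJECT=$JF_PROJECT; only violations of that project's policies are reported" >&2
    fi

    [ "$errors" -eq 0 ]
}

# Usage in a CI step, after the JF_* variables have been exported:
#   frogbot_env_check || exit 1   # then invoke Frogbot as usual
```

The check deliberately only reads variables and prints to stderr; it never echoes JF_SMTP_PASSWORD or any other secret value, so it is safe to run in CI logs.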