Frogbot V3
JFrog Frogbot is a Git-based bot that shifts security left by detecting and fixing vulnerabilities in your pull requests and commits. It leverages Software Composition Analysis (SCA), Static Application Security Testing (SAST), Infrastructure as Code (IaC) scanning, and secrets detection to catch risks before they reach production.
Frogbot V3: What's New
JFrog Frogbot V3 introduces centralized configuration management, a cleaner API, and enhanced scanning capabilities—powered by a new Static SCA Engine. This shift to static analysis improves reliability, simplifies setup, and expands visibility across your software supply chain.
If you are upgrading from V2, here are the key changes:
- Static, Build-Independent Scanning: Scans are performed without executing package managers or requiring a build environment, ensuring consistent results even when builds fail.
- Zero-Configuration Project Detection: Automatically detects project structures, including nested and multi-package repositories, with no manual setup required.
- Enhanced Platform Visibility: Scan results are uploaded as CycloneDX (CDX) SBOMs to the JFrog Platform, enabling features such as transitive SBOM tree views and improved remediation insights.
- Unified Scanning Experience: All Git repository scan results are consolidated into the Artifactory Scans List, providing a single view across source code and binaries.
Centralized Configuration via JFrog Platform
The biggest change in V3 is that Frogbot can now be configured entirely from the JFrog Platform UI instead of relying solely on per-repo frogbot-config.yml files and environment variables. Configuration is managed through Config Profiles that follow your SCM hierarchy:
- Server-level configurations apply to all folders and repositories on the server.
- Folder-level configurations override server settings and apply to all sub-folders and repositories within.
- Repository-level configurations override folder and server settings and apply only to that repository.
Settings are inherited downward automatically, so newly added repositories and folders pick up the parent configuration without manual setup. Each entity shows its configuration status: Default (system defaults), Custom (directly configured), or Inherited (using a parent's configuration).
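To make the inheritance rules above concrete, here is an added illustration (not Frogbot's own code) of how effective settings and the Default/Custom/Inherited status can be derived for any entity in a server > folder > repository hierarchy. The profile keys, the setting names and the sample profiles are constructed for the example.

```python
# Constructed model of the Config Profile hierarchy described above.
# Profiles are keyed by SCM path: "" is the server, "acme" a folder,
# "acme/billing" a repository. Nested folders work the same way ("acme/eu/billing").
SYSTEM_DEFAULTS = {"sca": True, "sast": True, "iac": True, "secrets": True}


def resolve(profiles: dict, path: str) -> tuple:
    """Return (effective settings, status) for an SCM path.

    Settings are layered from the server down through every folder to the
    repository, so the closest level that sets a key wins. Status is
    "Custom" when the path has its own profile, "Inherited" when only an
    ancestor does, and "Default" when nothing in the chain is configured.
    """
    parts = [p for p in path.split("/") if p]
    # Ancestor chain, top down: server, then each folder, then the entity itself.
    chain = [""] + ["/".join(parts[: i + 1]) for i in range(len(parts))]
    effective = dict(SYSTEM_DEFAULTS)
    source = None
    for level in chain:
        if level in profiles:
            effective.update(profiles[level])
            source = level
    if source is None:
        status = "Default"
    elif source == chain[-1]:
        status = "Custom"
    else:
        status = "Inherited"
    return effective, status


# Constructed sample: server disables SAST, the "acme" folder disables IaC,
# and one repository re-enables SAST for itself only.
SAMPLE_PROFILES = {
    "": {"sast": False},
    "acme": {"iac": False},
    "acme/payments": {"sast": True},
}

if __name__ == "__main__":
    for repo in ("acme/billing", "acme/payments", "other/tool"):
        settings, status = resolve(SAMPLE_PROFILES, repo)
        print(f"{repo}: {status} {settings}")
```

A repository that is later added under "acme" picks up the folder and server settings with status Inherited, matching the behaviour described above.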
New Scanning Capabilities
- Snippet Detection (SCA) — Detects code snippets copied from open-source projects, even when not installed as a dependency. Available at the repository level.
- Dynamic Token Validation (Secrets) — Validates detected secrets against live services to confirm whether they are active and exploitable.
- Custom Secrets Scanning — Scan for organization-specific secret patterns beyond the built-in rules.
- SAST Rule Exclusions — Exclude specific SAST rules from scans to reduce noise for known false positives.
Before You Begin
- Ensure your environment has: Git, curl, unzip, and glibc 2.33 or later
- Frogbot does not require any special permissions beyond standard repository access
Documentation Structure
- How to Commit Scan and PR Scan — Set up and run scans across CI systems
- How to Consume Results — View and act on scan findings
- Advanced Management and Configuration — Centralized config, frogbot-config.yml, and all parameters
