Try JFrog
Guides
Contact SupportTry JFrog
  1. source-code
  2. Frogbot V3
  3. Scanning Commits and Pull Requests

GitHub

Frogbot integrates with GitHub through GitHub Actions. There are two setup methods:

  • JFrog GitHub App for automatic configuration (recommended)
  • manual configuration for full control

JFrog GitHub App (Recommended)

The JFrog GitHub App provides the simplest setup by automatically creating the Frogbot workflow in your repositories. Once connected, Frogbot runs automatically on pull requests and on a schedule for commit scans.

  1. Navigate to Administration > Xray Settings > Indexed Resources > Git Repositories.
  2. Click Connect and follow the prompts to install the JFrog GitHub App on your GitHub organization.
  3. Select which repositories Frogbot should scan.
    The app automatically creates a GitHub Actions workflow file in each selected repository.
  4. Configure scan settings directly from the JFrog Platform UI:
    • Scans Configuration: Configure which scanners to enable in the JFrog Platform UI
    • Auto-Fix: Set auto-fix preferences (enable/disable, group fixes, templates)
    • PR Decorations: Set PR decoration preferences (show all findings, skip empty comments)
      Results appear in Xray > Scans List > Git Repositories

Manual Configuration

Step 1: Set Repository Secrets

In your GitHub repository, go to Settings > Secrets and variables > Actions and add:

SecretValue
JF_URLYour JFrog Platform URL
JF_ACCESS_TOKENJFrog Platform access token
JF_GIT_TOKENGitHub personal access token with repo scope

Step 2: Allow Frogbot to Create Pull Requests

Go to Settings > Actions > General and under Workflow permissions, select Read and write permissions and enable Allow GitHub Actions to create and approve pull requests.

Step 3: Create the Workflow File

Create .github/workflows/frogbot.yml in your repository:

name: "Frogbot Security Scan"

on:
  pull_request_target:
    types: [opened, synchronize]
  push:
    branches:
      - master
  workflow_dispatch:

permissions:
  pull-requests: write
  contents: write
  security-events: write

jobs:
  pr-security-scan:
    if: github.event_name == 'pull_request_target'
    runs-on: devf-dind-amd-scale-set # ubuntu-latest
    env:
      JF_GIT_API_ENDPOINT: 'https://github.jfrog.info/api/v3' # for github SH only
      JF_GIT_PULL_REQUEST_ID: ${{ github.event.pull_request.number }}
      JF_GIT_BASE_BRANCH: ${{ github.event.pull_request.base.ref }}
      JF_URL: ${{ secrets.JF_URL }}
      JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
      JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      JF_GIT_REPO: ${{ github.event.repository.name }}
      JF_GIT_OWNER: ${{ github.repository_owner }}
      JF_GIT_PROVIDER: 'github'
      JFROG_CLI_LOG_LEVEL: "DEBUG"
      CI: "TRUE"
    steps:
      - name: Download Frogbot V3
        run: |
          curl -fSL \
            -o frogbot \
            "https://releases.jfrog.io/artifactory/frogbot/v3/3.0.0/frogbot-linux-amd64/frogbot"
          chmod +x frogbot
          ./frogbot scan-pull-request

  repository-scan:
    if: github.event_name == 'push' || github.event_name == 'workflow_dispatch'
    runs-on: devf-dind-amd-scale-set # ubuntu-latest
    env:
      JF_GIT_API_ENDPOINT: 'https://github.jfrog.info/api/v3' # for github SH only
      JF_GIT_BASE_BRANCH: ${{ github.ref_name }}
      JF_URL: ${{ secrets.JF_URL }}
      JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
      JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
      JF_GIT_PROVIDER: 'github'
      JF_GIT_OWNER: ${{ github.repository_owner }}
      JF_GIT_REPO: ${{ github.event.repository.name }}
      JFROG_CLI_LOG_LEVEL: "DEBUG"
      CI: "TRUE"
    steps:
      - name: Checkout repository
        uses: actions/checkout@v4
        with:
          ref: master

      - name: Download and run Frogbot V3
        run: |
          curl -fSL \
            -o frogbot \
            "https://releases.jfrog.io/artifactory/frogbot/v3/3.0.0/frogbot-linux-amd64/frogbot"
          chmod +x frogbot
          ./frogbot scan-repository

OpenID Connect (OIDC) Authentication

Instead of storing a JF_ACCESS_TOKEN secret, you can use OIDC for tokenless authentication:

  1. In the JFrog Platform, go to Administration > Security > Settings > OpenID Connect.
  2. Add a new provider with your GitHub Actions OIDC issuer.
  3. Create an Identity Mapping that maps GitHub claims to JFrog permissions.
  4. Update the workflow:
permissions:
  id-token: write
  contents: write
  pull-requests: write
  security-events: write

steps:
  - uses: jfrog/frogbot@v3
    env:
      JF_URL: ${{ secrets.JF_URL }}
      JF_GIT_TOKEN: ${{ secrets.JF_GIT_TOKEN }}
      JF_OIDC_PROVIDER_NAME: "github-frogbot"
      FROGBOT_CMD: "scan-pull-request"

Execution Environment (Open Source Repositories)

For open source repositories where secrets are not available to PRs from forks, create a GitHub Environment named frogbot with no protection rules. Then add to the workflow:

jobs:
  pr-scan:
    environment: frogbot
    runs-on: ubuntu-latest

Updated 30 days ago