Scan Results in GitHub Security
Frogbot performs both full repository scans and pull request (PR) scans to detect security issues. Results are posted directly to the GitHub Security dashboard, allowing developers to stay within their native GitHub workflow.
Before You Begin
- It is essential that you enable GitHub code scanning for the repositories you wish to scan.
- Full repository scans automatically appear in GitHub Security.
- PR scans must be manually enabled.
Procedure
- (Optional) Enable PR security results by setting the following environment variable to true:
  JF_UPLOAD_PR_SECURITY_RESULTS_TO_VCS=true
- In GitHub, go to the repository scanned by Frogbot and click the Security tab.
- In the left pane, select Code scanning alerts.
  Full repository scan results appear under the scanned branch and are filtered by branch:<branch-name>.
  PR scan results appear under the scanned PR and are filtered by pr:<pr-number>.
- (Optional) Use the Tool filter to narrow down results. The Frogbot tools to filter by are:
  - JFrog SAST
  - JFrog Secrets scanner
  - JFrog Terraform scanner
  - JFrog Xray scanner
- Click an issue to view its details.
SBOM in GitHub Dependency Graph
Frogbot generates an SBOM for each scanned repository and publishes it to the repository’s Dependency graph in GitHub. This lets developers review direct and transitive dependencies within their native GitHub workflow.
Before You Begin
- Requires a JFrog Advanced Security license.
- Enable the GitHub Dependency Graph for the repositories you wish to publish SBOMs to.
- To disable automatic SBOM results from being uploaded to GitHub, set the JF_UPLOAD_SBOM_TO_VCS parameter to false.
Procedure
- In GitHub, open the repository scanned by Frogbot and click Insights.
- In the left pane, select Dependency graph.
- Open the SBOM view (if available) to see the latest SBOM uploaded by Frogbot, or review the dependency list populated from the SBOM.
- Click a dependency to view details such as version, relationships, and metadata.
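The following GitHub Actions workflow shows where the two variables described on this page (JF_UPLOAD_PR_SECURITY_RESULTS_TO_VCS for PR results in the Security tab, JF_UPLOAD_SBOM_TO_VCS for the Dependency graph) are set; it is an added example, not part of this page or of Frogbot's own documentation. The jfrog/frogbot@v2 action, the JF_URL, JF_ACCESS_TOKEN and JF_GIT_TOKEN variables, and the permissions block are assumed from Frogbot's standard GitHub Actions setup and are not defined on this page.

```yaml
# Added example workflow (assumed Frogbot setup; only the two JF_UPLOAD_* variables come from this page)
name: Frogbot security scan
on:
  push:
    branches: [main]      # full repository scan -> Security tab, filtered by branch:<branch-name>
  pull_request:           # PR scan -> Security tab, filtered by pr:<pr-number>

permissions:
  contents: read
  pull-requests: write    # assumed: lets Frogbot comment on the PR
  security-events: write  # assumed: required for GitHub code scanning uploads

jobs:
  frogbot:
    runs-on: ubuntu-latest
    steps:
      - uses: jfrog/frogbot@v2   # assumed action name
        env:
          # Assumed connection settings, stored as repository secrets
          JF_URL: ${{ secrets.JF_URL }}
          JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # From this page: PR scan results are NOT posted to GitHub Security unless enabled
          JF_UPLOAD_PR_SECURITY_RESULTS_TO_VCS: "true"
          # From this page: SBOM upload to the Dependency graph is on by default;
          # set to "false" to opt out (requires a JFrog Advanced Security license)
          JF_UPLOAD_SBOM_TO_VCS: "true"
```

Code scanning (and, for SBOMs, the Dependency graph) must be enabled on the repository first, or the uploads have nowhere to land.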