GitHub Advanced Security
Frogbot integrates with GitHub's security features to surface scan results directly in the GitHub UI.
PR Decorations
When Frogbot runs a PR scan, it posts comments directly on the pull request with details about new security issues introduced by the change. Each comment includes:
- The CVE or finding identifier
- Severity level
- Affected component and version
- Fix version (if available)
- Contextual analysis status (applicable, not applicable, etc.)
Configuring PR Decorations
With centralized configuration, PR decoration behavior is managed from the JFrog Platform:
- Show all security finding types — When enabled, PR comments include both vulnerabilities and policy violations. When disabled (default), only new vulnerabilities are shown.
- Skip comments on pull requests with no security issues — When enabled, Frogbot does not post a comment on clean PRs. This reduces noise for teams with many pull requests.
These settings can be configured in the Platform UI under the PR Decorations tab, or via the frogbot-config.yml file.
GitHub Security Tab (Code Scanning Alerts)
Frogbot uploads results to GitHub's Code Scanning feature using SARIF format. Results appear in the Security > Code scanning alerts tab of your repository.
Viewing Results
- In your GitHub repository, go to the Security tab.
- Click Code scanning alerts.
- Use the Tool filter to view results from specific scanners:
  - JFrog Xray scanner — SCA findings (vulnerabilities in dependencies)
  - JFrog SAST — Static analysis findings in first-party code
  - JFrog Secrets scanner — Detected secrets and credentials
  - JFrog Terraform scanner — IaC misconfiguration findings
Full Repo Scan vs PR Scan Results
- Full repository scan (commit scan) results are automatically uploaded to Code Scanning and appear as alerts.
- PR scan results appear as Code Scanning alerts only if they are uploaded, which does not happen by default for PR scans (full scans upload automatically).
GitHub Dependency Graph (SBOM)
Frogbot can publish SBOMs to GitHub's Dependency Graph, providing visibility into your project's components directly in GitHub.
Viewing the SBOM
- In your GitHub repository, go to Insights > Dependency Graph.
- The graph shows all components detected by Frogbot's SCA scan.
Requirements
- JFrog Advanced Security license
- GitHub Dependency Graph must be enabled for the repository
- JF_UPLOAD_SBOM_TO_VCS must be true (default)
SBOM upload occurs during commit scans (repository scans), not PR scans.
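A scheduled commit-scan workflow that produces both the Code Scanning alerts and the Dependency Graph SBOM described above, added here as an example rather than taken from this page. It assumes the jfrog/frogbot@v2 action and repository secrets named JF_URL and JF_ACCESS_TOKEN, and sets JF_UPLOAD_SBOM_TO_VCS explicitly even though it defaults to true.

```yaml
# Added example: scheduled full-repository (commit) scan with Frogbot.
# Assumed: the jfrog/frogbot@v2 action and secrets named JF_URL / JF_ACCESS_TOKEN.
name: Frogbot scan repository
on:
  workflow_dispatch:
  schedule:
    - cron: "0 3 * * *"   # daily commit scan; PR scans do not upload SARIF or the SBOM
permissions:
  contents: write          # Frogbot opens fix pull requests on the repository
  pull-requests: write
  security-events: write   # required to upload SARIF into Security > Code scanning alerts
jobs:
  scan-repository:
    runs-on: ubuntu-latest
    steps:
      - uses: jfrog/frogbot@v2
        env:
          JF_URL: ${{ secrets.JF_URL }}
          JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}
          # Publish the SCA SBOM to Insights > Dependency Graph. The default is already
          # true; stating it here makes the behaviour reviewable in the workflow file.
          JF_UPLOAD_SBOM_TO_VCS: "true"
```

The repository-scoped GITHUB_TOKEN is enough here because the scan runs in the same repository; the security-events permission above is what the SARIF upload is checked against.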
