Glossary

This glossary defines common terms used across JFrog Security products and documentation. Use it as a reference when exploring security concepts, features, and workflows across the JFrog Platform.

A

Advanced Security

A set of enhanced security capabilities that extend beyond traditional vulnerability scanning to provide deeper risk analysis and prioritization, such as secrets detection, infrastructure-as-code scanning, and contextual vulnerability analysis.

Artifact

A binary output produced by a build process, such as a package, container image, or archive, that is stored and managed in Artifactory. Artifacts are scanned by JFrog Security to identify security, license, and operational risks.

Aggregated SBOM

An SBOM that combines component information from multiple artifacts or builds.

B

Build

A logical representation of a CI/CD process that produces one or more artifacts. Builds provide context for understanding security, license, and operational risk across all included components.

Build Stability

An indication of how reliable and reproducible a build is over time based on its dependencies and configuration.

C

Catalog

A centralized view of packages and components used across an organization, enabling visibility, governance, and policy-based control.

Component

An individual software unit within an artifact or package, such as a dependency or library version, that is evaluated during security and license analysis.

Compliant Version

A package version that satisfies defined security and license policies.

Contextual CVE Analysis

The prioritization of vulnerabilities based on contextual factors such as reachability, exploitability, and actual usage within an application.

Custom Software License

A user-defined license that represents proprietary or non-standard license terms not included in common license databases.

CVE (Common Vulnerabilities and Exposures)

A publicly disclosed security vulnerability assigned a unique identifier.

D

Dependency

A third-party package or library that an application relies on.

Direct Dependency

A dependency explicitly declared by an application.

Transitive Dependency

A dependency introduced indirectly through another dependency.

E

Enforcement

The process of applying policies at defined control points to prevent or manage risk.

Enforcement Action

The outcome applied when a policy violation occurs, such as blocking a download, failing a build, or generating a notification.

Enforcement Point

A stage in the software lifecycle where policies are evaluated, such as dependency resolution, build promotion, artifact download, or runtime execution.

Exploitation Attempt

An attempt to take advantage of a vulnerability or weakness in a running application.

F

False Positive

A reported security issue that is determined not to pose an actual risk.

Fix Recommendation

Guidance provided to help developers remediate identified security issues.

I

Indexing

The process of extracting and storing metadata from artifacts, packages, or SBOMs so they can be efficiently scanned and analyzed for risk.

Ignore Rule

A rule that suppresses specific policy violations for a defined scope, allowing known or accepted risks to be managed without blocking workflows.

Infrastructure as Code (IaC)

Configuration files used to define and provision infrastructure, such as Terraform or Kubernetes manifests.

J

JFrog Security Research

JFrog’s internal research effort that continuously analyzes open-source ecosystems to identify vulnerabilities, malicious activity, and emerging supply chain threats.

L

Label

A metadata tag assigned to packages or components to classify them for governance, policy enforcement, or visibility purposes.

Public Label

A predefined label provided by JFrog to classify packages based on curated criteria.

Private Label

A user-defined label created by an organization to support custom governance or policy workflows.

License

A set of legal terms that define how a software component can be used, modified, and distributed.

License Attribution Report

A report that lists license information for components included in an artifact or build, typically required for compliance and redistribution.

License Conclusion

The effective license determined for a component based on its contents and dependencies.

License Violation

An event triggered when a component or artifact does not comply with defined license policies.

M

Malicious Package

A package that contains intentionally harmful code or behavior, such as credential exfiltration, cryptomining, or backdoors.

Malicious Package Detection

A capability that identifies malicious packages based on behavioral analysis and ecosystem signals, beyond known vulnerabilities.

Malicious AI Model

An AI or machine learning model that contains unsafe behavior, hidden backdoors, or other malicious characteristics.

Misconfiguration

An insecure or incorrect configuration that could lead to vulnerabilities or operational issues.

O

Operational Risk

Risk that affects the reliability, maintainability, or long-term viability of software components, beyond vulnerabilities and licenses.

Outdated Dependency

A dependency that is significantly behind the latest available or recommended version.

On-Demand Scan

A scan that is manually triggered by a user rather than automatically initiated by an event or workflow.

P

Package

A distributable unit of software published to a package ecosystem, such as NPM, PyPI, Maven, or Docker.

Pending Catalog

A temporary state where a package has been detected but not yet fully processed or available for governance actions.

Policy

A set of rules that define acceptable security, license, or operational conditions.

Policy Condition

A specific rule within a policy that evaluates a characteristic such as a vulnerability, license type, or operational risk indicator.

Policy Scope

The set of resources—such as repositories, builds, packages, or projects—to which a policy applies.

Policy Violation

An event triggered when a policy condition is not met.

R

Reachability Analysis

An assessment of whether vulnerable code paths are actually reachable and exploitable within an application.

Repository

A storage location in Artifactory used to host and manage artifacts and packages.

Runtime Security

Security capabilities that monitor running applications to detect suspicious behavior and exploitation attempts in production environments.

Runtime Alert

A notification generated in response to suspicious or policy-violating runtime behavior.

S

Scan

The process of evaluating artifacts, builds, source code, packages, or SBOMs to identify security, license, or operational risks.

Scan Scope

The set of resources included in a scan, such as a specific artifact, build, repository, project, or SBOM.

Scan Type

The category of scan being performed, such as SCA, SAST, secrets detection, or IaC scanning.

Scan Status

The current state of a scan, such as pending, running, completed, or failed.

Scan Result

The output of a scan, including detected vulnerabilities, license issues, malicious indicators, and policy violations.

SBOM (Software Bill of Materials)

A structured inventory of software components and dependencies that make up an artifact or application.

SBOM Enrichment

The process of augmenting an SBOM with additional data such as vulnerabilities, licenses, and risk metadata.

SBOM Import

The process of uploading an externally generated SBOM into the JFrog Platform for analysis and enrichment.

SBOM Export

The process of generating and downloading an SBOM from the JFrog Platform.

SCA (Software Composition Analysis)

The analysis of third-party components to identify security, license, and operational risks.

Secrets Detection

The identification of exposed credentials, tokens, or sensitive information embedded in code or configuration files.

Source Code Security

Security analysis performed on first-party source code to identify vulnerabilities early in the development lifecycle.

Static Application Security Testing (SAST)

A method of analyzing source code to detect security vulnerabilities without executing the application.

V

Violation

A detected instance where a policy condition is not met.

W

Waiver

A temporary or scoped exception that allows a policy violation to be accepted under defined conditions without changing the policy itself.

Waiver Request

A request submitted to approve an exception for a specific policy violation.

Watch

A mechanism in JFrog Xray that scopes policies to specific repositories, artifacts, or builds.

X

Xray

JFrog’s security analysis engine that scans artifacts, builds, and dependencies for security, license, and operational risks.