Scanning Commits and Pull Requests
This page covers the core Frogbot commands and concepts that apply regardless of which CI system you use.
Frogbot Commands
| Scan Type | Command | Description |
|---|---|---|
| Pull Request | frogbot scan-pull-request | Scans a pull request by comparing the project state before and after the proposed change. Only new issues introduced by the PR are reported. Results are posted as PR comments (decorations). |
| Commit (Repository Scan) | frogbot scan-repository | Scans the latest commit of a branch for all existing vulnerabilities. When fixable issues are found and auto-fix is enabled, Frogbot opens a pull request with the necessary dependency upgrades. |
Environment Variables
Required Variables
These variables must be set in your CI environment regardless of the CI system:
| Variable | Description | Required |
|---|---|---|
| JF_URL | JFrog Platform URL (e.g., https://my-instance.jfrog.io) | Yes |
| JF_ACCESS_TOKEN | JFrog Platform access token | Yes (or JF_USER + JF_PASSWORD) |
| JF_GIT_TOKEN | Git provider personal access token | Yes |
| JF_GIT_API_ENDPOINT | API endpoint for GitHub Enterprise | No (defaults to https://api.github.com) |
| JF_PROJECT | JFrog project key for Xray policies | Yes, when using Projects in the JFrog Platform |
For the full parameter reference, see Advanced Management and Configuration.
Configuring Centralized Configuration
Instead of configuring Frogbot per-repository with environment variables and YAML files, Frogbot allows you to manage all settings using the JFrog Platform:
- Configure scan settings in Administration > Xray Settings > Indexed Resources > Git Repositories.
Frogbot will fetch its configuration from the platform at scan time.
Platform-managed settings include: which scanners to enable, auto-fix behavior, PR decoration options, and path exclusions. See Advanced Management and Configuration for details.
When both platform configuration and local settings (environment variables or frogbot-config.yml) are present, local settings take precedence.
Scan Behavior
- Frogbot checks out the PR's target branch and scans it.
- Frogbot checks out the PR's source branch and scans it.
- The results are compared — only new issues are reported.
- PR comments are posted with details about each new finding.
Default templates for the fix pull requests that frogbot scan-repository opens:
| Setting | Default Value |
|---|---|
| Branch name | frogbot-${IMPACTED_PACKAGE}-${BRANCH_NAME_HASH} |
| Commit message | Upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION} |
| PR title | [🐸 Frogbot] Upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION} |
The branch name template must include ${BRANCH_NAME_HASH} to ensure uniqueness.
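The following pre-flight script is an added example (not part of Frogbot) that a CI job can run before invoking Frogbot: it checks the required variables from the table above without echoing their values, rejects a non-HTTPS JF_URL, picks the command for the job type, and enforces the ${BRANCH_NAME_HASH} rule for a custom branch name template. The event names and the function names are assumptions for illustration.

```shell
#!/usr/bin/env sh
# Added example: Frogbot pre-flight checks for any CI system.
# Returns 0 when the required variables are present, 1 otherwise.
# Only variable names are reported, never their values.
frogbot_preflight() {
  missing=""
  [ -n "${JF_URL:-}" ] || missing="$missing JF_URL"
  # Either an access token or a user/password pair satisfies authentication.
  if [ -z "${JF_ACCESS_TOKEN:-}" ]; then
    if [ -z "${JF_USER:-}" ] || [ -z "${JF_PASSWORD:-}" ]; then
      missing="$missing JF_ACCESS_TOKEN(or JF_USER+JF_PASSWORD)"
    fi
  fi
  [ -n "${JF_GIT_TOKEN:-}" ] || missing="$missing JF_GIT_TOKEN"
  if [ -n "$missing" ]; then
    echo "frogbot preflight: missing required variables:$missing" >&2
    return 1
  fi
  # A plain http:// URL would send the access token in clear text.
  case "$JF_URL" in
    https://*) ;;
    *) echo "frogbot preflight: JF_URL must start with https://" >&2; return 1 ;;
  esac
  return 0
}

# Picks the Frogbot command for the current job. $1 is the CI event name
# (assumed names: "pull_request"/"merge_request" for PR jobs, anything
# else, e.g. "push", is treated as a branch scan).
frogbot_command_for() {
  case "$1" in
    pull_request|merge_request) echo "scan-pull-request" ;;
    *) echo "scan-repository" ;;
  esac
}

# Validates a custom branch name template: it must contain
# ${BRANCH_NAME_HASH} so that generated fix branches stay unique.
frogbot_branch_template_ok() {
  case "$1" in
    *'${BRANCH_NAME_HASH}'*) return 0 ;;
    *) echo "branch name template must contain \${BRANCH_NAME_HASH}" >&2; return 1 ;;
  esac
}

# Typical use in a job step (CI_EVENT is an assumed variable name):
# frogbot_preflight && frogbot "$(frogbot_command_for "$CI_EVENT")"
```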