Impact Search
Impact Search is a capability in JFrog Xray that enables security and DevOps teams to quickly identify which artifacts in their organization are affected by specific vulnerabilities or contain particular software packages.
By allowing targeted searches across scanned artifacts, Impact Search helps teams understand the blast radius of vulnerabilities and risky dependencies across their software supply chain. This enables faster triage, accurate risk assessment, and more effective remediation prioritization.
Important
This capability depends on the SBOM Service.
Self-Managed users must enable the SBOM feature and complete the SBOM migration.
If SBOM is disabled, the API returns 403 – “SBOM is disabled”.
Why Use Impact Search
In large-scale environments, artifacts are distributed across numerous repositories and ecosystems. When a new zero-day vulnerability or risky dependency is disclosed, manually locating every instance of that component is time-consuming.
Impact Search allows you to:
- Trace Vulnerabilities: Locate all artifacts affected by a specific Vulnerability ID (e.g., CVE).
- Inventory Packages: Find artifacts containing a specific package, ecosystem, or version.
- Audit Exposure: View exactly where components are stored and verify the last scan timestamp.
- Accelerate Response: Generate reliable, scan-based data for stakeholders and auditors.
Supported Search Criteria
Impact Search supports structured searches based on vulnerability and package metadata, including:
- Vulnerability ID (for example, CVE identifiers)
- Package Name
- Package Type (ecosystem such as npm, Maven, PyPI)
- Package Version
Multiple criteria can be combined to refine results and improve accuracy.
Search Results
Impact Search returns a list of affected resources, including:
- Resource name with a direct link to the scanned artifact
- Repository location
- Component and package details
- Artifact path
- Last Xray scan date
This information helps teams quickly determine exposure and remediation priorities.
Scope and Coverage
Impact Search is limited to artifacts that have been indexed and scanned by Xray.
This means:
- Only repositories with Xray indexing enabled are included
- Results reflect the most recent Xray scan
- Unscanned or unindexed artifacts do not appear in results
To ensure comprehensive coverage, verify that critical repositories are indexed and monitored by Xray.
API Support
Impact Search is powered by the Impacted Resources REST API:
