Try JFrog
Guides
Contact SupportTry JFrog
Start typing to search…
  1. source-code
  2. Developers
  3. IDEs

JetBrains

The JFrog Plugin enables developers to identify and resolve security vulnerabilities in their projects. By continuously scanning locally with JFrog Security, developers gain insights into their code's security status.

Key Security Capabilities

Basic Features

  • Software Composition Analysis (SCA): Scans project dependencies for security issues and highlights vulnerable components. If a fix is available, you can upgrade to the secure version with a single click.
  • CVE Research and Enrichment: Provides enhanced CVE data from the JFrog Security Research team, helping you prioritize vulnerabilities based on:
    • JFrog Severity: Custom severity rating based on real-world exploitability.
    • Research Summary: Detailed technical analysis explaining vulnerability conditions.
    • Remediation: Fixes and mitigation strategies recommended by JFrog experts.
  • Stay Informed: Follow JFrog’s research team for updates on newly discovered security issues at JFrog Security Research.

Advanced Features

Requires Xray 3.66.5+ and Enterprise X / Enterprise+ with Advanced DevSecOps

  • CVE Contextual Analysis: Reduces false positives by assessing whether a vulnerability is applicable based on the code context. Supported for Python, Java, and JavaScript.
  • Secrets Detection: Identifies exposed keys and credentials in source code to prevent accidental leaks.
  • Infrastructure as Code (IaC) Scan: Secures Terraform files by detecting misconfigurations that could compromise cloud infrastructure.

Additional Benefits

  • Security issues are marked inline for easy identification.
  • Contextualized security reports display issue severity, impact, and recommended fixes.
  • Consolidated security insights available in the JFrog tab within JetBrains IDEs.
  • Quick-fix functionality enables seamless dependency upgrades when fixes are available.
  • Track build status, testing results, and security scans during CI/CD workflows.

Supported JetBrains IDEs

The JFrog Plugin is compatible with the following JetBrains IDEs:

  • IntelliJ IDEA
  • WebStorm
  • PyCharm
  • Android Studio
  • GoLand
  • Rider
  • CLion

Supported Technologies

Software Composition Analysis (SCA)

JFrog supports the following package managers for JetBrains IDEs:

  • Go
  • Maven
  • Gradle
  • npm
  • Yarn v1
  • Yarn v2
  • Pip
  • Pipenv
  • Poetry

Additional SCA Capabilities

  • License Violations detection.
  • Autofix for direct dependencies.

JFrog Advanced Security

JFrog supports the following advanced security features for JetBrains IDEs:

  • Contextual Analysis
  • Secrets Detection
  • Infrastructure as Code (IaC) Security Scanning
  • Static Application Security Testing (SAST)

Installation

Step 1: Install the JFrog Plugin

  • Install the JFrog Plugin via the Plugins tab in the IDE settings or from JetBrains Marketplace.

Step 2: Connect IntelliJ IDEA to Your JFrog Environment

You can connect the plugin to your JFrog environment using one of the following methods:

Using the IDE Settings

  1. Once the plugin is installed, open Settings (Preferences) > Other Settings > JFrog Global Configuration.
  2. Enter your JFrog Platform URL and login credentials.
  3. Click Test Connection to verify connectivity to Xray.
  4. If your JFrog Platform instance is behind an HTTP proxy, configure the proxy settings as described here.
    • Manual proxy configuration is supported from version 1.3.0.
    • Auto-detect proxy settings is supported from version 1.7.0.

Using Environment Variables

  1. Open Settings (Preferences) > Other Settings > JFrog Global Configuration.
  2. Enable Load connection details from environment variables.
  3. Set the required environment variables:
    • JFROG_IDE_PLATFORM_URL – JFrog Platform URL
    • You can provide basic authentication credentials or an access token.
📘

For security reasons, it is recommended to unset environment variables after launching the IDE.

Step 3: Start Using the Plugin

Once connected, you can start using the JFrog plugin within IntelliJ IDEA.

📘

If your JFrog Platform instance uses a domain with a self-signed certificate, add the certificate to IntelliJ IDEA as described here.

Xray Permissions:

Xray 1.9 to 2.x: Users must be granted the "View Components" action.

Xray 3.x and later: Users require "Read" permission to connect. More details here.

Manage

Access Plugin Settings

Click on the gear icon in the JFrog panel to access the plugin settings.

Downloading External Resources Through Artifactory

The JFrog Plugin requires external resources for scanning projects. By default, these resources are downloaded from https://releases.jfrog.io. If the machine running the IDE does not have access to this URL, configure Artifactory as a proxy:

Configure Artifactory as a Proxy

  1. Log in to the JFrog Platform UI as an administrator.

  2. Create a Remote Repository with the following settings:

    • Basic Tab:
      • Package Type: Generic
      • Repository Key: jfrog-releases-repository
      • URL: https://releases.jfrog.io
    • Advanced Tab:
      • Uncheck Store Artifacts Locally.

  3. In the JFrog Plugin settings, navigate to JFrog Global Configuration > Advanced.

  4. Click Download resources through Artifactory.

  5. Enter the Repository Key you created in the Repository Key field.

  6. Alternatively, set the environment variable:

    plaintextCopyEditJFROG_IDE_RELEASES_REPO = [Repository Key]

Applying Xray Policies and Watches

The JFrog Plugin can enforce security policies created in JFrog Xray. Policies define security rules and automated actions that are applied when linked to Watches.

Using a JFrog Project

If your policies are associated with a JFrog Project, follow these steps:

  1. Create a JFrog Project or obtain an existing Project Key.
  2. Create a Policy in JFrog Xray.
  3. Create a Watch in JFrog Xray and assign your Policy and Project to it.
  4. Configure the Project Key in the plugin settings:
    • Go to Settings (Preferences) > Other Settings > JFrog Global Configuration.
    • Navigate to the Settings tab and enter the Project Key.

Using Xray Watches

If your policies are managed through Xray Watches, follow these steps:

  1. Create one or more Watches in JFrog Xray.
  2. Configure the Watches in the plugin settings:
    • Go to Settings (Preferences) > Other Settings > JFrog Global Configuration.
    • Navigate to the Settings tab and enter the Watch details.

Quick Start

Modes of Operation

The JFrog Plugin offers two modes: Local and CI. You can switch between them using the JFrog Panel tabs at the IDE's bottom.

Local View

  • Displays information about the local code as it is being developed in the IDE.
  • Enables continuous scanning of your project with the JFrog Platform.
  • Identifies security vulnerabilities in dependencies and source code before they become part of the final product.
  • To scan your project, click the Run Scan button in the JFrog panel.

CI View

  • Tracks code as it is built, tested, and scanned by a CI server.
  • Displays build status and includes a link to the CI server log.
  • Provides security information about build artifacts and dependencies.
  • Accessible through the JFrog Panel > CI Tab.

Severity Icons

The plugin uses severity icons to indicate the highest severity issue within a selected component and its transitive dependencies.

IconSeverityDescription
CriticalIssue with critical severity
HighIssue with high severity
MediumIssue with medium severity
LowIssue with low severity
UnknownIssue with unknown severity
Not ApplicableCVE issue not applicable to source code
NormalNo issues (used only in CI view)

How Does it Work?

  • The CI information displayed in the IDE is fetched from JFrog Artifactory.
  • Build details are stored as build-info, published to Artifactory by the CI server.
  • If JFrog Xray scans build-info, the plugin will display the scan results in the CI View.

Setting Up CI Integration

Before the CI View can display data, configure your CI pipeline to expose build information:

  1. Go to Settings (Preferences) > Other Settings > JFrog Global Configuration.
  2. Configure your JFrog Platform URL and user credentials.
  3. Navigate to Settings (Preferences) > Other Settings > JFrog CI Integration.
  4. Set your CI Build Name Pattern – this should match the build name published to Artifactory.
    • Use * to view all builds published to Artifactory.
  5. Click Apply, then open the CI Tab in the JFrog panel.
  6. Click Refresh to fetch and display build details.

How-Tos

Software Composition Analysis (SCA)

Each descriptor file (e.g., pom.xml for Maven, go.mod for Go) contains vulnerable dependencies.

  1. Right-click a dependency to:
    • Jump to its declaration in the descriptor file.
    • Upgrade it to a fixed version (if available).
  2. To view the details of a vulnerability, select one from the list.

Vulnerability details include:

  • Vulnerable component information.
  • Fixed versions.
  • Impact paths and more.

CVEs Contextual Analysis

Requires Xray 3.66.5+ and an Enterprise X/Enterprise+ subscription with Advanced DevSecOps.

  • Automatically validates high-impact vulnerabilities.
  • Provides contextual analysis data, including:
    • Status – Indicates whether a CVE is applicable.
    • Breakdown – Explains why a CVE is applicable or not.
    • Remediation – Offers mitigation steps from JFrog's research team.

Secrets Detection

Detects secrets exposed in the code to prevent leaks of internal tokens or credentials.

Requires Xray 3.66.5+ and an Enterprise X/Enterprise+ subscription with Advanced DevSecOps.

  1. To ignore detected secrets, add a comment above the line with the secret:

    plaintextCopyEdit// jfrog-ignore

Infrastructure as Code (IaC) Scanning

Requires Xray 3.66.5+ and an Enterprise X/Enterprise+ subscription with Advanced DevSecOps.

  • Scans Terraform files for cloud and infrastructure misconfigurations.

Troubleshooting

Viewing Plugin Logs

The JFrog Plugin logs events in the IDE log files. By default, the log level is set to INFO.

To increase the log level to DEBUG:

  1. Navigate to Help > Diagnostic Tools > Debug Log Settings...

  2. In the Custom Debug Log Configuration window, add the following line:

    plaintextCopyEdit#com.jfrog.ide.idea.log.Logger

  3. To view the IDE log file, go to Help > Show Log in Explorer/Finder/Konqueror/Nautilus (depending on your OS and IDE version). Learn more here.

Reporting Issues

To report an issue, please open a GitHub issue.

Android Studio Support for JCEF

The JFrog Plugin uses JCEF (Java Chromium Embedded Framework) for webview components in the plugin's tool window.

  • Most IntelliJ-based IDEs include JCEF by default.
  • Android Studio and some older versions of IntelliJ-based IDEs do not include JCEF in their boot runtime, preventing the plugin from loading.

Enable JCEF support in Android Studio

  1. Open the Choose Boot Runtime for the IDE dialog.
  2. Select a boot runtime that includes JCEF.

Updated 2 months ago