Package Applications in Docker for Contextual Analysis
Use case: You need binary vulnerability contextual analysis (applicability scanning) on container images with Advanced Security. Xray runs contextual analysis on Docker and OCI repositories by unpacking image layers and analyzing the code and binaries inside them.
If you scan source code with the JFrog CLI, Frogbot, or an IDE integration, you can enable contextual analysis without Docker. Use this guide when you need applicability results for built artifacts packaged in container images.
Before You Begin
You need the following:
- JFrog Xray with Advanced Security enabled.
- A local or remote Docker or OCI repository in Artifactory.
- Permission to push images to Artifactory and configure Xray indexed resources.
- For self-hosted environments: outbound network access from Xray to releases-docker.jfrog.io so that the Advanced Security scanning helper images can be pulled.
Note
Contextual analysis is enabled per repository type. At the platform level, contextual analysis applies to Docker, OCI, Maven, and Gradle repositories. NuGet repositories do not support contextual analysis directly. For C# and .NET binary applicability, package built artifacts inside a Docker or OCI image.
Package Applications Inside the Container
For contextual analysis to run on a container image, packages and dependencies must be physically present inside image layers. Xray recursively unpacks layers and analyzes embedded files.
If a dependency appears only in a metadata file (such as pom.xml, package.json, or *.csproj) but the physical libraries are not copied into the image, Xray cannot analyze them for contextual analysis. Affected CVEs may show Not Scanned or be omitted from applicability results.
Java (Maven and Gradle)
When you package Java applications inside Docker, build a fat JAR or Uber JAR so dependencies are physically archived inside the JAR, then copy that JAR into the image.
For a Maven example, see Create an Uber JAR for Contextual Analysis.
Note
Java contextual analysis is also supported on Maven and Gradle repositories for Uber JAR and fat JAR artifacts without containerizing them. This guide focuses on the Docker packaging path.
JavaScript and npm
Place node_modules and application source inside the image layers.
As a recommended practice, avoid fully minifying or uglifying production JavaScript inside the container when you need contextual analysis. Heavy minification can obfuscate function and variable names and make it harder for the engine to map function calls and determine reachability.
C# and NuGet
Binary contextual analysis for C# and .NET is supported inside Docker (and OCI) container images. Place compiled executables and *.dll files inside image layers.
When you publish a .NET application, include the full publish output:
- Application binaries (*.dll, *.exe)
- Dependency manifest (*.deps.json)
- Runtime configuration (*.runtimeconfig.json), when applicable
Example Dockerfile:
FROM mcr.microsoft.com/dotnet/runtime:8.0
WORKDIR /app
# Copy the complete publish output (*.dll, *.exe, *.deps.json, *.runtimeconfig.json)
# so the physical binaries, not only project metadata, end up in the image layer.
COPY ./publish/ .
Binary contextual analysis for .NET binaries in Docker requires Xray 3.95.4 or later. For binary scanning details, see C# / .NET.
C and C++ (Conan)
Place compiled executables and C++ binaries inside image layers so Xray can analyze them during container scanning. Binary contextual analysis for C and C++ is supported inside Docker per Supported Technologies.
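The sections above share one failure mode: a manifest (package.json, pom.xml, *.csproj) lands in the image while the libraries it describes do not, and the .NET section adds a second one, a *.dll copied without its *.deps.json. The script below is an added example, not JFrog code and not what Xray runs; it unpacks a `docker save` style tarball offline and flags those gaps before you push. The ecosystem heuristics (which files count as metadata, which as physical dependencies) and the two sample tarballs are constructed for illustration, and the manifest.json layout is the minimal docker-save form; real images carry more blobs, which the script skips if they are not tar archives.

```shell
#!/bin/sh
# Offline pre-push check: does each ecosystem's dependency metadata inside an
# image tarball (docker save / OCI layout) come with the physical libraries?
# Added example, not JFrog code. The sample images below are constructed here.
set -eu

# list_image_files IMAGE_TAR: print every path stored in every layer archive.
# manifest.json, config blobs and anything else that is not a tar are skipped.
list_image_files() {
  work=$(mktemp -d)
  tar -xf "$1" -C "$work"
  find "$work" -type f | while read -r blob; do
    # layer blobs are tar archives (gzip-compressed in OCI layouts; tar -t detects that)
    if tar -tf "$blob" >/dev/null 2>&1; then
      tar -tf "$blob"
    fi
  done | sed 's#^\./##' | sort -u
  rm -rf "$work"
}

# has_path FILES REGEX: succeed if any listed path matches REGEX
has_path() {
  printf '%s\n' "$1" | grep -Eq "$2"
}

# check_image IMAGE_TAR: return 0 when every manifest is backed by physical
# libraries, 1 when a dependency exists only as a metadata entry.
check_image() {
  files=$(list_image_files "$1")
  rc=0
  if has_path "$files" '(^|/)package\.json$' && ! has_path "$files" '(^|/)node_modules/'; then
    echo "GAP  npm:    package.json found but no node_modules/ in any layer"; rc=1
  fi
  if has_path "$files" '\.min\.js$'; then
    echo "WARN npm:    minified bundles found; reachability mapping may degrade"
  fi
  if has_path "$files" '(^|/)pom\.xml$' && ! has_path "$files" '\.jar$'; then
    echo "GAP  maven:  pom.xml found but no .jar in any layer (build a fat/Uber JAR)"; rc=1
  fi
  if has_path "$files" '\.csproj$' && ! has_path "$files" '\.dll$'; then
    echo "GAP  dotnet: .csproj found but no compiled .dll in any layer"; rc=1
  fi
  if has_path "$files" '\.dll$' && ! has_path "$files" '\.deps\.json$'; then
    echo "GAP  dotnet: .dll found without *.deps.json; copy the full publish output"; rc=1
  fi
  return $rc
}

# make_sample_image OUT_TAR PATH...: build a minimal docker-save style tarball
# (manifest.json + one layer.tar) holding empty files at PATH...
# Constructed sample data for this example, not a real image.
make_sample_image() {
  out=$1; shift
  stage=$(mktemp -d)
  mkdir -p "$stage/rootfs" "$stage/layer1"
  for p in "$@"; do
    mkdir -p "$stage/rootfs/$(dirname "$p")"
    : > "$stage/rootfs/$p"
  done
  tar -cf "$stage/layer1/layer.tar" -C "$stage/rootfs" .
  printf '[{"Config":"config.json","Layers":["layer1/layer.tar"]}]\n' > "$stage/manifest.json"
  printf '{}\n' > "$stage/config.json"
  tar -cf "$out" -C "$stage" manifest.json config.json layer1
  rm -rf "$stage"
}

SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
GOOD_IMG=$SAMPLE_DIR/good.tar
BAD_IMG=$SAMPLE_DIR/bad.tar
# full .NET publish output plus installed node_modules: what Xray needs to see
make_sample_image "$GOOD_IMG" app/MyApp.dll app/MyApp.deps.json \
  app/MyApp.runtimeconfig.json app/package.json app/node_modules/lodash/index.js
# metadata only: the multi-stage mistake of copying manifests but not the libraries
make_sample_image "$BAD_IMG" app/package.json src/MyApp.csproj src/pom.xml

echo "== good.tar"; check_image "$GOOD_IMG" && echo "OK: dependencies are physically present"
echo "== bad.tar";  check_image "$BAD_IMG"  || echo "FAIL: fix the Dockerfile before pushing"
```

To use it on a real build, run `docker save my-app:1.0.0 -o image.tar` and call `check_image image.tar` in the pipeline step before `docker push`; a non-zero return means Xray would see only manifests for at least one ecosystem and the affected CVEs would come back as Not Scanned rather than applicable or not applicable.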
Configure the Platform and Repository
After you package the image correctly, configure the JFrog Platform to analyze it.
Enable Advanced Security on the Docker Repository
Advanced Scans apply to newly added artifacts in the repository by default. For images already in the repository, trigger a one-time advanced scan after you enable contextual analysis.
- Navigate to Administration > Xray Settings > Indexed Resources.
- Add the Docker or OCI repository if it is not already indexed.
- Select the repository and click Configure.
- Under Advanced Security, enable the scanners you need:
  - Vulnerabilities Contextual Analysis
  - Secrets
  - Applications
  - Services
- Under Scope, select Scan all artifacts or Scan by pattern for specific image paths.
- Save the configuration.
For one-time scans of existing images, see Enable Advanced Scans for Repositories.
Self-Hosted Registry Access
On self-hosted environments, the Xray instance must have outbound network access to releases-docker.jfrog.io to pull the Advanced Security scanning helper images configured in Xray, including:
- jfrog/xray-jas-contextual-analysis (contextual analysis scanning image)
- jfrog/xray-jas-exposures (exposures scanning image)
These image names are defined in the Xray default configuration (contextualAnalysis.registry and exposures.container.registry).
Push the Image and Review Results
- Build and tag your image for your Artifactory Docker repository.
- Push the image:
docker push <ARTIFACTORY_URL>/<DOCKER_REPOSITORY>/my-app:1.0.0
- Navigate to Application > Xray > Scans List.
- Open the scan for your Docker image.
- Select a CVE and open the Contextual Analysis tab to review applicability status and evidence.
Xray unpacks image layers and scans embedded application dependencies, including NuGet, npm, Maven, Go, and PyPI components. For container scanning behavior, see Docker / OCI.
Run Contextual Analysis Locally (Shift-Left)
To run contextual analysis on a local image before pushing to Artifactory, use the JFrog CLI with Advanced Security enabled:
jf docker scan <image-name>:<tag>
This command extracts the container locally, runs Advanced Security scanners (including contextual analysis for Docker images), and returns applicability results in your terminal or continuous integration pipeline.
For command options and examples, see Scan Your Binaries.
Try a Demo Image (Optional)
During a proof of concept, you can pull and scan a prebuilt demo image from the JFrog demo environment:
productdemo.jfrog.io/jas-demo-containers/ics:latest
This image is intended to demonstrate applicable and not applicable contextual analysis findings in the user interface.
Limitations
- Binary contextual analysis support varies by language. See Supported Technologies.
- NuGet DLL detection inside containers applies to third-party NuGet packages.
- Contextual analysis requires an Advanced Security license and a supported Xray version.
- If a CVE shows Missing Context for a non-container artifact, scanning the same binaries inside a Docker repository on the platform can resolve applicability. See Contextual Analysis of CVEs.
