How to Run Snippet Detection

Step-by-step instructions for running snippet detection scans using Frogbot V3 and JFrog CLI.

This guide walks you through running Snippet Detection scans using Frogbot V3 and the JFrog CLI. Snippet Detection identifies the origin of code snippets in your source code — whether generated by AI, copied from the web, or extracted from another repository — and surfaces the security and license risks they carry.

Prerequisites

Before using Snippet Detection, ensure the following requirements are met.

  • Entitlement: JFrog Unified Security bundle or higher. Snippet Detection is included as part of the Unified Security entitlement.
  • Platform Requirements: A JFrog Platform Deployment (JPD) with access to the JFrog Catalog service. The Catalog service must be available and reachable by the JPD.
  • Version Requirements:
    Tool        Minimum Version
    JFrog CLI   v2.95.0 or later
    Frogbot     v3.0.0 or later

Run Snippet Detection with Frogbot V3

Frogbot V3 can automatically scan pull requests for snippet-level risks as part of your source control workflow. The recommended approach is to enable snippet scanning through the centralized platform configuration, which manages scan settings from the JFrog Platform UI without requiring changes to individual repository configuration files.

Note: Frogbot V3 is required for snippet detection.

Step 1: Configure Snippet Detection in the Platform

  1. In the JFrog Platform, navigate to Administration > Xray Settings > Indexed Resources, and select the Git Repositories tab.
  2. Select one or more Git repositories or folders that you want to scan.
  3. From the actions menu, select Configure.
    The Scan Configurations dialog opens.
  4. Enable Snippet Detection as a scan type alongside your other desired scanners (SCA, Contextual Analysis, IaC, Secrets, SAST).
  5. Click Apply.

Configuration settings defined in the platform are inherited by sub-folders and future repositories, so you can set this once at a higher level and have it apply broadly.

For full details on managing Git repository configurations, see Git Repository Configuration.

Step 2: Trigger a Scan

Once configured, Frogbot will automatically include snippet detection in its pull request scans. Open a pull request in any configured repository, and Frogbot will:

  • Analyze the source code in the PR for code snippets matching public open-source repositories.
  • Report any license compliance violations or security findings directly on the pull request.
  • Provide scan results in the JFrog Platform under Xray > Scans List.

Run Snippet Detection with JFrog CLI

You can run snippet detection scans directly from your terminal or as a step in your CI/CD pipeline using the JFrog CLI.

Step 1: Configure the JFrog CLI

Add your JFrog Platform server and set it as the active configuration:

jf c add <server-id> --url=<jpd-url> --access-token=<token>
jf c use <server-id>

For more details, see the JFrog CLI documentation.

Step 2: Navigate to Your Project Directory

Open a terminal and set your current directory to the project directory you want to scan:

cd /path/to/your/project

Note: Alternatively, you can specify the directory using the --working-dirs flag without changing directories.

Step 3: Run the Audit Command

Execute the jf audit command with the snippet detection flags:

jf audit --sca --sbom --static-sca --snippet --watches=<your-watch-name>

Flag          Description
--sca         Enables Software Composition Analysis scanning.
--sbom        Generates a Software Bill of Materials for the scan.
--static-sca  Enables static source code analysis for component detection.
--snippet     Activates snippet detection to identify code provenance at the function level.
--watches     Specifies the Xray watch to evaluate policy violations against. Comma-separated for multiple watches.

Note: Instead of --watches, you can use --project=<project-key> to evaluate against all policies associated with a JFrog project.

Understanding the Results

After the scan completes, the CLI displays:

  • License Compliance Violations — any snippets whose originating open-source project carries a license that violates your policy.
  • Software Bill of Materials (SBOM) — a list of detected open-source components, including snippet matches.
  • A link to the full results in the JFrog Platform under Xray > Scans List > Repositories.

Note: Scan results are retained for seven days in the JFrog Platform before being automatically deleted.

Example

$ jf c use my-server
Using server ID 'my-server' (https://my-instance.jfrog.io/)

$ cd /path/to/my-project

$ jf audit --sca --sbom --static-sca --snippet --watches=license-watch
####### Starting jf audit Scan #######
Command flags: [--sbom=true --sca=true --snippet=true --static-sca=true --watches=license-watch]
####### jf audit Scan Finished #######

License Compliance Violations
┌──────────────────┬──────────┬────────────┬───────────────┬────────────┬────────┬──────────────┐
│ LICENSE          │ SEVERITY │ DIRECT     │ IMPACTED      │ IMPACTED   │ TYPE   │ WATCH NAME   │
│                  │          │ DEPENDENCY │ DEPENDENCY    │ VERSION    │        │              │
├──────────────────┼──────────┼────────────┼───────────────┼────────────┼────────┼──────────────┤
│ GPL-2.0-or-later │ High     │ ffmpeg     │ ffmpeg:ffmpeg │ snippet    │ Github │ license-watch│
└──────────────────┴──────────┴────────────┴───────────────┴────────────┴────────┴──────────────┘

Software Bill of Materials (SBOM)
┌──────────────────────────────┬─────────┬────────┬──────────┐
│ COMPONENT                    │ VERSION │ TYPE   │ RELATION │
├──────────────────────────────┼─────────┼────────┼──────────┤
│ ffmpeg/ffmpeg                │ snippet │ Github │ Root     │
└──────────────────────────────┴─────────┴────────┴──────────┘
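A small CI gate built on the License Compliance Violations table shown in the example above. This is an added example, not part of the JFrog documentation or the JFrog CLI; it assumes the CLI prints the table in the format shown here and treats an IMPACTED VERSION of "snippet" as a snippet-level match rather than a declared dependency. The sample output embeds the page's ffmpeg row plus one constructed non-snippet row.

```python
"""Gate a CI job on the License Compliance Violations table printed by
`jf audit --snippet`. Added example, not part of the JFrog docs or CLI."""
import sys

# Constructed sample output: the page's ffmpeg row plus a made-up non-snippet row.
SAMPLE_OUTPUT = """\
License Compliance Violations
┌──────────────────┬──────────┬────────────┬───────────────┬────────────┬────────┬──────────────┐
│ LICENSE          │ SEVERITY │ DIRECT     │ IMPACTED      │ IMPACTED   │ TYPE   │ WATCH NAME   │
│                  │          │ DEPENDENCY │ DEPENDENCY    │ VERSION    │        │              │
├──────────────────┼──────────┼────────────┼───────────────┼────────────┼────────┼──────────────┤
│ GPL-2.0-or-later │ High     │ ffmpeg     │ ffmpeg:ffmpeg │ snippet    │ Github │ license-watch│
│ LGPL-2.1-only    │ Medium   │ somelib    │ somelib:x     │ 1.2.3      │ npm    │ license-watch│
└──────────────────┴──────────┴────────────┴───────────────┴────────────┴────────┴──────────────┘
"""
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def _cells(line):
    return [c.strip() for c in line.strip().strip("│").split("│")]

def parse_violations(output):
    """Return each row of the License Compliance Violations table as a dict."""
    lines = output.splitlines()
    if "License Compliance Violations" not in lines:
        return []
    header, rows, in_body = [], [], False
    for line in lines[lines.index("License Compliance Violations") + 1:]:
        if line.startswith("└"):
            break
        if line.startswith("├"):
            in_body = True
        elif line.startswith("│"):
            (rows if in_body else header).append(_cells(line))
    # The header wraps onto two lines; join the fragments of each column.
    columns = [" ".join(h[i] for h in header if h[i]) for i in range(len(header[0]))]
    return [dict(zip(columns, r)) for r in rows]

def snippet_findings(output, min_severity="High"):
    """Violations whose IMPACTED VERSION is 'snippet' at or above min_severity."""
    return [v for v in parse_violations(output)
            if v["IMPACTED VERSION"] == "snippet"
            and SEVERITY_RANK.get(v["SEVERITY"], 0) >= SEVERITY_RANK[min_severity]]

def ci_exit_code(output, min_severity="High"):
    """0 lets the pipeline continue; 1 blocks it on a snippet license violation."""
    return 1 if snippet_findings(output, min_severity) else 0

if __name__ == "__main__":  # usage: jf audit ... --snippet ... | python snippet_gate.py
    sys.exit(ci_exit_code(sys.stdin.read()))
```

Pipe the audit output into the script and let its exit status fail the pipeline step; on a CLI version that supports jf audit --format=json, parsing that output is more robust than scraping the table.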