Visual Studio Code

The JFrog Extension for Visual Studio Code seamlessly integrates JFrog Xray and JFrog Advanced Security into the developer workflow, enabling security scanning and remediation directly within the IDE. By identifying vulnerabilities, exposed secrets, and infrastructure misconfigurations as you code, the extension helps developers address security issues before they reach production—reducing risk and remediation costs. Developers gain inline security insights with clear contextual information and impact assessments, along with effortless remediation through fix recommendations and one-click dependency upgrades.

Package Manager Prerequisites

Go Projects

Prerequisite: Ensure that the Go CLI is installed and accessible in your system PATH.

The JFrog VS Code Extension scans all project dependencies, both direct and transitive, even if they are not explicitly declared in go.mod. To construct the Go dependencies tree, it runs go mod graph and intersects the results with go list -f '{{with .Module}}{{.Path}} {{.Version}}{{end}}' all.
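The intersection described above, reproduced on constructed command output as an added example (not the extension's own code). It assumes the intersection keeps a go mod graph edge only when both module versions appear in the go list output, which is what removes unselected versions and never-imported modules:

```python
from collections import defaultdict

# Constructed `go mod graph` output (not from a real project). golang.org/x/text
# is required at v0.3.0 by the main module and at v0.3.7 by github.com/foo/lib;
# Go's minimal version selection builds with v0.3.7 only.
GO_MOD_GRAPH = """\
example.com/app github.com/foo/lib@v1.2.0
example.com/app golang.org/x/text@v0.3.0
github.com/foo/lib@v1.2.0 golang.org/x/text@v0.3.7
github.com/foo/lib@v1.2.0 github.com/bar/util@v0.1.0
golang.org/x/text@v0.3.7 golang.org/x/tools@v0.1.0
"""

# Constructed output of go list -f '{{with .Module}}{{.Path}} {{.Version}}{{end}}' all:
# one line per package (so modules repeat), the main module has an empty version,
# and standard-library packages have no module and print an empty line.
GO_LIST = """\
example.com/app
github.com/foo/lib v1.2.0
github.com/foo/lib v1.2.0

golang.org/x/text v0.3.7
golang.org/x/tools v0.1.0
"""


def selected_modules(go_list_output):
    """Module versions really in the build as 'path@version' ('path' for the main module)."""
    selected = set()
    for line in go_list_output.splitlines():
        parts = line.split()
        if parts:  # skip standard-library packages, which have no module
            selected.add("@".join(parts) if len(parts) == 2 else parts[0])
    return selected


def dependency_tree(graph_output, go_list_output):
    """Keep a `go mod graph` edge only when both ends are selected modules.
    Drops github.com/bar/util (no package in the build) and the unselected
    golang.org/x/text@v0.3.0; keeps golang.org/x/tools, absent from go.mod."""
    selected = selected_modules(go_list_output)
    tree = defaultdict(list)
    for line in graph_output.splitlines():
        parent, child = line.split()
        if parent in selected and child in selected:
            tree[parent].append(child)
    return dict(tree)
```

The resulting tree is what gets scanned: the transitive golang.org/x/tools is included even though go.mod never lists it, while the stale v0.3.0 node is not reported twice.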

Maven Projects

The extension builds the Maven dependency tree by executing mvn dependency:tree. It enables developers to view licenses and top-issue severities directly from the pom.xml.

Ensure Maven is installed and that the mvn command is available in your system PATH.

If your project includes the Maven Dependency Plugin with include/exclude configurations, scanning will be disabled.

For example:

      <plugins>
        <plugin>
          <groupId>org.apache.maven.plugins</groupId>
          <artifactId>maven-dependency-plugin</artifactId>
          <configuration>
            <includes>org.apache.*</includes>
          </configuration>
        </plugin>
      </plugins>

Npm Projects

The extension builds the npm dependency tree using npm list. It provides insights into licenses and top-issue severities directly from package.json.

Prerequisites:

  • Ensure the npm CLI is installed and in your system PATH.
  • Dependencies must be installed using npm install before scanning.

Yarn v1 Projects

The extension builds the Yarn dependency tree using yarn list, displaying license and security issue details from yarn.lock.

Prerequisites:

  • Ensure the Yarn CLI is installed and in your system PATH.
  • Yarn v2 is not yet supported.

PyPI Projects

The extension constructs the PyPI dependency tree by running pipdeptree within your Python virtual environment. It also relies on the Python interpreter path configured in the VS Code Python extension.

Prerequisites:

  • Install the VS Code Python extension.
  • Ensure Python (2 or 3) is available in your system PATH.
  • Set up and activate a virtual environment following VS Code documentation:
    • Mac/Linux: source <venv-dir>/bin/activate
    • Windows: .\<venv-dir>\Scripts\activate
  • Install your project dependencies within the activated virtual environment.

.NET Projects

For .NET projects using NuGet packages, the extension visualizes the NuGet dependencies tree along with relevant details.

Prerequisites:

  • If your project defines NuGet dependencies in packages.config, ensure the nuget CLI is installed and available in your system PATH.
  • Restore project dependencies using nuget restore or dotnet restore before scanning.
  • Click the Refresh button after restoring dependencies to update the tree view.

Supported Technologies

JFrog Advanced Security Supported Technologies

See JFrog Advanced Security supported technologies for:

Software Composition Analysis (SCA) Supported Technologies

For SCA, the extension automatically detects your project's package manager and constructs the dependency graph; if the project hasn't been installed yet, it executes an install command to generate the dependency tree for scanning.

Supported Package Managers for Visual Studio Code:

  • Go
  • Maven
  • npm
  • pnpm
  • Yarn
  • Pip
  • Pipenv
  • Poetry
  • .NET CLI
  • NuGet

Installation

The extension can be installed from the VS Code Extensions Marketplace. Once installed, a JFrog tab will appear in the activity bar.

Connect VS Code to the JFrog Platform

After installing the JFrog extension:

  1. Click on the JFrog tab in the activity bar.
  2. This will open the Sign-in page.
  3. Fill in your connection details and click Sign In to start using the extension.
    • To use custom URLs for Artifactory or Xray, click on Advanced.
    • You can also choose alternative authentication methods:
      • Single Sign-On (SSO)
      • JFrog CLI's Connection Details

Connect Using SSO

  1. On the sign-in page, click Continue with SSO.
  2. Enter your JFrog platform URL and click Sign in With SSO.
  3. You will be redirected to your SSO login page.
  4. Once authenticated, you will be signed in to VS Code.

Connect Using JFrog CLI Connection Details

If JFrog CLI is installed and configured with your JFrog Platform details, a notification will appear on the Sign-in page, indicating automatic detection of credentials.

Manage

Access Extension Settings

Click on the gear icon in the JFrog tab to access the extension settings.

Exclude Paths from Scan

By default, paths containing .git, test, venv, and node_modules are excluded from Xray scans. You can modify the exclusion patterns in the Extension Settings.

Proxy Configuration

If your JFrog environment is behind an HTTP/S proxy:

  1. Navigate to Preferences > Settings > Application > Proxy.
  2. Set the proxy URL under Proxy.
  3. Ensure 'Proxy Support' is set to override or on.
    Alternatively, use the HTTP_PROXY and HTTPS_PROXY environment variables.

Proxy Authorization

If your proxy server requires credentials:

  1. Follow the proxy configuration steps above.
  2. Encode your credentials in Base64 format: [Username]:[Password].
  3. In settings.json, add:
     "http.proxyAuthorization": "Basic [Encoded credentials]"
  4. For access token authorization, use:
     "http.proxyAuthorization": "Bearer [Access token]"
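The settings.json fragment these steps describe, built by an added example (not JFrog's code). It assumes the Proxy and Proxy Support settings correspond to the http.proxy and http.proxySupport keys, and all credential values are constructed placeholders:

```python
import base64
import json


def proxy_settings(proxy_url, username=None, password=None, access_token=None):
    """Return the VS Code settings.json entries for an authenticated proxy.

    Basic credentials are the Base64 of 'username:password'; an access token is
    sent as a Bearer value. Base64 is an encoding, not encryption: anyone who
    can read settings.json can recover the password.
    """
    settings = {
        "http.proxy": proxy_url,
        "http.proxySupport": "override",  # 'override' or 'on', per the steps above
    }
    if access_token:
        settings["http.proxyAuthorization"] = f"Bearer {access_token}"
    elif username is not None and password is not None:
        # Encode exactly the bytes of 'user:pass'. A shell `echo user:pass | base64`
        # would append a newline and yield a value the proxy rejects.
        raw = f"{username}:{password}".encode("utf-8")
        settings["http.proxyAuthorization"] = "Basic " + base64.b64encode(raw).decode("ascii")
    return settings


def settings_json(settings):
    """Render the fragment to paste into settings.json."""
    return json.dumps(settings, indent=2)


if __name__ == "__main__":
    # Constructed placeholder values, not real credentials.
    print(settings_json(proxy_settings("http://proxy.example:3128", "alice", "s3cret")))
```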

Downloading External Resources Through Artifactory

If your machine lacks access to https://releases.jfrog.io, configure Artifactory to act as a proxy:

  1. Log in to the JFrog Platform UI as an admin.
  2. Create a Remote Repository with these settings:
    • Basic Tab:
    • Advanced Tab:
      • Uncheck Store Artifacts Locally. This reduces storage.
  3. In the JFrog VS Code Extension Settings, enter the repository key you created.
  4. Alternatively, set the JFROG_IDE_RELEASES_REPO environment variable with the repository key.

Xray Policies and Watches

You can configure JFrog VS Code Extension to enforce security policies set in Xray:

Using a JFrog Project:

  1. Create a JFrog Project or obtain an existing project key.
  2. Create a Policy in JFrog Xray.
  3. Create a Watch in Xray and assign your policy and project to it.
  4. Configure the project key in Extension Settings.

Using Xray Watches:

  1. Create one or more Watches in Xray.
  2. Configure the Watches in Extension Settings.

Troubleshooting

Adjust the log level to debug, info, warn, or err in the Extension Settings to diagnose issues effectively.

Quick Start

The JFrog VS Code Extension offers two operating modes: Local and CI. You can switch between them using the respective buttons next to the components tree.

Modes of Operation

Local View

  • Displays information about the local code as it is being developed in VS Code.
  • Enables continuous scanning of your workspace.
  • Shows security vulnerabilities in dependencies and source code before they become part of the final product.
  • To scan your workspace:
    • Click the Scan/Rescan button in the extension tab, or
    • Select Start Xray Scan from the editor.

CI View

  • Tracks code as it is built, tested, and scanned by a CI server.
  • Displays build status and includes a link to the CI server log.
  • Provides security information about build artifacts and dependencies.
  • Accessible through the JFrog Panel after switching to CI mode.

Severity Icons


Icon  Severity        Description
🔴    Critical        Issue with critical severity
🟠    High            Issue with high severity
🟡    Medium          Issue with medium severity
🟢    Low             Issue with low severity
      Unknown         Issue with unknown severity
🚫    Not Applicable  CVE issue not applicable to source code

Setting Up Your CI Pipeline

Before the CI View can display data, the CI pipeline must be configured correctly. Follow the guide on how to configure your CI pipeline to expose this data.

Setting Up the CI View

Before the CI View can display data, your CI pipeline must be configured correctly.

  1. In Extension Settings, set the Build name pattern to match the build name published to Artifactory.
  2. Use * to view all builds published to Artifactory.
  3. After fetching builds from Artifactory, click the Builds button to select which build to display.

How-Tos

Analyze Your Results

Viewing Vulnerabilities

The JFrog extension features a file tree displaying all vulnerabilities detected within the project. Each affected file appears as a tree node.

  • Descriptor files (e.g., pom.xml in Maven, go.mod in Go) outline available direct dependencies. If a direct dependency contains vulnerable child dependencies, the tree will display those, denoted with an '(indirect)' postfix.
  • Additional vulnerability nodes, such as Contextual Analysis Vulnerabilities (when applicable), hard-coded secrets, and SAST, may appear in other source files.

Each file node is interactive—click to expand and navigate to the corresponding file in the IDE. The extension highlights vulnerable lines for better visibility.

  • Locations with vulnerabilities are marked in the editor.
  • Click the light bulb icon next to a vulnerable line to jump to its entry in the tree view.
  • Clicking on a CVE entry will open the issue’s location in the editor along with a vulnerability details view that includes impacted components, fixed versions, and impact paths.

CVE Research and Enrichment

For selected security issues, the JFrog Security Research team provides enriched CVE data to help prioritize fixes:

  • JFrog Severity: JFrog Security’s assessment of the CVE’s likelihood of exploitation.
  • Research Summary: Detailed conditions explaining CVE applicability.
  • Remediation Steps: Fix and mitigation options.

Vulnerability Contextual Analysis

  • Requires Xray v3.66.5+ and Enterprise X/Enterprise+ subscription with Advanced DevSecOps.

Xray automatically analyzes high-impact vulnerabilities to determine their real-world applicability.
This includes:

  • Contextual Analysis Status: Indicates if a CVE is applicable to your application.
  • Breakdown: Explanation of why a CVE is relevant or not.
  • Remediation Guidance: Contextual mitigation steps for fixing vulnerabilities.

Static Application Security Testing (SAST)

  • Requires Xray v3.66.5+ and Enterprise X/Enterprise+ subscription with Advanced DevSecOps.

JFrog SAST scans detect vulnerabilities such as:

  • Injection Attacks (SQL, Command, Code, SSRF)
  • Unsafe API Usage (encryption, cryptographic signing, file operations)

SAST findings help developers track vulnerabilities efficiently:

  • Data Flow Analysis: Maps the vulnerability’s lifecycle from entry to execution.
  • Fix Steps: Provides recommended fixes and mitigation strategies.
  • Risk Assessment: Severity classification to prioritize fixes effectively.

Secrets Detection

  • Requires Xray v3.66.5+ and Enterprise X/Enterprise+ subscription with Advanced DevSecOps.

Detect exposed secrets (e.g., API tokens, credentials) within code to prevent accidental leaks.

  • To ignore a detected secret, add a comment with jfrog-ignore above the affected line.

Infrastructure as Code (IaC) Scan

Requires Xray v3.66.5+ and Enterprise X/Enterprise+ subscription with Advanced DevSecOps.

Scan Infrastructure as Code (Terraform) files for early detection of cloud and infrastructure misconfigurations.

Resolve Issues

Quick Fix

Update a vulnerable direct dependency to a fixed version directly from the vulnerable location in the editor using the quick fix feature.

Ask Copilot to Fix

Available with the Unified Security Bundle or the Ultimate Security Bundle

The information and documents generated by your AI system may contain errors, omissions, or inaccuracies and should not be relied upon without independent review and verification. Users are responsible for reviewing all AI-generated actions and results for accuracy, completeness, and suitability for their specific needs before making any decisions or taking any actions based on such output.

You can resolve CVEs, SAST findings, exposed secrets, and IaC misconfigurations.

Ask Copilot to Fix sends the issue context and JFrog’s remediation suggestion (upgrade or code patch) to Copilot for an IDE-native fix.

When you select Ask Copilot to Fix, the assistant sends the issue context and JFrog’s remediation suggestion to Copilot. Remediations can be either:

  • Upgrade dependency (bump a package version), or
  • Patch the code (apply a code change to remove the vulnerable pattern).

If the remediation is upgrade dependency and a JFrog remote MCP server is available, Copilot is instructed to ensure the proposed upgrade meets your Curation policy before applying it.

Enable the JFrog Remote MCP server

Before You Begin

Ensure you have:

  • GitHub Copilot installed
  • (Optional) Enabled the JFrog remote MCP to have dependency upgrades checked against your Curation policy

Procedure

In the JFrog extension pane, right-click a listed vulnerability under a specific file (SAST, Secrets, IaC, and CVEs) and select Ask Copilot to Fix.
A Copilot chat pre-filled with issue context opens and prompts Copilot to suggest a fix. If Copilot proposes a dependency upgrade and remote MCP is enabled, it will only choose a version allowed by your Curation policy.