Conan

Introduction

Conan is the primary C/C++ package manager supported by JFrog Xray. Conan packages follow a reference format (name/version@user/channel) and use recipe files (conanfile.txt or conanfile.py) to declare dependencies.

This page provides a detailed breakdown of Conan-specific scanning support across all scan contexts.

Capabilities

Capability	Source Code Scanning	Binary Scanning
Vulnerability Matching (CVEs)	✅	✅
License Detection	✅	✅
Malicious Package Detection	✅	✅
Operational Risk	❌	❌
Smart Remediation	❌	❌

SCA capabilities are not currently available for Conan in the source code scanning context via jf audit.

Supported Files

File	Supported
`conanfile.txt`	❌ Not supported
`conanfile.py`	❌ Not supported
`conan.lock`	❌ Not supported

Best Practices

Practice	Recommendation
Use `conanfile.txt` over `.py`	Simpler format with more reliable parsing
Pin exact versions	Use `boost/1.82.0` instead of version ranges for accurate scanning
Store in Artifactory	Binary scanning provides the richest analysis for Conan
Use Conan revisions	Enables precise package identification in Artifactory