Introduction

JFrog Xray provides security and compliance analysis for Python applications throughout the software development lifecycle. This page describes the supported scan contexts, package managers, capabilities, and dependency analysis available for Python.


Capabilities

Capability                      Source Code Scanning    Binary Scanning
Vulnerability Matching (CVEs)
License Detection
Malicious Package Detection
Operational Risk
Smart Remediation               🔜                      🔜

Source code scanning analyzes your project's dependency manifest files to identify components and their vulnerabilities. This is used by JFrog CLI (jf audit), Frogbot, IDE integrations, and CI pipelines.

Supported Files

Package Manager     Supported Files
PyPI (pip)          requirements.txt
Conda               ❌ Not supported

Dependency Graph

Package Manager     Dependency Graph
PyPI                ❌ Flat (no parent-child relationships)

Additional Information

Python source code scanning via jf audit requires pip and requirements.txt. Frogbot V3 will expand support to poetry, pipenv, uv, and setuptools formats. Conda is supported only through binary scanning.