forked from jfrog/frogbot

🐸 Scans your Git repository with JFrog Xray for security vulnerabilities. 🤖
eranturgeman/frogbot

Frogbot


🤖 What is Frogbot?

Frogbot is a Git bot that scans your pull requests with JFrog Xray for security vulnerabilities. Frogbot can be easily triggered following the creation of a new pull request. Frogbot adds the scan results as a comment on the pull request. If no vulnerabilities are found, Frogbot will also add a comment, confirming this. Currently GitHub and GitLab are supported. Bitbucket will be supported soon.

🕵 How does it work?

After a new pull request is created, one of the maintainers can add the "Frogbot scan" label to the pull request. Frogbot is then triggered and the pull request is scanned. The scan output includes only the new vulnerabilities introduced by the pull request. Vulnerabilities that already existed in the code before the pull request was created are not added to the report.

Pull Request Comments

πŸ‘ No issues

If no vulnerabilities were found, Frogbot will automatically add the following comment to the pull request:

👎 Issues were found

If vulnerabilities were found, Frogbot will mention them in a comment to the pull request. For example:

| SEVERITY | IMPACTED PACKAGE | VERSION | FIXED VERSIONS | COMPONENT | COMPONENT VERSION | CVE |
|---|---|---|---|---|---|---|
| High | github.com/nats-io/nats-streaming-server | v0.21.0 | [0.24.1] | github.com/nats-io/nats-streaming-server | v0.21.0 | CVE-2022-24450 |
| High | github.com/mholt/archiver/v3 | v3.5.1 | | github.com/mholt/archiver/v3 | v3.5.1 | |
| Medium | github.com/nats-io/nats-streaming-server | v0.21.0 | [0.24.3] | github.com/nats-io/nats-streaming-server | v0.21.0 | CVE-2022-26652 |

🖥️ Usage

Using Frogbot with GitHub Actions

For a quick start, please refer to our GitHub Actions templates.

How does it work?

  1. User opens a Pull Request
  2. If missing, Frogbot creates a label 🐸 frogbot scan in the repository
  3. A maintainer reviews the Pull Request and assigns 🐸 frogbot scan
  4. Frogbot gets triggered by the label, unlabels it, and executes the pull request scanning

Here's a recommended structure of a frogbot.yml workflow file:

name: "Frogbot"
on:
  # After a pull request opened, Frogbot automatically creates the "🐸 frogbot scan" label if needed.
  # After "🐸 frogbot scan" label was added to a pull request, Frogbot scans the pull request.
  pull_request_target:
    types: [opened, labeled]
jobs:
  scan-pull-request:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
        with:
          ref: ${{ github.event.pull_request.head.sha }}

      # Install prerequisites - "setup-go", "setup-node", "setup-python", etc.
      # ...

      - uses: jfrog/frogbot@v1
        env:
          # [Mandatory] JFrog platform URL
          JF_URL: ${{ secrets.JF_URL }}

          # [Mandatory if JF_USER and JF_PASSWORD are not provided] JFrog access token with 'read' permissions on Xray service
          JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}

          # [Mandatory if JF_ACCESS_TOKEN is not provided] JFrog platform username
          JF_USER: ${{ secrets.JF_USER }}

          # [Mandatory if JF_ACCESS_TOKEN is not provided] JFrog platform password
          JF_PASSWORD: ${{ secrets.JF_PASSWORD }}

          # [Mandatory] The GitHub token is automatically generated for the job
          JF_GIT_TOKEN: ${{ secrets.GITHUB_TOKEN }}

          # [Optional] Xray Watches. Learn more about them here: https://www.jfrog.com/confluence/display/JFROG/Configuring+Xray+Watches
          JF_WATCHES: <watch-1>,<watch-2>...<watch-n>

          # [Optional] JFrog project. Learn more about it here: https://www.jfrog.com/confluence/display/JFROG/Projects
          JF_PROJECT: <project-key>

          # [Optional] The command that installs the dependencies. For example - "npm i", "nuget restore", "dotnet restore", "pip install", etc.
          JF_INSTALL_DEPS_CMD: <your-install-command>

Using Frogbot with GitLab CI

How does it work?

  1. User opens a Merge Request
  2. A maintainer reviews the Merge Request and runs the manual frogbot-scan job

Here's a recommended structure of a frogbot-scan job in a .gitlab-ci.yml:

frogbot-scan:
  rules:
    - if: $CI_PIPELINE_SOURCE == 'merge_request_event'
  when: manual
  variables:
    # [Mandatory] JFrog platform URL
    JF_URL: $JF_URL

    # [Mandatory if JF_ACCESS_TOKEN is not provided] JFrog user and password with 'read' permissions on Xray service
    JF_USER: $JF_USER
    JF_PASSWORD: $JF_PASSWORD

    # [Optional] The command that installs the project dependencies (e.g. "npm i", "nuget restore" or "dotnet restore")
    JF_INSTALL_DEPS_CMD: ""

    # [Mandatory] GitLab access token with the following permission scopes: api, read_api, read_user, read_repository
    JF_GIT_TOKEN: $USER_TOKEN

    # Predefined GitLab CI variables
    JF_GIT_PROVIDER: gitlab
    JF_GIT_OWNER: $CI_PROJECT_NAMESPACE
    JF_GIT_REPO: $CI_PROJECT_NAME
    JF_GIT_BASE_BRANCH: $CI_MERGE_REQUEST_TARGET_BRANCH_NAME
    JF_GIT_PULL_REQUEST_ID: $CI_MERGE_REQUEST_IID
  script:
    - curl -fLg "https://releases.jfrog.io/artifactory/frogbot/v1/[RELEASE]/getFrogbot.sh" | sh
    - ./frogbot scan-pull-request


Download Frogbot Manually

Download Frogbot using the following command:

curl -fLg "https://releases.jfrog.io/artifactory/frogbot/v1/[RELEASE]/getFrogbot.sh" | sh

Download Frogbot through Artifactory

If your agent has no internet access, you can configure the pipeline to download Frogbot from a JFrog Artifactory instance that is configured to proxy the download repository.

  1. Create a remote repository in Artifactory for downloading Frogbot. Name the repository frogbot and set its URL to https://releases.jfrog.io/artifactory/frogbot/v1/
  2. Depending on your agent's architecture and operating system, download Frogbot using curl:
curl -fLg "https://acme.jfrog.io/artifactory/frogbot/[RELEASE]/<arch>/frogbot" -H "Authorization: Bearer $JF_ACCESS_TOKEN" -o frogbot
Available architectures:
  • frogbot-linux-386
  • frogbot-linux-amd64
  • frogbot-linux-arm
  • frogbot-linux-arm64
  • frogbot-linux-ppc64
  • frogbot-linux-ppc64le
  • frogbot-linux-s390x
  • frogbot-mac-386
  • frogbot-windows-amd64

For example:

curl -fLg "https://acme.jfrog.io/artifactory/frogbot/[RELEASE]/frogbot-linux-386/frogbot" -H "Authorization: Bearer $JF_ACCESS_TOKEN" -o frogbot
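The two steps above (pick the artifact name for the agent's platform, then fetch it through the Artifactory remote repository) can be wrapped in a small POSIX sh script. This is an added example, not part of the Frogbot project; the Artifactory host `acme.jfrog.io` and the remote repository name `frogbot` are placeholders taken from the README's own example, and `JF_ACCESS_TOKEN` is expected in the environment.

```shell
#!/bin/sh
# Added example (not Frogbot project code): map the agent's platform to one of
# the artifact names listed above and download it via the Artifactory proxy.
# Placeholders (assumed, not project values): host and remote repository name.
ARTIFACTORY_HOST="${ARTIFACTORY_HOST:-acme.jfrog.io}"
REMOTE_REPO="${REMOTE_REPO:-frogbot}"

# Map uname -s / uname -m output to a README-listed artifact name.
# Prints the name, or returns 1 if the platform has no published binary.
frogbot_artifact_name() {
  os="$1"; arch="$2"
  case "$os" in
    Linux)                os=linux ;;
    Darwin)               os=mac ;;
    MINGW*|MSYS*|CYGWIN*) os=windows ;;
    *) return 1 ;;
  esac
  case "$arch" in
    x86_64|amd64)  arch=amd64 ;;
    i386|i686)     arch=386 ;;
    aarch64|arm64) arch=arm64 ;;
    armv6l|armv7l) arch=arm ;;
    ppc64|ppc64le|s390x) ;;
    *) return 1 ;;
  esac
  # Only accept names that actually appear in the README's list.
  case "frogbot-$os-$arch" in
    frogbot-linux-386|frogbot-linux-amd64|frogbot-linux-arm|frogbot-linux-arm64|\
    frogbot-linux-ppc64|frogbot-linux-ppc64le|frogbot-linux-s390x|\
    frogbot-mac-386|frogbot-windows-amd64)
      printf '%s\n' "frogbot-$os-$arch" ;;
    *) return 1 ;;
  esac
}

# Build the proxied download URL for an artifact name.
frogbot_download_url() {
  printf 'https://%s/artifactory/%s/[RELEASE]/%s/frogbot\n' \
    "$ARTIFACTORY_HOST" "$REMOTE_REPO" "$1"
}

# Fetch the binary; fail loudly on an unsupported platform or a missing token
# so the pipeline stops instead of silently running nothing.
download_frogbot() {
  name=$(frogbot_artifact_name "$(uname -s)" "$(uname -m)") \
    || { echo "no Frogbot binary for $(uname -s)/$(uname -m)" >&2; return 1; }
  [ -n "$JF_ACCESS_TOKEN" ] || { echo "JF_ACCESS_TOKEN is not set" >&2; return 1; }
  curl -fLg "$(frogbot_download_url "$name")" \
    -H "Authorization: Bearer $JF_ACCESS_TOKEN" -o frogbot && chmod +x frogbot
}
```

Call `download_frogbot` from the pipeline step that previously ran the raw curl command.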

💻 Contributions

We welcome pull requests from the community. To help us improve this project, please read our contribution guide.
