
JFrog Frogbot

Overview

JFrog Frogbot is a Git bot that scans your Git repositories for security vulnerabilities. It has the following features:

  1. It can scan pull requests after they are opened, but not after they are merged. This lets vulnerabilities be caught in the proposed change before it is introduced into the codebase.
  2. It can also scan the Git repository itself and open pull requests with fixes for the vulnerabilities it detects.

Frogbot supports the following Git providers:

  - Azure Repos
  - Bitbucket Server
  - GitHub
  - GitLab

Supported Technologies

Frogbot supports projects built with Go, Maven, npm, Yarn v1-v3, Pip, Pipenv, Poetry, .NET CLI, NuGet, Terraform, Gradle and Pnpm. The features it provides across those technologies are:

  - SCA
  - Contextual Analysis (Coming Soon for some of the technologies)
  - Secrets Detection
  - SAST (Beta; on the Roadmap for some of the technologies)
  - Infrastructure as Code (IaC)
  - PR Scan
  - Monitor Scan
  - Autofix with a new PR for direct dependencies
  - License Violations

Pull Request Scanning

Successful Example


If the pull request has no vulnerabilities, Frogbot leaves a comment indicating success.

Failed Example

If the pull request has vulnerabilities, Frogbot leaves comments detailing its findings.

Setup and Installation

NOTE: Frogbot currently does not support Azure Service Connections; authenticate through pipeline variables and environment variables instead, as shown in the samples below.

Predefined Azure Pipelines variables. There's no need to modify them.

```
  JF_GIT_PROJECT: $(System.TeamProject)
  JF_GIT_REPO: $(Build.Repository.Name)
  JF_GIT_API_ENDPOINT: $(System.CollectionUri)
  JF_GIT_BASE_BRANCH: $(Build.SourceBranchName)
  JF_GIT_OWNER: $(System.TeamProject)
  JF_GIT_PROVIDER: 'azureRepos'
```

Azure Pipelines

Scanning repository branches and fixing issues

```
pool:
  vmImage: ubuntu-latest

variables:
  JF_GIT_PROJECT: $(System.TeamProject)
  JF_GIT_REPO: $(Build.Repository.Name)
  JF_GIT_API_ENDPOINT: $(System.CollectionUri)
  JF_GIT_BASE_BRANCH: $(Build.SourceBranchName)
  JF_GIT_OWNER: $(System.TeamProject)
  JF_GIT_PROVIDER: 'azureRepos'

jobs:
  - job:
      displayName: "Frogbot Scan Repository and Fix"
      steps:
        - task: CmdLine@2
          displayName: 'Download and Run Frogbot'
          env:
            JF_URL: $(JF_URL)
            JF_ACCESS_TOKEN: $(JF_ACCESS_TOKEN)
            JF_GIT_TOKEN: $(JF_GIT_TOKEN)
            # [Optional Parameters]
            # JF_USER: $JF_USER
            # JF_PASSWORD: $JF_PASSWORD
            # JF_RELEASES_REPO: ""
            # JF_INSTALL_DEPS_CMD: ""
            # JF_WORKING_DIR: maven
            # JF_PATH_EXCLUSIONS: "*.git*;*node_modules*;*target*;*venv*;*test*"
            # JF_WATCHES: <watch-1>,<watch-2>...<watch-n>
            # JF_PROJECT: <project-key>
            # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
            # JF_AVOID_PREVIOUS_PR_COMMENTS_DELETION: "TRUE"
            # JF_FAIL: "FALSE"
            # JF_REQUIREMENTS_FILE: ""
            # JF_USE_WRAPPER: "FALSE"
            # JF_DEPS_REPO: ""
            # JF_BRANCH_NAME_TEMPLATE: "frogbot-${IMPACTED_PACKAGE}-${BRANCH_NAME_HASH}"
            # JF_COMMIT_MESSAGE_TEMPLATE: "Upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION}"
            # JF_PULL_REQUEST_TITLE_TEMPLATE: "[🐸 Frogbot] Upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION}"
            # JF_GIT_AGGREGATE_FIXES: "FALSE"
            # JF_FIXABLE_ONLY: "TRUE"
            # JF_MIN_SEVERITY: ""
            # JF_GIT_EMAIL_AUTHOR: ""
            # JF_ALLOWED_LICENSES: "MIT, Apache-2.0"
            # JF_AVOID_EXTRA_MESSAGES: "TRUE"
            # JF_PR_COMMENT_TITLE: ""
          inputs:
            script: |
              getFrogbotScriptPath=$(if [ -z "$JF_RELEASES_REPO" ]; then echo "https://releases.jfrog.io"; else echo "${JF_URL}/artifactory/${JF_RELEASES_REPO}"; fi)
              curl -fLg "$getFrogbotScriptPath/artifactory/frogbot/v2/[RELEASE]/getFrogbot.sh" | sh
              ./frogbot cfpr
```
Scanning pull requests

```
pool:
  vmImage: ubuntu-latest

variables:
  JF_GIT_PULL_REQUEST_ID: $(System.PullRequest.PullRequestId)
  JF_GIT_PROJECT: $(System.TeamProject)
  JF_GIT_REPO: $(Build.Repository.Name)
  JF_GIT_API_ENDPOINT: $(System.CollectionUri)
  JF_GIT_BASE_BRANCH: $(System.PullRequest.TargetBranchName)
  JF_GIT_OWNER: $(System.TeamProject)
  JF_GIT_PROVIDER: 'azureRepos'

jobs:
  - job:
      displayName: "Frogbot Scan Pull Request"
      steps:
        - task: CmdLine@2
          displayName: 'Download and Run Frogbot'
          env:
            JF_URL: $(JF_URL)
            JF_ACCESS_TOKEN: $(JF_ACCESS_TOKEN)
            JF_GIT_TOKEN: $(JF_GIT_TOKEN)
            # [Optional Parameters]
            # JF_USER: $JF_USER
            # JF_PASSWORD: $JF_PASSWORD
            # JF_RELEASES_REPO: ""
            # JF_SMTP_SERVER: ""
            # JF_SMTP_USER: ""
            # JF_SMTP_PASSWORD: ""
            # JF_WORKING_DIR: path/to/project/dir
            # JF_PATH_EXCLUSIONS: "*.git*;*node_modules*;*target*;*venv*;*test*"
            # JF_WATCHES: <watch-1>,<watch-2>...<watch-n>
            # JF_PROJECT: <project-key>
            # JF_INCLUDE_ALL_VULNERABILITIES: "TRUE"
            # JF_FAIL: "FALSE"
            # JF_DEPS_REPO: ""
            # JF_FIXABLE_ONLY: "TRUE"
            # JF_MIN_SEVERITY: ""
            # JF_EMAIL_RECEIVERS: ""
            # JF_ALLOWED_LICENSES: "MIT, Apache-2.0"
            # JF_AVOID_EXTRA_MESSAGES: "TRUE"
            # JF_PR_COMMENT_TITLE: ""
          inputs:
            script: |
              getFrogbotScriptPath=$(if [ -z "$JF_RELEASES_REPO" ]; then echo "https://releases.jfrog.io"; else echo "${JF_URL}/artifactory/${JF_RELEASES_REPO}"; fi)
              curl -fLg "$getFrogbotScriptPath/artifactory/frogbot/v2/[RELEASE]/getFrogbot.sh" | sh
              ./frogbot spr
```

Frogbot Configuration

Advanced configurations can be made to Frogbot by creating a frogbot-config.yml file.

This file is not mandatory. It can describe the repository's directory structure (the subprojects to scan) and the package manager commands Frogbot needs to run in order to resolve a project's dependencies before scanning them.

Frogbot-config.yml Template

The config file should be located in the following path relative to the root of the repo: .frogbot/frogbot-config.yml

frogbot-config.yml

```
# The "params" section includes the configuration of a single Git repository that needs to be scanned.
# For Azure Repos, Bitbucket Server and GitHub with JFrog Pipelines or Jenkins, you can define multiple "params" sections one after the other, for scanning multiple
# Git repositories in the same organization.
- params:
    # Git parameters
    git:
      # [Mandatory]
      # Name of the git repository to scan
      repoName: repo-name
      # [Mandatory]
      # List of branches to scan
      branches:
        - master
      # [Optional]
      # Template for the branch name generated by Frogbot when creating pull requests with fixes.
      # The template must include ${BRANCH_NAME_HASH}, to ensure that the generated branch name is unique.
      # The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables.
      # branchNameTemplate: "frogbot-${IMPACTED_PACKAGE}-${BRANCH_NAME_HASH}"
      # [Optional]
      # Template for the commit message generated by Frogbot when creating pull requests with fixes
      # The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables.
      # commitMessageTemplate: "Upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION}"
      # [Optional]
      # Template for the pull request title generated by Frogbot when creating pull requests with fixes.
      # The template can optionally include the ${IMPACTED_PACKAGE} and ${FIX_VERSION} variables.
      # pullRequestTitleTemplate: "[🐸 Frogbot] Upgrade ${IMPACTED_PACKAGE} to ${FIX_VERSION}"
      # [Optional, Default: false]
      # If true, Frogbot creates a single pull request with all the fixes.
      # If false, Frogbot creates a separate pull request for each fix.
      # aggregateFixes: false
      # [Optional, Default: eco-system+frogbot@jfrog.com]
      # Set the email of the commit author
      # emailAuthor: ""
    # Frogbot scanning parameters
    scan:
      # [Default: false]
      # Frogbot displays all existing vulnerabilities, including the ones that were not added by the pull request
      # includeAllVulnerabilities: true
      # [Default: false]
      # When adding new comments on pull requests, keep old comments that were added by previous scans.
      # avoidPreviousPrCommentsDeletion: true
      # [Default: true]
      # Frogbot does not fail the task if security issues are found and this parameter is set to false
      # failOnSecurityIssues: false
      # [Default: false]
      # Handle vulnerabilities with fix versions only
      # fixableOnly: true
      # [Optional]
      # Set the minimum severity for vulnerabilities that should be fixed and commented on in pull requests
      # The following values are accepted: Low, Medium, High or Critical
      # minSeverity: ""
      # [Optional]
      # List of email addresses to receive emails about secrets that have been detected in a pull request scan.
      # Applies only to servers that are entitled to JFrog Advanced Security.
      # emailReceivers:
      #   - user@company.com
      # List of subprojects / project dirs inside the Git repository
      projects:
        # [Mandatory if the two conditions below are met]
        # 1. The project uses yarn 2, NuGet or .NET Core to download its dependencies
        # 2. The `installCommand` variable isn't set in your frogbot-config.yml file.
        #
        # The command that installs the project dependencies (e.g "nuget restore")
        # - installCommand: ""
        # [Default: root directory]
        # List of relative paths to the project directories in the git repository. If left empty (without providing "." yourself as the root directory's path), a recursive scan is triggered from the root directory of the project.
        #   workingDirs:
        #     - "."
        # [Default: ["*.git*", "*node_modules*", "*target*", "*venv*", "*test*"]]
        # List of exclusion patterns (utilizing wildcards) for excluding paths in the source code of the Git repository during SCA scans.
        #   pathExclusions:
        #     - "*node_modules*"
        #     - "*target*"
        #     - "*venv*"
        #     - "*test*"
        # [Mandatory for pip only if using requirements file, Default: pip install .]
        # The requirements file name that is used to install dependencies in case of pip package manager
        #   pipRequirementsFile: ""
        # [Default: true]
        # Use Gradle Wrapper (gradlew/gradlew.bat) to run Gradle
        #   useWrapper: true
        # [Optional]
        # Name of a Virtual Repository in Artifactory to resolve (download) the project dependencies from
        #   repository: ""
    # JFrog Platform parameters
    jfrogPlatform:
      # [Optional]
      # JFrog project key.
      # jfrogProjectKey: ""
      # [Optional]
      # Xray Watches.
      # watches:
      #   - ""
```
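A worked configuration built from the template above, as an added example that is not the Frogbot project's own: one repository holding a Maven service and a .NET client, so the .NET entry needs an installCommand while the Maven entry does not. The repository name, branch names, directory names, project key and watch name are assumed values.

```yaml
# Added example (not from the Frogbot project): .frogbot/frogbot-config.yml for a
# repository with a Maven service under backend/ and a .NET client under client/.
# Repository name, branches, paths, project key and watch name are assumed values.
- params:
    git:
      repoName: payments-service          # assumed repository name
      branches:
        - main
        - release/2024                    # also scan the maintained release line
      # One pull request per fix keeps each dependency bump reviewable on its own.
      aggregateFixes: false
    scan:
      # Report only issues that have a fix version and are High or Critical, so the
      # PR comment stays actionable; set minSeverity to "" to comment on every severity.
      fixableOnly: true
      minSeverity: "High"
      # Keep the default behaviour of failing the task when issues are found.
      failOnSecurityIssues: true
      projects:
        # Maven project: Frogbot resolves dependencies from the POM, so no
        # installCommand is needed. Build output and tests are excluded from SCA.
        - workingDirs:
            - "backend"
          pathExclusions:
            - "*target*"
            - "*test*"
        # .NET project: packages must be restored before SCA can see the full
        # dependency graph, so an installCommand is mandatory here.
        - installCommand: "dotnet restore"
          workingDirs:
            - "client"
    jfrogPlatform:
      jfrogProjectKey: "payments"          # assumed JFrog project key
      watches:
        - "payments-prod"                  # assumed Xray watch name
```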