Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
1 parent
d5a41a3
commit 03adc32
Showing
2 changed files
with
173 additions
and
0 deletions.
@@ -1,2 +1,116 @@ | ||
# Advanced Security | ||
|
||
**JFrog Advanced Security** is a robust security solution that protects software supply chains by providing **deep vulnerability analysis, exposure detection, and advanced threat intelligence**. Integrated with **JFrog Xray**, it enables developers and security teams to **identify, analyze, and remediate security risks** across the entire software development lifecycle. | ||
|
||
### **Where Xray Fits in the JFrog Security Timeline** | ||
|
||
|
||
|
||
## **Business Needs for JFrog Advanced Security** | ||
|
||
**JFrog Advanced Security** addresses critical business needs by ensuring secure software development, supply chain protection, and regulatory compliance. | ||
|
||
**Protecting the Software Supply Chain** | ||
|
||
* Prevents **malicious code injection, dependency attacks, and misconfigurations** that could compromise the integrity of software. | ||
* Identifies **vulnerabilities in open-source dependencies** before they become security risks. | ||
* Ensures that all software artifacts are **secure from development to deployment**. | ||
|
||
**Reducing Security Risks and False Positives** | ||
|
||
* Uses **contextual analysis** to **eliminate false positives** and prioritize actual threats. | ||
* Detects **secrets exposure (API keys, credentials, tokens) to prevent data leaks**. | ||
* Scans for **insecure configurations** in applications, infrastructure, and services. | ||
|
||
**Enforcing Compliance and Regulatory Requirements** | ||
|
||
* Helps businesses adhere to **security standards like ISO 27001, NIST, SOC 2, GDPR, and more**. | ||
* Automates security policies to **enforce best practices and compliance** across development teams. | ||
* Provides **audit trails and reporting** for security assessments and regulatory needs. | ||
|
||
**Enhancing DevSecOps and CI/CD Pipelines** | ||
|
||
* Seamlessly integrates into DevOps workflows, enabling **continuous security scanning** without slowing down development. | ||
* Offers **REST APIs** for embedding security checks into CI/CD pipelines. | ||
* Allows security teams to **define policies** that automatically enforce secure development practices. | ||
|
||
**Improving Operational Efficiency and Cost Savings** | ||
|
||
* Reduces time spent on **manual vulnerability triage** by focusing on exploitable risks. | ||
* Minimizes the risk of **costly breaches, downtime, and reputational damage**. | ||
* Ensures security is **built-in from the start**, reducing remediation costs later in the SDLC. | ||
|
||
**Supporting Cloud-Native and Hybrid Environments** | ||
|
||
* Scans **Docker, Kubernetes, and cloud-based applications** for security vulnerabilities. | ||
* Ensures **secure software delivery across multi-cloud and hybrid environments**. | ||
* Detects risks in **infrastructure-as-code (IaC) configurations**. | ||
|
||
## **Purpose of JFrog Advanced Security** | ||
|
||
✔ **Secure the Software Supply Chain** – Prevent malicious code injection, dependency attacks, and misconfigurations. | ||
|
||
✔ **Detect and Remediate Vulnerabilities** – Identify security flaws in open-source dependencies, containers, and infrastructure. | ||
|
||
✔ **Eliminate False Positives with Contextual Analysis** – Prioritize real security threats by assessing exploitability within the artifact’s context. | ||
|
||
✔ **Prevent Secrets Exposure** – Detect leaked API keys, credentials, and sensitive data to avoid security breaches. | ||
|
||
✔ **Ensure Compliance with Industry Standards** – Automate security policies to meet **ISO 27001, SOC 2, NIST, GDPR, and other regulations**. | ||
|
||
✔ **Integrate Security into DevOps (DevSecOps)** – Embed security checks directly into CI/CD pipelines for **continuous security scanning**. | ||
|
||
✔ **Enable Automated Security Policies** – Define security rules to enforce best practices and prevent high-risk deployments. | ||
|
||
✔ **Reduce Operational Costs and Risk** – Minimize time spent on security triage, prevent costly breaches, and streamline remediation. | ||
|
||
✔ **Support Cloud-Native Security** – Scan **Docker, Kubernetes, and cloud environments** for misconfigurations and vulnerabilities. | ||
|
||
✔ **Enhance Software Quality and Reliability** – Ensure only **secure and compliant** artifacts move to production. | ||
|
||
## **Main Features** | ||
|
||
General | ||
|
||
* **Comprehensive Software Security** – Scans artifacts, repositories, and builds for security risks. | ||
* **DevSecOps Integration** – Embeds security into CI/CD pipelines with minimal disruption. | ||
* **REST API Support** – Enables automation of security scans, policy enforcement, and reporting. | ||
* **Security Policy Enforcement** – Allows organizations to define and apply security rules automatically. | ||
* **Regulatory Compliance** – Supports **ISO 27001, SOC 2, NIST, GDPR, and other standards**. | ||
|
||
Software Composition Analysis (SCA) | ||
|
||
* **Open Source Vulnerability Scanning** – Identifies risks in Maven, npm, PyPI, Go, Docker, and more. | ||
* **License Compliance Management** – Detects and enforces policies for open-source license usage. | ||
* **Dependency Analysis** – Scans direct and transitive dependencies for security risks. | ||
* **Policy-Based Risk Management** – Defines security actions based on severity levels. | ||
|
||
SBOM | ||
|
||
* **SBOM Generation** – Provides a **detailed inventory of all software components** in an application. | ||
* **Continuous SBOM Monitoring** – Keeps SBOM updated with new security insights. | ||
* **Vulnerability Exposure Tracking** – Maps vulnerabilities to software components in real time. | ||
|
||
*** | ||
|
||
Advanced Vulnerability & Exposure Scanning | ||
|
||
* **Contextual Analysis** – Reduces false positives by verifying **actual exploitability** within an artifact. | ||
* **Exposure Scanning** – Detects **misconfigurations, weak authentication, and excessive privileges**. | ||
* **Infrastructure-as-Code (IaC) Security** – Identifies risks in **Terraform, AWS, Azure, and GCP** configurations. | ||
* **Application Security Scanning** – Scans Python, Node.js, and other applications for **insecure implementations**. | ||
* **Secrets Detection** – Finds **leaked API keys, credentials, and private keys** in artifacts and repositories. | ||
|
||
*** | ||
|
||
Container & Cloud Security | ||
|
||
* **Docker & OCI Image Scanning** – Identifies vulnerabilities in **containerized applications**. | ||
* **Kubernetes Security** – Ensures **secure container deployments** and identifies misconfigurations. | ||
* **Cloud Security Posture Management (CSPM)** – Detects misconfigurations in cloud environments. | ||
|
||
Security Results & Remediation | ||
|
||
* **Real-Time Security Dashboard** – Displays vulnerabilities, exposures, and remediation suggestions. | ||
* **On-Demand Scanning** – Allows users to **scan specific artifacts or entire repositories**. | ||
* **Violation Management & Suppression** – Enables users to **ignore false positives** and manage risks efficiently. |
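Review bot: the `### **Where Xray Fits in the JFrog Security Timeline**` heading has no body, so the section renders as an empty heading; either add the timeline content (or the image it was meant to carry) or drop the heading until that content exists. Two smaller points in the same hunk: the bullet under `Reducing Security Risks and False Positives` says contextual analysis is used to `eliminate false positives`, while the `Contextual Analysis` feature bullet further down says it `Reduces false positives`; the weaker wording is the defensible one and should be used in both places. Also, under `## **Main Features**` the sub-section labels (`General`, `Software Composition Analysis (SCA)`, `SBOM`, `Advanced Vulnerability & Exposure Scanning`, ...) are plain paragraphs, with `***` rules separating only some of them; making them `###` headings and dropping the rules would give the file a consistent structure, and the `Business Needs` and `Purpose` sections repeat the same bullets almost verbatim, so one of the two could be trimmed to a short cross-reference.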
@@ -1,2 +1,61 @@ | ||
# Supported Technologies | ||
|
||
## **Supported Package Types for Vulnerability & Exposure Scanning** | ||
|
||
| **Package Type** | **Supported in Xray Version** | | ||
| ----------------------------------- | ----------------------------- | | ||
| **Docker** | 3.59.4+ | | ||
| **OCI (Open Container Initiative)** | 3.59.4+ | | ||
| **Maven** | 3.78.9+ | | ||
| **npm** | 3.78.9+ | | ||
| **PyPI** | 3.78.9+ | | ||
| **Gradle** | Supported | | ||
| **Go Modules** | Supported | | ||
| **Alpine** | Supported | | ||
| **Debian** | Supported | | ||
| **RPM** | Supported | | ||
| **NuGet** | Supported | | ||
| **RubyGems** | Supported | | ||
| **Generic Artifacts** | Supported | | ||
|
||
## **Supported Technologies for Contextual Analysis** | ||
|
||
| **Repository Type** | **Supported Languages Inside Containers** | **Supported Languages in Source Code Analysis** | | ||
| ------------------- | --------------------------------------------------------------------------------- | ----------------------------------------------- | | ||
| **Docker** | Java, Go, Python, JavaScript, TypeScript, Rust (Cargo), .NET, C/C++ (ELF), Kotlin | Java, Go, Python, JavaScript, TypeScript | | ||
| **Maven** | Java (Uber JAR) | Java | | ||
| **Gradle** | Java | Java | | ||
|
||
**Notes:** | ||
|
||
* **Maven support requires Xray 3.77.4+** (Uber JAR format). | ||
* **Rust binaries require Xray 3.79.x+.** | ||
* **.NET binaries require Xray 3.95.4+.** | ||
|
||
## **Supported Infrastructure-as-Code (IaC) Scanning** | ||
|
||
| **Cloud Provider** | **Scanned Configurations** | | ||
| ------------------ | --------------------------------------------------------------------------------------------- | | ||
| **AWS** | IAM Policies, S3 Buckets, RDS, API Gateway, Lambda, EC2, ECS, CloudTrail, Kinesis, Glue, etc. | | ||
| **Azure** | Storage Accounts, Key Vaults, Networking, Virtual Machines, RBAC, Logging, etc. | | ||
| **Google Cloud** | IAM Policies, Cloud Storage, Kubernetes, Compute Engine, Cloud Functions, etc. | | ||
|
||
*** | ||
|
||
## **Supported Services for Configuration Security Scanning** | ||
|
||
| **Service** | **Common Security Issues Detected** | | ||
| -------------- | ---------------------------------------------------------------- | | ||
| **NGINX** | Insecure credentials, weak TLS settings, exposed admin interface | | ||
| **Apache** | Weak authentication, missing HTTPS enforcement | | ||
| **Envoy** | Misconfigured access policies, excessive privileges | | ||
| **Etcd** | Unauthenticated access, weak crypto settings | | ||
| **Prometheus** | Insecure endpoints, unauthorized access | | ||
|
||
## **Supported Secret Scanning** | ||
|
||
| **Supported Platforms for Secrets Detection** | **Types of Secrets Detected** | | ||
| --------------------------------------------------------------------------------------------- | ----------------------------------------------------------------- | | ||
| JFrog Platform (Docker, Maven, npm, PyPI, NuGet, Gradle, RPM, Alpine, Go, RubyGems, Generic) | API Keys, Tokens, Private Keys, High Entropy Secrets, URL Secrets | | ||
| Developer Tools (IDE Plugins, CLI, Git Hooks) | API Keys, Passwords, Credentials in Source Code | | ||
| Cloud Services (AWS, Azure, GCP, GitHub, GitLab, npm, Slack, Terraform, Stripe, Twilio, etc.) | API Keys, Authentication Tokens, OAuth Secrets | |
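Review bot: the `Supported Package Types` table gives a minimum Xray version for Docker, OCI, Maven, npm and PyPI but only `Supported` for the remaining eight rows, which leaves the reader unable to tell whether those types work on every Xray version or only on current ones; state a minimum version for each row, or add a note saying what `Supported` means. Related: the Notes under the contextual analysis table say `Maven support requires Xray 3.77.4+` while the package table lists Maven at `3.78.9+`; if the two numbers refer to different features (contextual analysis versus vulnerability and exposure scanning), say so explicitly next to the table, otherwise reconcile them. `Rust binaries require Xray 3.79.x+` should name an exact patch release like the other entries. Finally, the `Supported Infrastructure-as-Code (IaC) Scanning` table is keyed by cloud provider but never states which IaC formats are parsed, even though the README in this same commit advertises Terraform scanning; add a column or a sentence naming the formats.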