frogbot
Using Repository Scans without GitHub Advanced Security
If GitHub Advanced Security is not enabled, is there a way to use the Repository Scans without it? E.g. printing the results in the Actions' output instead. Are there options/parameters for other mechanisms for outputting the results?
Hi Imranzunzani, Yes, we are introducing a new UI that will show the results of the Repository Scans. Can you kindly contact your JFrog representative and ask them about the XSC? We will be happy to schedule a call with you and demo it.
Hi @asafcjfrog , We have been waiting for its release already. It was demoed to us in October. But my question here is about the results showing up in GitHub without GitHub Advanced Security enabled.
Hello @imranzunzani. Frogbot can present its results in the PR you scan (scan-pr) or open a new PR with the scan results + fix suggestion (scan-repository). The scans Frogbot performs are not related to GitHub directly and are not dependent on it, so yes, Frogbot is able to present the results. Would you care to tell me what is not working as you expect? (Screen pictures would be helpful as well.)
@imranzunzani please contact your JFrog representative to schedule a call and I'll be happy to assist
Hi @eranturgeman , My question is about the repository scan, not the PR scan. Without the GHAS API enabled, the repo scan completes with the following logged, and no mention of found violations anywhere:
/opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot scan-repository
08:19:48 [Info] Frogbot version: 2.19.9
08:19:49 [Info] Running Frogbot "scan-repository" command
08:19:51 [Info] Preforming 1 SCA scans:
[
{
"Technology": "maven",
"WorkingDirectory": "/tmp/jfrog.cli.temp.-1708503590-428075562",
"Descriptors": [
"/tmp/jfrog.cli.temp.-1708503590-428075562/pom.xml"
]
}
]
08:19:51 [Info] Running SCA scan for maven vulnerable dependencies in /tmp/jfrog.cli.temp.-1708503590-428075562 directory...
08:19:51 [Info] Calculating Maven dependencies...
08:19:59 [Info] Scanning 68 maven dependencies...
08:20:01 [Info] Waiting for scan to complete on JFrog Xray...
08:20:24 [Info] Xray scan completed
08:20:24 [Warn] upload code scanning for main branch failed with: POST https://api.github.com/repos/*org*/jfrog-workflow-test/code-scanning/sarifs: 403 Advanced Security must be enabled for this repository to use code scanning. []
08:20:34 [Info] Created Pull Request updating dependency 'org.springframework.boot:spring-boot-starter-web' to version '2.6.6'
08:20:36 [Info] Frogbot "scan-repository" command finished successfully
The fix suggestions don't cover all vulnerabilities and license violations.
I have the same exact question.
13:33:19 [Warn] upload code scanning for develop branch failed with: POST https://api.github.com/repos/*org*/*repo*/code-scanning/sarifs: 403 Advanced Security must be enabled for this repository to use code scanning. []
13:33:19 [Info] Didn't find vulnerable dependencies with existing fix versions for *repo*
13:33:19 [Info] Frogbot "scan-repository" command finished successfully
Hello @imranzunzani and @brianmaresca

Here is a solution and answer for all of your questions (hopefully):

The default for Frogbot is to send the scan results to GitHub Advanced Security. We cannot disable that currently.

You are correct that you cannot see the full scan results in the PRs Frogbot opens, since we don't want to expose some security issues to the public (in case of public repos) that can be exploited by a potential attacker. For the same reason we don't want to print the results to the CI logs, so no security issue that can be exploited will be exposed.

As for a different solution: we introduced a while ago our new Xsc service, which is now deployed in most of our regions. This service (accessible through the platform) presents ALL the scan results from every scan you initiated, as long as you are connected to some JFrog Platform. There you can view all the results in a secured way. You can access it in the platform under Xray -> Scans List.

Hope it cleared everything out. If so, I'd appreciate your comment so I know everything is good; if not, please comment and I'll clear whatever is needed.
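The two logs quoted above show the practical consequence of that default: the 403 on `POST .../code-scanning/sarifs` is only a `[Warn]` and the command still "finished successfully", so a job that only checks the exit code never learns that the findings had nowhere to go. The following is an added example (not Frogbot's own code, and not something the project provides) that post-processes a scan-repository log, extracts the facts the thread cares about (SARIF upload rejected, fix PRs opened, "no fixable dependencies"), and turns them into GitHub Actions annotations and a deliberate exit code. The sample logs are constructed from the lines quoted in this thread with the Actions link artifacts removed; the regexes assume the log format shown here and nothing more.

```python
"""Post-process a Frogbot scan-repository log so a CI job can tell whether the
findings reached GitHub code scanning (needs GHAS) or only an auto-fix PR."""
import re
import sys
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

# Constructed samples: the two logs quoted in this thread, Actions link artifacts removed.
LOG_IMRANZUNZANI = """\
08:19:48 [Info] Frogbot version: 2.19.9
08:19:49 [Info] Running Frogbot "scan-repository" command
08:19:51 [Info] Running SCA scan for maven vulnerable dependencies in /tmp/jfrog.cli.temp.-1708503590-428075562 directory...
08:19:59 [Info] Scanning 68 maven dependencies...
08:20:24 [Info] Xray scan completed
08:20:24 [Warn] upload code scanning for main branch failed with: POST https://api.github.com/repos/org/jfrog-workflow-test/code-scanning/sarifs: 403 Advanced Security must be enabled for this repository to use code scanning. []
08:20:34 [Info] Created Pull Request updating dependency 'org.springframework.boot:spring-boot-starter-web' to version '2.6.6'
08:20:36 [Info] Frogbot "scan-repository" command finished successfully
"""

LOG_BRIANMARESCA = """\
13:33:19 [Warn] upload code scanning for develop branch failed with: POST https://api.github.com/repos/org/repo/code-scanning/sarifs: 403 Advanced Security must be enabled for this repository to use code scanning. []
13:33:19 [Info] Didn't find vulnerable dependencies with existing fix versions for repo
13:33:19 [Info] Frogbot "scan-repository" command finished successfully
"""

# Patterns assumed from the log lines quoted in the thread (Frogbot 2.19.x output).
RE_VERSION = re.compile(r"Frogbot version: (\S+)")
RE_SCANNED = re.compile(r"Scanning (\d+) (\S+) dependencies")
RE_UPLOAD_FAIL = re.compile(r"\[Warn\] upload code scanning for (\S+) branch failed with: (.+)$")
RE_FIX_PR = re.compile(r"Created Pull Request updating dependency '([^']+)' to version '([^']+)'")
NO_FIXABLE = "Didn't find vulnerable dependencies with existing fix versions"
FINISHED_OK = "command finished successfully"


@dataclass
class ScanSummary:
    version: Optional[str] = None
    dependencies_scanned: int = 0
    branch: Optional[str] = None
    sarif_upload_error: Optional[str] = None          # set when code scanning rejected the upload
    fix_prs: List[Tuple[str, str]] = field(default_factory=list)  # (dependency, fixed version)
    no_fixable_found: bool = False
    finished_ok: bool = False

    @property
    def results_reached_github(self) -> bool:
        # Frogbot exits 0 even when the SARIF upload is rejected, so the exit
        # code alone does not tell you whether anyone will ever see the findings.
        return self.finished_ok and self.sarif_upload_error is None


def parse_frogbot_log(text: str) -> ScanSummary:
    """Walk the log once and collect the outcome-relevant facts."""
    s = ScanSummary()
    for line in text.splitlines():
        m = RE_VERSION.search(line)
        if m:
            s.version = m.group(1)
        m = RE_SCANNED.search(line)
        if m:
            s.dependencies_scanned += int(m.group(1))
        m = RE_UPLOAD_FAIL.search(line)
        if m:
            s.branch, s.sarif_upload_error = m.group(1), m.group(2)
        m = RE_FIX_PR.search(line)
        if m:
            s.fix_prs.append((m.group(1), m.group(2)))
        if NO_FIXABLE in line:
            s.no_fixable_found = True
        if FINISHED_OK in line:
            s.finished_ok = True
    return s


def actions_annotations(s: ScanSummary) -> List[str]:
    """GitHub Actions workflow commands that surface the outcome in the run UI."""
    out: List[str] = []
    if s.sarif_upload_error:
        out.append(f"::warning title=Frogbot::SARIF upload to code scanning rejected "
                   f"for branch {s.branch}: {s.sarif_upload_error}")
    for dep, ver in s.fix_prs:
        out.append(f"::notice title=Frogbot::fix PR opened: {dep} -> {ver}")
    if s.no_fixable_found:
        out.append("::notice title=Frogbot::no vulnerable dependencies with a fix version; "
                   "findings without a fix are not shown in this log")
    return out


def exit_code(s: ScanSummary, require_upload: bool = True) -> int:
    """2 if Frogbot itself did not finish; 1 if the findings never reached code scanning
    and the job is configured to require that; 0 otherwise."""
    if not s.finished_ok:
        return 2
    if require_upload and not s.results_reached_github:
        return 1
    return 0


if __name__ == "__main__":
    # Usage in a workflow step: frogbot scan-repository 2>&1 | tee frogbot.log; python check.py < frogbot.log
    summary = parse_frogbot_log(sys.stdin.read())
    print("\n".join(actions_annotations(summary)))
    sys.exit(exit_code(summary))
```

Piping the Frogbot step's output through this check makes the GHAS dependency visible in the run itself instead of buried in a warning line; `require_upload=False` is the setting for repositories that have accepted that results live only in Xray's Scans List.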
I don't see anything in the scans list in my JFrog console.
Also, it would be great if there was an option to enable logging the full scan results. I would think adding that would be simple.
@brianmaresca Currently we don't allow logging the full scan results, for security reasons. As for the Scans list: please contact your JFrog representative to resolve this issue and verify the existence of the Xsc service in your region. I think it can be resolved the quickest this way :)
Hello again @imranzunzani and @brianmaresca

Just wanted to conclude this conversation :)

As for seeing the full scan results when scanning using Frogbot: this is already possible in our platform. It requires XSC. Please contact your JFrog representative for any further information.

As for seeing the full scan results in the output log: we are currently working on big improvements for our scanning process, and the option to see the scan results in your execution log is in our plan :) Stay tuned for future updates.

If you have any further questions, feel free to re-open this issue or open a new GitHub issue.
Looping in @Avi706, for XSC considerations.