JFrog today introduced its fourth and newest product, JFrog Xray, which gives organizations unprecedented visibility into the contents of software components. The announcement – made at swampUP, JFrog’s annual user conference – represents a major advancement in improving development and DevOps and InfoSec teams’ effectiveness, and accelerating the continuous delivery (CD) pipeline.
JFrog Xray is the first universal impact analysis product, giving organizations an unparalleled level of understanding about all of their container images, software packages and binary artifacts, even with the huge volume and variety of components that development teams share in the software build and distribution process.
JFrog Xray is the only product on the market that provides radical transparency into every component an organization has ever used. It includes:
- Impact analysis that indicates how production and continuous integration (CI) environments are impacted
- A full dependencies graph on which users can easily zoom in to find vulnerability or compliance issues
- An open API that enables integration with all current and future types of component-scanning technology to allow custom scanning capabilities for performance, quality, popularity or any other criteria required
- A universal solution that integrates with vulnerability and license compliance databases such as VersionEye, Black Duck and WhiteSource
- Powerful integration with a user’s registry and repository to allow full sync through all the CI/CD flow
Through tight integration with JFrog Artifactory and access to the exhaustive metadata that Artifactory indexes, JFrog Xray is in a unique position to analyze the relationships between binary artifacts across an entire organization and the impact that one component has on any other. In addition to security vulnerabilities, JFrog Xray can also analyze the potential impact of performance issues or architectural changes.
“JFrog Xray responds to a profound pain of our users and the entire software development community with an infinitely expandable way to know everything about every component they’ve ever used in a software project – from build to production to distribution,” said Shlomi Ben Haim, co-founder and CEO of JFrog. “While container technology revolutionized the market and the way people distribute software packages, it is still a ‘black hole’ that always contains other packages and dependencies. The Ops world has a real need for full visibility into these containers, plus an automated way to point out changes that will impact their production environment. With JFrog Xray, you can not only scan your container images but also track all dependencies in order to avoid vulnerabilities and optimize your CI/CD flow.”
JFrog Xray is a fully automated platform with a powerful REST API, allowing integration and automation with an organization’s CI/CD pipeline, and enabling other inspection and security tools to fit into the full build-to- production automated flow.
JFrog Xray includes the VersionEye technology and database. VersionEye, a startup company based in Mannheim, Germany, improves developer productivity through a system that tracks open source libraries and alerts developers in real time to key information such as security vulnerabilities, license violations and outdated dependencies.
“VersionEye technology monitors over a million open source projects on a daily basis,” said Robert Reiz, CEO and co-founder of VersionEye. “Integrating the VersionEye technology with the JFrog platform creates an unparalleled capability for deep understanding of the quality and provenance of the software components organizations depend on. JFrog has leveraged its Universal approach, supporting all type of components, into a leadership position with its artifact repository and addresses a real community pain with JFrog Xray. We are excited to be part of the solution.”
The technology solves a critical problem for companies as they increase their use of container technology and make open source a mainstay of their development strategies. With so many open source components available, it has become extremely difficult, if not impossible, for application builders to know pertinent information about each one and avert security issues, such as the Heartbleed bug in the popular OpenSSL cryptographic software library that put user passwords on many popular websites at risk.