Automated scripts for scanning and tracking vulnerabilities in Docker artifacts using JFrog Xray.
This toolkit provides Bash scripts that interact with the JFrog Xray REST API to:
- Scan Docker images for security vulnerabilities
- Fetch recent security violations sorted by update date
- Retrieve detailed CVE information with CVSS scores
- Generate JSON reports for further analysis
- JFrog CLI - Command-line interface for the JFrog Platform
  - Download: jfrog.com/getcli
  - Installation: Follow the platform-specific instructions
- jq - JSON processor for parsing API responses

```bash
# Ubuntu/Debian
sudo apt-get install jq
# macOS
brew install jq
# RHEL/CentOS
sudo yum install jq
```

- JFrog Xray access
  - Valid API key or access token
  - Permissions to query Xray violations and events

- Clone or download this repository:

```bash
git clone <repository-url>
cd vulnerability-management-automatisation
```

- Make the scripts executable:

```bash
chmod +x *.sh
```

- Set your API key:

```bash
export API_KEY='your-jfrog-api-key-or-token'
```
Fetches the most recent vulnerabilities from JFrog Xray, sorted by last update.

Features:
- Configurable number of violations to fetch
- Automatic CVE enrichment for each violation
- Debug mode to preserve intermediate files
- Clean output (only the final report by default)

Usage:

```bash
API_KEY='your-key' ./search-new-cves.sh [OPTIONS]
```

Options:
- `--debug`, `-d` - Enable debug mode (keep temporary files)
- `--help`, `-h` - Show help message

Environment Variables:
- `API_KEY` (required) - JFrog API key
- `JFROG_URL` (optional) - JFrog instance URL (default: https://bonitasoft.jfrog.io/)
- `VIOLATIONS_NUMBER` (optional) - Number of violations to fetch (default: 40)

Examples:

```bash
# Fetch the 40 most recent vulnerabilities
API_KEY='your-key' ./search-new-cves.sh

# Fetch 100 vulnerabilities
VIOLATIONS_NUMBER=100 API_KEY='your-key' ./search-new-cves.sh

# Enable debug mode to keep intermediate files
API_KEY='your-key' ./search-new-cves.sh --debug

# Custom JFrog instance
JFROG_URL='https://your-instance.jfrog.io/' API_KEY='your-key' ./search-new-cves.sh
```

Output:
- Default: `xray-reports/cves_details_YYYYMMDD_HHMMSS.json`
- Debug mode also keeps: `latest_violations_*.json`, `filtered_violations_*.json`
All scripts generate JSON reports in the `xray-reports/` directory.

```json
[
  {
    "issue_id": "XRAY-12345",
    "cve_id": "CVE-2024-1234",
    "severity": "High",
    "title": "Vulnerability Title",
    "summary": "Brief description of the vulnerability",
    "components": [
      {
        "component_id": "docker://image:tag",
        "vulnerable_versions": ["1.0.0"]
      }
    ],
    "properties": {
      "cvss_v3": "7.5",
      "cwe": ["CWE-79"]
    },
    "impacted_artifacts": [...]
  }
]
```

Scripts primarily focus on high-severity vulnerabilities:
| Severity | Description | Default Behavior |
|---|---|---|
| Critical | Immediate action required | Included |
| High | Should be addressed promptly | Included |
| Medium | Moderate risk | Usually excluded |
| Low | Minor risk | Usually excluded |
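As an added example (not part of this toolkit), the following Python filter applies the severity policy above to a `cves_details` report in the format shown: it keeps Critical and High findings (optionally above a CVSS floor), collapses a CVE that recurs across several images, sorts by CVSS, and returns a non-zero exit code when a Critical finding is present so it can gate a pipeline. The sample report is constructed, and only the report fields documented above are assumed.

```python
"""Severity filter for a cves_details_*.json report (added example, not toolkit code)."""
import json
import sys

# Default policy from the severity table: Critical and High are included.
DEFAULT_SEVERITIES = ("Critical", "High")

# Constructed sample report in the documented format (not real Xray output).
SAMPLE_REPORT = [
    {"issue_id": "XRAY-1", "cve_id": "CVE-2024-0001", "severity": "High",
     "properties": {"cvss_v3": "7.5", "cwe": ["CWE-79"]}},
    {"issue_id": "XRAY-2", "cve_id": "CVE-2024-0002", "severity": "Critical",
     "properties": {"cvss_v3": "9.8", "cwe": []}},
    {"issue_id": "XRAY-3", "cve_id": "CVE-2024-0003", "severity": "Medium",
     "properties": {"cvss_v3": "5.3", "cwe": []}},
    # Same CVE reported again for another image: must be collapsed.
    {"issue_id": "XRAY-4", "cve_id": "CVE-2024-0001", "severity": "High",
     "properties": {"cvss_v3": "7.5", "cwe": []}},
    # Missing CVSS score: must not crash the filter.
    {"issue_id": "XRAY-5", "cve_id": "CVE-2024-0005", "severity": "High", "properties": {}},
]


def cvss_score(entry):
    """Return properties.cvss_v3 as a float, or 0.0 when absent or unparsable."""
    try:
        return float((entry.get("properties") or {}).get("cvss_v3", 0.0))
    except (TypeError, ValueError):
        return 0.0


def select_findings(report, severities=DEFAULT_SEVERITIES, min_cvss=0.0):
    """Keep entries whose severity is in `severities` and whose CVSS is at least
    `min_cvss`, collapse duplicate CVE ids, and sort by CVSS (highest first)."""
    unique = {}
    for entry in report:
        if entry.get("severity") not in severities or cvss_score(entry) < min_cvss:
            continue
        unique.setdefault(entry.get("cve_id") or entry["issue_id"], entry)
    return sorted(unique.values(), key=cvss_score, reverse=True)


def ci_exit_code(report, fail_on=("Critical",)):
    """1 when any selected finding has a severity listed in `fail_on`, else 0."""
    return 1 if any(e.get("severity") in fail_on for e in select_findings(report)) else 0


if __name__ == "__main__":
    # Pass a report path as the first argument; without one the constructed sample is used.
    data = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_REPORT
    for e in select_findings(data):
        print(f"{e.get('severity')}\t{cvss_score(e):.1f}\t{e.get('cve_id')}\t{e['issue_id']}")
    sys.exit(ci_exit_code(data))
```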
Symptom:

```
Error: Failed to fetch violations from Xray API
```

Solutions:
- Verify the API key is valid: `jf rt ping`
- Check the API key permissions in the JFrog Platform
- Ensure `JFROG_URL` is correct
- Try regenerating the API key

Symptom:

```
Error: JFrog CLI is not installed
```

Solution:

```bash
# Download and install JFrog CLI
curl -fL https://getcli.jfrog.io | sh
# Or use a package manager
brew install jfrog-cli # macOS
# Verify installation
jf --version
```

Symptom:

```
./script.sh: line 85: jq: command not found
```

Solution:

```bash
# Ubuntu/Debian
sudo apt-get update && sudo apt-get install jq
# macOS
brew install jq
# Verify installation
jq --version
```

Possible causes:
- Component/image doesn't exist in Artifactory
- Xray hasn't indexed the artifact yet
- No vulnerabilities found (good news!)
- Component ID format is incorrect

Debug steps:

```bash
# 1. Verify the artifact exists
jf rt search "repository/path/to/artifact"
# 2. Check the Xray indexing status in the UI
#    Navigate to Xray → Indexed Resources
# 3. Run the script in debug mode
API_KEY='key' ./search-new-cves.sh --debug
# 4. Examine the intermediate files
cat xray-reports/latest_violations_*.json | jq '.'
```

Symptom:

```
jq: error (at file.json:0): Cannot iterate over null (null)
```

Solution:
- Enable debug mode to see the API responses
- Check that the API endpoint returned valid JSON
- Verify JFrog Xray version compatibility
```yaml
scan_vulnerabilities:
  stage: security
  script:
    - export API_KEY=$JFROG_API_KEY
    - ./search-new-cves.sh
    - |
      if [ -f xray-reports/cves_details_*.json ]; then
        echo "Vulnerabilities found:"
        jq '.[] | "\(.severity): \(.cve_id)"' xray-reports/cves_details_*.json
      fi
  artifacts:
    paths:
      - xray-reports/
    expire_in: 30 days
  only:
    - main
    - merge_requests
```

```yaml
name: Vulnerability Scan
on:
  push:
    branches: [main]
  schedule:
    - cron: '0 2 * * *'  # Daily at 2 AM
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - name: Install dependencies
        run: |
          sudo apt-get update
          sudo apt-get install -y jq
          curl -fL https://getcli.jfrog.io | sh
          sudo mv jf /usr/local/bin/
      - name: Scan for CVEs
        env:
          API_KEY: ${{ secrets.JFROG_API_KEY }}
        run: ./search-new-cves.sh
      - name: Upload scan results
        uses: actions/upload-artifact@v3
        with:
          name: vulnerability-reports
          path: xray-reports/
          retention-days: 30
```

```text
xray-reports/
├── cves_details_20251003_105141.json           # From search-new-cves.sh
├── vulnerability_report_20251003_110530.json   # From jfrog-xray-scan.sh
├── cves_by_component_20251003_111245.json      # From find-cves-by-component.sh
└── violations_docker___bonita_10.3.json        # From get-cves-by-component.sh
```
For issues related to:
- JFrog Xray API: Consult the official JFrog documentation or support
- JFrog CLI: See the JFrog CLI GitHub repository
- These scripts: Open an issue in this repository
This project is licensed under the MIT License. See the LICENSE file for details.