On Monday, JFrog announced details of JFrog Xray, a product that delivers deep transparency into artifacts stored in the JFrog Artifactory repository. JFrog Xray performs binary-level analysis of those artifacts to detect known security vulnerabilities. In addition, it performs impact analysis that maps the dependencies between container images and the software applications and binary artifacts they contain. Because JFrog Xray exposes these dependencies at a granular level, JFrog Artifactory customers can quickly determine the scope of a vulnerability that originates in one artifact and propagates to every other artifact that includes it. In doing so, JFrog Xray tackles the “black box” problem of a container’s contents and their potential impact on an organization’s IT infrastructure. Customers can also use JFrog Xray’s dependency mapping to understand the performance and architectural effects that a change in one artifact has on other components and applications.
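The impact analysis described above is, at its core, a reverse-reachability search over an artifact dependency graph: start at the vulnerable binary and walk upward through every layer, package and image that contains it until you reach the deployable artifacts. The following is an added illustration of that technique and is not JFrog Xray's code or API; the artifact names, the `DEPENDS_ON` graph and the `impact_paths` / `impacted_roots` functions are constructed for this example.

```python
"""Transitive impact analysis over an artifact dependency graph.

Added example (not JFrog code). Answers the question "if this binary is
vulnerable, which containers and applications ship it, and by which path?"
by inverting a parent->child 'contains/depends-on' graph and walking upward.
"""
from collections import defaultdict, deque

# Constructed sample graph with hypothetical artifact names (not real
# Artifactory paths): each key contains or depends on the listed children.
DEPENDS_ON = {
    "docker://shop/web:2.3":    ["layer:sha256:a1", "layer:sha256:b2"],
    "docker://shop/api:1.9":    ["layer:sha256:a1", "layer:sha256:c3"],
    "docker://shop/batch:0.4":  ["layer:sha256:d4"],
    "layer:sha256:a1":          ["deb:libcrypto-example_1.0-1", "deb:base-files_8.5"],
    "layer:sha256:b2":          ["jar:shop-web-2.3.jar"],
    "layer:sha256:c3":          ["jar:shop-api-1.9.jar"],
    "layer:sha256:d4":          ["jar:shop-batch-0.4.jar"],
    "jar:shop-web-2.3.jar":     ["jar:commons-example-3.2.1.jar", "jar:shop-core-1.1.jar"],
    "jar:shop-api-1.9.jar":     ["jar:shop-core-1.1.jar"],
    "jar:shop-batch-0.4.jar":   ["jar:logging-example-1.1.7.jar"],
    "jar:shop-core-1.1.jar":    ["jar:commons-example-3.2.1.jar"],
}


def reverse_graph(depends_on):
    """Invert parent->children into child->parents so the search can walk upward."""
    used_by = defaultdict(list)
    for parent, children in depends_on.items():
        for child in children:
            used_by[child].append(parent)
    return used_by


def _known(depends_on, used_by, artifact):
    return artifact in depends_on or artifact in used_by


def impact_paths(depends_on, vulnerable):
    """Every path from `vulnerable` up to a root artifact (one nothing else
    contains), e.g. a deployable image. Returns [] for an unknown artifact.
    A node already on the current path is skipped, so cycles cannot loop."""
    used_by = reverse_graph(depends_on)
    if not _known(depends_on, used_by, vulnerable):
        return []
    paths = []
    stack = [(vulnerable, [vulnerable])]
    while stack:
        node, path = stack.pop()
        parents = used_by.get(node, [])
        if not parents:              # reached a root: record the full chain
            paths.append(path)
            continue
        for parent in parents:
            if parent in path:       # cycle guard
                continue
            stack.append((parent, path + [parent]))
    return sorted(paths)


def impacted_artifacts(depends_on, vulnerable):
    """Set of every artifact that transitively contains `vulnerable` (BFS)."""
    used_by = reverse_graph(depends_on)
    seen, queue = set(), deque([vulnerable])
    while queue:
        node = queue.popleft()
        for parent in used_by.get(node, []):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    return seen


def impacted_roots(depends_on, vulnerable):
    """Top-level deliverables that ship `vulnerable`; the set an operator
    would page on, as opposed to every intermediate layer or jar."""
    return {path[-1] for path in impact_paths(depends_on, vulnerable)}


if __name__ == "__main__":
    target = "jar:commons-example-3.2.1.jar"
    for path in impact_paths(DEPENDS_ON, target):
        print(" -> ".join(path))
    print("deliverables affected:", sorted(impacted_roots(DEPENDS_ON, target)))
```

The two traversals serve different consumers: `impact_paths` is what a developer needs to see why an image is flagged (the jar was pulled in through `shop-core`, not directly), while `impacted_roots` is the short list an operations team acts on. Note that `docker://shop/batch:0.4` never appears for the shared jar, which is exactly the scoping that prevents a single finding from turning into a blanket rebuild.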
Shlomi Ben Haim, CEO of JFrog, commented on the innovation of JFrog Xray as follows:
JFrog Xray responds to a profound pain of our users and the entire software development community for an infinitely expandable way to know everything about every component they’ve ever used in a software project – from build to production to distribution. While container technology revolutionized the market and the way people distribute software packages, it is still a ‘black hole’ that always contains other packages and dependencies. The Ops world has a real need to have full visibility into these containers plus an automated way to point out changes that will impact their production environment. With JFrog Xray, you can not only scan your container images but also track all dependencies in order to avoid vulnerabilities and optimise your CI/CD flow.
With these remarks, Shlomi Ben Haim highlights JFrog Xray’s ability to see into the “black hole” of containers and their contents. The graphic below illustrates the platform’s ability to map an impact path and enumerate the affected artifacts via a custom notification generated by the “Performance Alerts” application:
JFrog Xray plays in the same space as Docker’s Security Scanning platform, but JFrog claims differentiation from Docker’s binary-level scanning through Xray’s ability to map dependencies between artifacts and deliver a comprehensive impact analysis on top of the scan results. JFrog Xray will be generally available as of June 30, 2016.