JFrog Xray Review 2026: Binary-Level SCA

Name: JFrog Xray
Availability: OnlineOnly

JFrog Xray is a binary-level SCA tool that scans the actual artifacts stored in JFrog Artifactory. The Sonatype 2024 State of Software Supply Chain report found that one in eight open-source downloads contains a known vulnerability, making artifact-level scanning before deployment a critical control. Instead of analyzing source code or manifest files, Xray examines compiled binaries, Docker images, and packaged artifacts to find vulnerabilities, license violations, and malicious components.

JFrog Xray dashboard showing artifact security scan results with vulnerability details and policy violations

The tool recursively scans every layer and dependency within an artifact. For a Docker image, that means the base image, every build layer, and all installed packages. For a Java application, it traces through nested JARs and their transitive dependencies. This catches vulnerabilities that source-level scanners miss because it analyzes what actually gets deployed.

What is JFrog Xray?

Xray scans artifacts in Artifactory against vulnerability databases including the NVD, GitHub Advisories, and JFrog’s own security research. It maintains a database of over 4 million known malicious packages and supports virtually every package type: Docker, npm, Maven, PyPI, NuGet, Go, Cargo, and more.

Deep Recursive Scanning

Analyzes the complete dependency graph of every artifact, tracing through all layers and transitive dependencies. Catches vulnerabilities hidden in nested components that surface-level scanning misses.

Impact Analysis

When a new CVE drops, instantly shows every artifact, build, and deployment affected across your entire Artifactory instance. Turns incident response from manual log searches into a single query.

Policy-Based Gates

Configurable policies block downloads, fail builds, or trigger alerts based on CVE severity, specific CVE IDs, license types, CVSS scores, and component age. Enforces standards automatically.

Key features

Supported artifact types

Artifact type	Package formats
Java	Maven (JAR, WAR, EAR), Gradle
JavaScript	npm, yarn
Python	PyPI (wheel, sdist)
Go	Go modules
.NET	NuGet
Ruby	RubyGems
PHP	Composer
Rust	Cargo
C/C++	Conan
Containers	Docker, OCI, Helm charts
OS packages	Alpine (APK), Debian (DEB), RPM
Generic	ZIP, TAR, binaries

Deep recursive scanning

JFrog Xray scan results showing recursive dependency analysis with CVE details and severity levels

Xray analyzes the complete dependency graph of every artifact. For Docker images, it examines the base image, every layer added during build, and all packages installed at each stage. For Java applications, it traces through nested JARs and their transitive dependencies.

A common scenario: a direct dependency that itself depends on a vulnerable library. Without recursive scanning, this stays hidden until someone exploits it.

Impact analysis

When a new vulnerability is disclosed, Xray’s impact analysis shows every affected artifact along with all builds, releases, and deployments that depend on those artifacts. This turns incident response from digging through build logs into an instant query across your entire repository.

Policy-based security gates

Xray policies enforce security standards automatically. Rules can be based on CVE severity thresholds, specific CVE IDs (e.g., always block Log4Shell), license types (e.g., no GPL in commercial products), CVSS scores, or component age. When an artifact violates a policy, Xray can block downloads, fail builds, trigger alerts, or fire webhooks.

License compliance

Xray identifies licenses on all components in your software, helping legal and compliance teams understand obligations from open-source dependencies. Policies prevent accidental inclusion of components with incompatible licenses.

Installation

JFrog Xray runs as part of the JFrog Platform and requires JFrog Artifactory.

Deployment options include:

Cloud (JFrog SaaS)

The fastest path to getting started.

JFrog manages infrastructure, updates, and scaling.

# No installation required - configure via UI or API
# Access at https://your-instance.jfrog.io

Self-Hosted (Docker)

# Pull the Xray Docker images
docker pull releases-docker.jfrog.io/jfrog/xray-server:latest
docker pull releases-docker.jfrog.io/jfrog/xray-indexer:latest
docker pull releases-docker.jfrog.io/jfrog/xray-analysis:latest
docker pull releases-docker.jfrog.io/jfrog/xray-persist:latest

# Run using Docker Compose (recommended)
# Download docker-compose.yaml from JFrog documentation
docker-compose -f docker-compose.yaml up -d

Helm (Kubernetes)

# Add JFrog Helm repository
helm repo add jfrog https://charts.jfrog.io
helm repo update

# Install Xray (requires existing Artifactory)
helm upgrade --install xray jfrog/xray \
  --namespace jfrog \
  --set xray.joinKey=<your-join-key> \
  --set xray.jfrogUrl=https://artifactory.example.com

Integration

GitHub Actions

name: Build and Scan
on: [push, pull_request]

jobs:
  build-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Setup JFrog CLI
        uses: jfrog/setup-jfrog-cli@v4
        with:
          version: latest
        env:
          JF_URL: ${{ secrets.JF_URL }}
          JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}

      - name: Build and publish
        run: |
          jf rt build-add-dependencies my-build 1 "target/*.jar"
          jf rt upload "target/*.jar" libs-release-local/
          jf rt build-publish my-build 1

      - name: Scan for vulnerabilities
        run: |
          jf audit --watches "prod-security-policy"

      - name: Scan Docker image
        run: |
          jf docker scan myapp:${{ github.sha }}

GitLab CI

stages:
  - build
  - scan
  - deploy

variables:
  JFROG_CLI_BUILD_NAME: "my-app"
  JFROG_CLI_BUILD_NUMBER: "$CI_PIPELINE_ID"

scan:
  stage: scan
  image: releases-docker.jfrog.io/jfrog/jfrog-cli-v2:latest
  script:
    - jf config add --url=$JF_URL --access-token=$JF_ACCESS_TOKEN
    - jf rt download "libs-snapshot-local/*.jar" ./target/
    - jf audit --fail=true --min-severity=High
  rules:
    - if: $CI_PIPELINE_SOURCE == "merge_request_event"

Jenkins Pipeline

pipeline {
    agent any

    stages {
        stage('Build') {
            steps {
                rtServer (
                    id: "ARTIFACTORY_SERVER",
                    url: "${ARTIFACTORY_URL}",
                    credentialsId: "artifactory-credentials"
                )
                rtMavenDeployer (
                    id: "MAVEN_DEPLOYER",
                    serverId: "ARTIFACTORY_SERVER",
                    releaseRepo: "libs-release-local",
                    snapshotRepo: "libs-snapshot-local"
                )
                rtMavenRun (
                    pom: 'pom.xml',
                    goals: 'clean install',
                    deployerId: "MAVEN_DEPLOYER"
                )
            }
        }

        stage('Xray Scan') {
            steps {
                xrayScan (
                    serverId: "ARTIFACTORY_SERVER",
                    buildName: "${JOB_NAME}",
                    buildNumber: "${BUILD_NUMBER}",
                    failBuild: true
                )
            }
        }
    }
}

Setup

Choose deployment – Select JFrog Cloud (SaaS) for fastest setup, or self-hosted via Docker/Helm for on-premises control.

Connect to Artifactory – Xray requires Artifactory. Configure the connection and select which repositories to index.

Define policies – Create security and license policies with severity thresholds, specific CVE blocks, and license restrictions.

Enable scanning – Set up watches on repositories, builds, or release bundles to trigger automatic scanning.

When to use JFrog Xray

Xray is the right choice when you already use Artifactory and want security scanning tightly integrated with your artifact management. It scans what actually gets deployed, not just what’s in source code.

Strengths:

Binary-level analysis of actual deployment artifacts
4M+ malicious package detection database
Impact analysis across your entire artifact repository
Policy gates that block vulnerable downloads
Supports virtually every package type

Limitations:

Requires JFrog Artifactory (not standalone)
Commercial only, no free tier
Heavier setup compared to CLI-based scanners

Best for

Teams using JFrog Artifactory who need binary-level security scanning integrated with their artifact management. Xray ensures what you test is what you ship.

How it compares:

vs.	Key difference
Snyk Open Source	Snyk scans source manifests and offers automated fix PRs. Xray scans compiled artifacts in Artifactory with binary-level analysis.
Sonatype Lifecycle	Both offer repository-level scanning. Sonatype has its own repository manager; Xray is built for the JFrog ecosystem.
Grype	Grype is a free CLI scanner without artifact management integration. Xray adds policy enforcement and impact analysis tied to Artifactory.

Learn more in our guides on What is SCA? and software supply chain security.

Frequently Asked Questions

What is JFrog Xray?

JFrog Xray is a binary-level SCA tool that scans compiled artifacts stored in JFrog Artifactory for security vulnerabilities, license risks, and malicious packages. It recursively analyzes all layers and dependencies of Docker images, JAR files, npm packages, and other artifact types.

Does JFrog Xray require Artifactory?

Yes, Xray runs as part of the JFrog Platform and requires Artifactory. It scans artifacts stored in Artifactory repositories, which is what enables binary-level analysis of what actually gets deployed rather than just source code.

How does Xray's impact analysis work?

When a new CVE is disclosed, Xray immediately identifies every artifact in your Artifactory instance that contains the affected component. It traces through builds, releases, and deployments to show your complete exposure across the organization.

Is JFrog Xray free?

JFrog Xray requires a Pro X, Enterprise X, or Enterprise+ subscription. There is no free tier, though JFrog offers a free cloud trial. For free SCA alternatives, consider Grype, OWASP Dependency-Check, or Trivy.