We have Artifactory and Xray for our developers and we have Azure DevOps pipelines integrated with these tools where the builds are scanned for each pipeline execution.
But when developers are doing local builds from their development workstations they also need to be scanned before merging to the repos in ADO.
So we are looking for some possibility where the developers are able to connect to Xray from their IDE client itself.
They are using IDEs like Visual Studio and Visual Studio Code and need to run the local builds of NuGet, Maven, Gradle, Android, iOS, Node...
Can anyone suggest how this can be achieved from IDEs or CLIs (JFrog CLI, Git Bash, etc.)?
2 Answers
You can use the JFrog VS Code Extension which allows you to scan project dependencies using JFrog Xray in VS Code.
It allows developers to view panels displaying vulnerability information about the components and their dependencies directly in their VS Code IDE. The extension also allows developers to track the status of the code while it is being built, tested and scanned on the CI server.
JFrog provides plugins for many popular IDEs (not only Visual Studio Code).
https://www.jfrog.com/confluence/display/JFROG/IDE+Integration
This works quite nicely, but the project must be configured: e.g. Python packages must use a virtual environment, and for NodeJS it uses package.json. You can mostly find vulnerable packages just before pushing anything to the build tool.
VSC example view:
Another option is to use JFrog CLI: here the code is packed locally as a tar file and sent directly to Xray. Results are displayed in the CLI. This is named "Scanning Files on the Local File System" and is rather used for already compiled software like Docker containers, jar files, etc.
https://www.jfrog.com/confluence/display/CLI/CLI+for+JFrog+Xray#CLIforJFrogXray-ScanningFilesontheLocalFileSystemScanningFiles
Another nice thing is that for personal use you can get a free Artifactory + Xray cloud account and use this instance for vulnerability scans.
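One way to make the JFrog CLI local-file scan described in the answer above a gate on the developer's push rather than a manual step, as an added example (not code from the answer or from JFrog): a git pre-push hook that scans each locally built artifact with Xray and refuses the push if the scan fails. It assumes JFrog CLI v2 is installed and configured and that `jf scan <path>` is the local-file scan command; SCAN_CMD overrides that command (check the exact command and flags against the linked CLI docs for your CLI version).

```shell
#!/bin/sh
# Added example: git pre-push hook gating the push on a JFrog Xray local scan.
# Assumption (not from the original answer): `jf scan <path>` scans a file or
# directory with Xray and exits non-zero on policy violations or scan errors.
# SCAN_CMD may be overridden, e.g. to point at a stub in tests.
SCAN_CMD="${SCAN_CMD:-jf scan}"

# scan_artifact PATH: run the Xray scan on one built artifact.
# Returns 2 if the artifact is missing, otherwise the scanner's exit status.
scan_artifact() {
    artifact="$1"
    if [ ! -e "$artifact" ]; then
        echo "pre-push: artifact not found: $artifact" >&2
        return 2
    fi
    $SCAN_CMD "$artifact"
}

# gate_push ARTIFACT...: scan every artifact; block the push on the first
# failure (returns 1) so nothing unscanned reaches the shared repo.
gate_push() {
    for a in "$@"; do
        if ! scan_artifact "$a"; then
            echo "pre-push: blocked, Xray scan failed for $a" >&2
            return 1
        fi
    done
    echo "pre-push: all artifacts passed the Xray scan"
    return 0
}

# Hook entry point. git passes no artifact list to pre-push, so the build
# outputs to scan (jar, nupkg, apk, image tar, ...) come from the ARTIFACTS
# environment variable, space-separated, e.g. set by the local build script.
if [ -n "$ARTIFACTS" ]; then
    gate_push $ARTIFACTS || exit 1
fi
```

Install it as .git/hooks/pre-push (executable) and have the local build script export ARTIFACTS with the files it produced.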