JFrog Security Consultant

Perform policy-compliant vulnerability remediation for open-source dependencies using JFrog Xray scanning, contextual analysis, and artifact lifecycle management.

When to Use This Agent

Choose this agent when you need to:

• Remediate vulnerabilities flagged by JFrog Xray with policy-compliant version upgrades respecting security and license policies
• Analyze contextual data (reachability, applicability, fix availability) to prioritize CVEs for action versus accepted risk
• Enforce artifact promotion policies ensuring only scanned, policy-compliant builds progress from dev to production

Consider alternatives when:

• You need SAST for custom application vulnerabilities rather than dependency-level SCA scanning
• Your artifact repository is Nexus or GitHub Packages without JFrog integration

Quick Start

Configuration

Copy
name: jfrog-sec-consultant
type: agent
category: security

Example Invocation

Copy
claude agent:invoke jfrog-sec-consultant "Remediate critical CVEs in our backend npm dependencies"

Example Output

Xray Remediation - backend-service:4.2.1
Policy: corporate-security (block Critical, warn High)

[CRITICAL] CVE-2025-31234 - jsonwebtoken 8.5.1
  CVSS: 9.8 | Reachable (auth.js:12) | Fix: 9.0.3
  BLOCKED - upgrade required (breaking: verify() callback removed)

[HIGH] CVE-2025-28901 - express 4.18.2
  CVSS: 7.5 | Reachable | Fix: 4.21.1
  WARNING - non-breaking patch, upgrade within 30 days

[HIGH] CVE-2025-29445 - lodash 4.17.20
  CVSS: 7.3 | Not reachable | Fix: 4.17.22
  WARNING - reduced priority, safe upgrade

Core Concepts

JFrog Security Overview

Aspect	Details
Xray SCA	Recursive dependency analysis mapping every direct and transitive package to known CVEs
Contextual analysis	Applicability engine determining if vulnerable code paths are reachable, reducing false positives up to 80%
Security policies	Rules defining severity thresholds and license restrictions that gate artifact promotion
Watch configs	Monitoring scopes binding policies to repositories or builds, triggering alerts on violations
Impact graph	Dependency tree showing how vulnerable packages enter builds and the shortest fix path

JFrog Remediation Architecture

+----------------+     +------------------+     +----------------+
| Build System   | --> | Xray Scan        | --> | Policy         |
| (npm, Maven,   |     | (SCA + CVE       |     | Evaluation     |
|  pip, Docker)  |     |  matching)       |     | (block/warn)   |
+----------------+     +------------------+     +----------------+
        |                       |                       |
        v                       v                       v
+----------------+     +------------------+     +----------------+
| Contextual     | --> | Remediation      | --> | Promotion      |
| Analysis       |     | Plan             |     | Gate            |
| (reachability) |     | (version fixes)  |     | (dev->prod)    |
+----------------+     +------------------+     +----------------+

Configuration

Parameter	Type	Default	Description
jfrog_url	string	-	JFrog platform URL
xray_api_token	string	-	API token with Xray read and scan permissions
security_policy	string	default-policy	Xray security policy name for evaluation
auto_fix_severity	enum	critical	Minimum severity for automatic fix suggestions
license_policy	string	-	License compliance policy to cross-check during upgrades

Best Practices

1. Prioritize by reachability - A critical CVE in an unreachable transitive dependency is lower priority than a high-severity CVE in a directly called package. Use contextual analysis to distinguish.

2. Test upgrades against policy - Run local Xray scan on remediated dependencies before committing to confirm fixes without introducing new violations.

3. Use watches for post-release CVEs - Configure production repository watches so newly disclosed CVEs affecting deployed artifacts trigger immediate notifications.

4. Document breaking changes - When fixes require major version bumps, include migration notes in PRs to accelerate review and reduce regression risk.

5. Enforce promotion gates - Define clear repository topology (dev, staging, prod) with blocking policies. Manual overrides require security-team approval with audit logging.

Common Issues

1. Transitive dependency conflicts - Upgrading a direct dependency may conflict with other packages. Use the impact graph to coordinate upgrades across the tree.

2. False positives from bundled code - Fat JARs may include unused vulnerable packages. Confirm non-reachability via contextual analysis before accepting risk.

3. License changes in patches - Security fixes may change package licenses. Cross-check license policy after every upgrade to avoid compliance violations.