JFrog Visual Studio Code Extension
The cost of remediating a vulnerability is akin to the cost of fixing a bug: the earlier you remediate a vulnerability in the release cycle, the lower the cost. JFrog Xray is instrumental in flagging components when vulnerabilities are discovered in production systems at runtime, or even sooner, during development.
The JFrog VS Code Extension adds JFrog Xray scanning of npm, Go and Python project dependencies to your VS Code IDE. It allows developers to view panels displaying vulnerability information about the components and their dependencies directly in their VS Code IDE. With this information, a developer can make an informed decision on whether to use a component or not before it gets entrenched into the organization’s product.
Viewing Project Dependencies Information
View the dependencies used by the project in a tree, where the direct dependencies are at the top:
The JFrog extension automatically triggers a scan of the project's npm dependencies whenever a change in the package-lock.json file is detected. To invoke a scan manually, click on the Refresh button or click on Start Xray Scan from within the editor:
View existing issues:
View licenses directly from within the package.json, requirements.txt or go.mod:
View additional information about a dependency:
View dependency in package.json, requirements.txt or go.mod:
Search for a dependency in the tree:
To filter scan results, click on the Filter button:
Configuring JFrog Xray
Connect to JFrog Xray by clicking on the green Connect button:
If your JFrog Xray instance is behind an HTTP/S proxy, follow these steps to configure the proxy server:
If your proxy server requires credentials, follow these steps:
Exclude Paths from Scan
By default, paths containing the words
To open the extension settings, use the following VS Code menu command:
Behind the scenes, the extension builds the npm dependencies tree by running
Important: To have your project dependencies scanned by JFrog Xray, make sure the npm CLI is installed on your local machine and that it is in your system PATH. In addition, the project dependencies must be installed using npm.
Behind the scenes, the extension builds the Go dependencies tree by running
Behind the scenes, the extension builds the Pypi dependencies tree by running
View the extension log:
The extension is licensed under Apache License 2.0.
Building and Testing the Sources
To build the extension sources, please follow these steps:
After the build finishes, you'll find the vsix file in the jfrog-vscode-extension directory. The vsix file can be loaded into VS Code.
To run the tests:
We welcome community contribution through pull requests.