JFrog Xray Reviews

I work with JFrog Xray. I use JFrog as an Artifactory registry and package registry.

In JFrog Xray, there are many artifactories. I can configure tokens for each repository and give access to specific repositories which is very valuable. For example, we have three to four developers who want to push their images in the artifact. I can restrict specific developers to push images and give access to specific repositories. JFrog Xray also allows us to create NuGet packages, which other Artifactories do not provide.

With Xray, when I have uploaded images for multiple architecture images, I can use it to figure out which architecture I have built the image and pushed into JFrog. For example, when deploying our application in Kubernetes, we have two node groups for AMD architecture and ARM architecture images. Building images in ARM is less costly than AMD. It bifurcates so if we want to deploy images from the ARM architecture, we can deploy only the ARM specific images. We don't have to create for AMD as well. From Xray, I can determine which images are ARM architecture builds and AMD architecture builds.

I exclusively used the official documentation of JFrog Xray.

For JFrog Xray, the Artifactory and package repositories are valuable features.

There are many benefits from JFrog Xray. For example, with other registries such as ECR, we can use the images only in the AWS cloud. With JFrog, we can use this registry from any cloud or work locally as well. JFrog can support multiple packages, such as NuGet package, pip, and other technologies. It can be used for Terraform as well. The credential management is very easy in JFrog.

For instance, when using GitHub action as a CI/CD tool, I just need to create a token and set up JFrog CLI there and give access to the repository. With multiple repositories, I can generate a token for a specific repository, add that token in the GitHub secret, fetch from the CI/CD, run the command JFrog CLI, and authenticate through the token. Then we can push the images into JFrog.

The UI of JFrog Xray could be improved. There is a dialogue box in the Xray section that doesn't always work properly. When we have given a very long tag, it doesn't work as expected and requires excessive scrolling.

I have been working with JFrog Xray for one year.

I didn't use JFrog Xray metrics and dashboards. I have worked on JFrog only to store images and packages.

From a security perspective, JFrog Xray is very good. I use JFrog Xray primarily for security purposes, and I find it reliable. I haven't faced any security issues so far.

According to my use case, it is highly scalable. Whatever JFrog Xray is providing me currently meets my needs, and I don't have any drawbacks using JFrog.

I didn't interact with the customer services of JFrog Xray because my admin person handles everything.

Positive

I only explored JFrog Artifactory and ECR for the AWS cloud. I haven't explored other Artifactory sections.

I don't have the admin access of JFrog Artifactory for JFrog Xray, so I didn't set it up myself. My colleague set up the JFrog Artifactory for me.

It is affordable because JFrog Xray provides a free trial of 14 days. We can explore all the features of JFrog in the free trial. The pricing is reasonable because we can manage all the images in a single place.

According to my use case, it is highly scalable. I don't think there are any drawbacks to using Xray as of now.

Some things are a bit difficult to find, but on a scale of 1-10, I would rate it seven to eight. This rating is based on my limited use of JFrog Xray, as there must be more features that I haven't explored yet.

My overall rating for JFrog Xray is 7 out of 10.

For JFrog Xray product, you can use it for two main goals: compliance and security. You can use it to check if your licenses are compliant, and you can check if your dependencies you want to use are malicious or dangerous or reliable, these kinds of things. It's a software to protect you from threats and to define the level of risk you're willing to take.

What I admire about JFrog Xray is that it says what it's supposed to do. I haven't tested any competitor, so it does the job for me.

I am utilizing the deep scanning capabilities in JFrog Xray product, and this feature is very handy because with other software, you don't know where the bad dependencies come from. JFrog Xray is accurate about this.

The policy-driven approach of JFrog Xray helped me maintain security standards by integrating it in the development pipeline. I get the information from the architect or security team and use the predefined rules a lot. Most of the licenses are already configured in JFrog Xray, and it's able to find most - I think it finds 300 something different licenses.

I would assess the integration of JFrog Xray with CI/CD tools as the weak point. You have two means to do that: one is using the API, or the other is using the command line from JFrog. That part is a bit of a sensitive topic because somehow you need to adapt your GitLab pipeline and turn them into JFrog pipeline, and this is something they don't really advertise at first—you're obliged to use the JFrog CLI.

Apart from this integration aspect, JFrog Xray does the job, but the user experience is not very good. The documentation is really poor. It's not the design; it's not user-friendly at all. You can't find the items in the menus. I think the UI needs improvement. It's not user-friendly, but it works very effectively.

Regarding the metrics and dashboards in JFrog Xray, the dashboard is fine, but it's about how you share that dashboard—you need extra permission. You can say each project can have its own dashboard and is responsible for the mistakes or the level of security they want, or you can have a person dedicated to security. At the moment, it's more a permission issue—how you set the permission properly, how do you give access to the dashboard or delegate. This needs improvement.

I have been working with JFrog Xray product for about three years.

We did experience crashes, downtimes, and performance issues with JFrog Xray. The support was great; we had to update a few components. Otherwise, it's really stable.

The support was great; we had to update a few components. Otherwise, it's really stable.

On a scale of 1 to 10, I would rate the technical support of JFrog Xray an eight because they are very knowledgeable.

Positive

I didn't evaluate any other options; I don't look at other competitors in the market exactly. Competitors include free tools, such as Trivy to scan Docker images or the common ones with npm to do your audit. JFrog Xray is a wrapper of those tools.

There were challenges when implementing JFrog Xray product because the rules are difficult to set. It took me more time than it should. The whole user experience thing is not very good.

I am utilizing the deep scanning capabilities in JFrog Xray product, and this feature is very handy because with other software, you don't know where the bad dependencies come from. JFrog Xray is accurate about this.

Given my experience with JFrog Xray, my advice to other organizations considering it for their environment is that they have to decide if they will go for that command-line tool. They really need to make a proof of concept for starting to work with it.

I rate JFrog Xray as a product a six out of ten.

Our primary use case for X-ray includes multiple activities such as security and vulnerability scanning. We already use Black Duck for these purposes, and we are evaluating how JFrog Xray can offer similar functionalities. Additionally, we're exploring its curation capabilities for machine language models in the financial industry.

Going with JFrog's suite of products helps us with tighter integration with Artifactory, potentially allowing us to phase out Black Duck. However, this is still premature, and we have a lot of exercises to conduct.

The most valuable features of JFrog Xray are its curation capabilities, its native integration with Artifactory, scanning for vulnerabilities, and license compliance features. Additionally, having JFrog's suite of products provides a tighter integration with Artifactory, which is very beneficial for us.

X-ray needs improvement in supporting more than one database, as it currently only supports PostgreSQL. More support during troubleshooting sessions would also be beneficial.

We started using X-ray a few months ago and are still in the evaluation phase.

The out-of-the-box PostgreSQL provided is not stable, which is why we are considering enterprise support.

X-ray is scalable, but limitations exist with PostgreSQL as it only supports certain artifacts.

When we need clarifications, we contact our account manager, and they arrange demos. Overall, I would rate the support a seven.

Neutral

We already have Black Duck for security and vulnerability scanning.

The initial setup was straightforward, however, there are dependencies on using only one specific database.

We started with four people and roles involved include a tech lead, project manager, deployer, analyst, and a tester.

There is potential for operational benefits, particularly the tighter integration with Artifactory and the possibility of phasing out Black Duck, but it is still under evaluation.

The basic scanning capabilities come with Artifactory, however, curation requires additional licenses. My senior management handles the cost aspects.

We are evaluating X-ray alongside Black Duck and have noted differences. Details of other solutions were not provided.

On a scale of one to ten, I would rate the overall solution as six or seven out of ten. It is too early for us to provide a definitive rating.

We use this solution to identify vulnerabilities in the dependency file. We have the Artifactory package which integrates with Xray-like plugins. We can automatically plug this tool into Xray to conduct vulnerability analysis.

If you are using an older version of the solution, there might be some vulnerabilities. JFrog Xray shows us a list of vulnerabilities that can impact our code. It will ask us to update to the latest version. Our team will review the information and validate it. Then, we will analyze the results and, if necessary, migrate to the latest version to remove those vulnerabilities.

We use a pipeline, specifically Jenkins for our Kubernetes development cycle, the JFrog Xray Accelerator plays a crucial role. In the pipeline, this Accelerator halts the code progression to production. Therefore, it prevents the code from advancing from the pre-production environment to the production environment in cases of critical issues. The system generates notifications for the development team, enabling them to decide internally, in consultation with the tech leads, whether to proceed to the next stage or halt the process.

JFrog Xray has many policies, settings, and rules embedded.

JFrog's Artifactory contains all the dependency files. For instance, if a team is developing an application using Java, they might require certain dependency files. They can obtain all the artifacts from JFrog's Artifactory without accessing the internet, which securely stores these files. The application can retrieve the necessary files from there. Xray is a tool designed to ensure that all artifacts within JFrog's Artifactory are clean. It scans for vulnerabilities and flags them. Based on predefined rules that could potentially harbor vulnerabilities, the Accelerator tool notifies the development team, enabling them to review and fix any issues in the library.

There is a tool called DefectDojo for reporting. Reporting is crucial, but it is lacking in the current tool. Every organization seeks specific data points rather than general information. Therefore, we require customized reports from the Xray tool.

I have been using JFrog Xray for six months.

The product is stable.

I rate the solution’s stability a ten out of ten.

The solution has deployed more than 20-30 products. These are small applications, around 200-300 applications might onboarded to the desktop pipeline.

There were no issues during setup. Vendors were waiting for licensing and to get the tool onboard. Our development team comprises of 15-20 people.

My role involves coordinating work and ensuring smooth progress, as well as conducting research and analysis. I don't focus on heavy coding instead, I primarily work on the data and database.

JFrog Xray has fixed a static issue where two versions were flagging major vulnerabilities. Additionally, it detects issues like file uploads, enabling the Accelerate tool to alert the development team promptly. They can then investigate CPE from the vulnerability system to understand the criticality, apply fixes, and implement necessary fixes. Xray is a valuable tool for capturing such issues efficiently, making it a handy tool for our development team.

When the development team reports to management, the tool assists in identifying and managing the flagged issues. Some can be marked as false positives, while others can be addressed promptly.

JFrog Xray is a useful tool. It helps us identify vulnerabilities in dependency libraries. I recommend others to give it a try and see how it can benefit them.

Overall, I rate the solution an eight out of ten.

We use JFrog Xray mostly for container scanning.

I like how JFrog Xray and Artifactory go well together. If you have everything in Artifactory, then the entire process of onboarding a project becomes very easy with JFrog Xray. You have to start the indexing, and you're good to go. People use a lot of Artifactory storage systems, but that's not really how it should be.

If multiple dependencies and vulnerabilities are found in a project, JFrog Xray is intelligent enough to tell you which vulnerability to target first. It helps you prioritize things for your project.

We could create any number of repositories, but we can create only thirty projects with JFrog Xray. If I want things to work, it has to be one project and multiple repositories that belong to different real projects. So I have a limitation of thirty projects, despite being a premium customer.

JFrog Xray does not have a dashboard. Although I am able to generate reports, there is no proper dashboard where I can see the total number of vulnerabilities, the total number of license issues, and how many vulnerabilities are fixed. Second, I found the shift left approach missing with JFrog Xray. JFrog Xray has integration with IDEs, but it does not tell you about the vulnerabilities until the artifact is created. However, Snyk could directly integrate with your repository and would not allow you to build unless you fix the problem.

I have been using JFrog Xray for four to five months.

I rate JFrog Xray an eight out of ten for stability.

I rate JFrog Xray an eight out of ten for scalability. We have plans to expand the number of users in our organization.

Currently, because we have not onboarded everybody, we have around 100 to 150 users using JFrog Xray in our organization. However, there will be more users once we onboard more projects.

JFrog Xray's technical support was always helpful.

Positive

Before JFrog Xray, we used the solution Snyk. JFrog Xray has better prioritization with respect to which vulnerability should be fixed first.

We switched to JFrog Xray because we already had JFrog Artifactory. JFrog Xray comes bundled along with the license we bought. We didn't want to have two tools that could do the same work.

The second reason was that we were indirectly paying extra for the tool Snyk, which was doing the same thing that JFrog Xray's capable of.

The third reason was that we needed to integrate Snyk with GitHub, GitLab, ACR, and GCR. However, with JFrog Xray, we have to integrate with Artifactory to standardize things much better by making people put all their artifacts into JFrog Artifactory.

Installing JFrog Xray is not a straightforward process. However, if you already have Artifactory in place, then it's simple.

Artifactory, which goes along with JFrog Xray, took almost a week to install, but JFrog Xray took two days to install. We need to maintain the OS and keep a check on the new versions released by JFrog Xray and Artifactory. One system administrator does the maintenance of JFrog Xray in our organization.

We are using the previous version of JFrog Xray.

We have recently moved to JFrog Xray and are onboarding all our projects into JFrog Xray. We are onboarding all our projects into Artifactory, and once everything is in Artifactory, we'll start the indexing. So we've already done the indexing for a few projects, which are being scanned. For others, we are still asking the different project people not to use ACR and GCR and move everything into Artifactory.

Overall, I rate JFrog Xray an eight out of ten.

We install Artifactory, and we run reports on a daily and monthly basis. JFrog Xray gives us the vulnerability report count in case of any issues with Artifactory. We introduced a new build saved into our pipeline that will try to scan an artifact before publishing it into Artifactory using JFrog Xray. In case of any vulnerabilities, the Python will be broken, and it will try to trigger another.

Previously, we used Checkmarx, but we didn't have a tool to scan artifacts before or after getting published in Artifactory. JFrog Xray fitted right into our pipeline for checking vulnerabilities and was the best solution we got on the market then.

JFrog Xray's reporting feature has a lot of options in it, including scanning. Long back, when we got a Java issue regarding remote code execution, I forgot the whole vulnerability issue. But these reports helped us to go through different dependencies. It can even go deep into the docker files and find out vulnerabilities. Other scanning tools won't go deep into this docker file or any other ZIP-related files and give us a complete account of vulnerabilities.

JFrog Xray's documentation and error logging could be improved.

JFrog Xray's technical support was really helpful, and they reached out to me quite fast.

Positive

We used to work with SonarQube and Checkmarx. We decided to use JFrog's new feature add-on rather than completely onboarding a new tool.

When we were trying to get it up and working initially, I found it a bit hard to go through JFrog Xray's documentation and get my error solved. I was facing some issues because we hadn't got a specific license for the tool, but I was able to access it. As a regular user, I regularly saw an error message saying that the license feature was unavailable for my subscription. After a couple of days, I realized I was missing a license. I had to go back to the JFrog Xray team, who provided me with the new license, and then I could complete the setup.

I was the only person involved with the deployment of JRog Xray.

JFrog Xray is easy to maintain, and two to three people worked on its maintenance. It is very easy to onboard JFrog Xray.

JFrog Xray has the extra stability to go deep into the artifact. It can go deep into the layers of a docker image or a JAR file. SonarQube and Checkmarx are used for different use cases, completely different from JFrog Xray.

Overall, I rate JFrog Xray an eight out of ten.

We are using JFrog Xray for identifying vulnerabilities.

JFrog Xray has helped us improve our architecture.

The most valuable feature of JFrog Xray is the display of the entire internal dependencies hierarchy.

The speed of JFrog Xray should improve. Other solutions have better performance.

JFrog Xray could improve by offering enhancements in the area of vulnerability management. It includes a more user-friendly interface that presents a detailed list of dependencies, including transitory dependencies. This empowers both developers and management to gain a deeper insight into the software's internal workings.

I have been using JFrog Xray for approximately three years.

JFrog Xray's stability is comparable with other solutions in the market, such as Nexus.

I rate the stability of JFrog Xray an eight out of ten.

We have approximately 900 people using this solution.

I rate the scalability of JFrog Xray a seven out of ten.

I have not used the support from the vendor.

I have used JFrog Xray and Nexus, and Nexus has better performance.

This is a good tool but there could be some improvements made. A newer version could be better.

I rate JFrog Xray a nine out of ten.

Our primary use case is for artifact storage, a repository, and image management. We also utilize JFROG X-ray for vulnerability scans.

I would say that this solution has helped our organization by allowing us to automate a lot of the processes.

The features I found most valuable are the watch policies and the ability to block vulnerabilities from getting into our environment.

I think that the user interface should be expanded to provide customers with a better dashboard for reviewing their feedback regarding their images and the vulnerabilities that are associated with the images. There should be a better user experience for customers. Also, site performance sometimes is really slow and this causes issues with automation.

I have been using this solution for a bit over one year.

I would rate the stability of this solution a seven, on a scale from one to 10, with one being the worst and 10 being the best.

I would say that automating the configuration when it comes to the watch policies or data itself is definitely scalable, but when it comes to performance, the solution is maybe not as scalable.

The initial setup process depends largely on the experience of the person doing the implementation. In our case, it was straightforward as the API docs are well outlined and they provide good documentation.

Regarding other people looking into this solution, I would definitely recommend this product. 

Overall, I would rate this solution an eight, on a scale from one to 10, with one being the worst and 10 being the best.

We primarily use the solution for vulnerability scanning. We're looking for vulnerabilities in open-source components. 

The quality of scanning has been good. Its reporting is good. 

It's very clear and understandable.

The solution is stable and reliable.

We find the product the be easy to set up.

It is scalable.

The pricing is reasonable. 

Since we have been using the solution via APIs, there are some limitations in the APIs. 

We've only used it for six months, so we need to explore it more before commenting on any missing features. 

I've been using the solution for six months. 

The solution is stable and reliable. I'd rate it nine out of ten. The performance is good. There are no bugs or glitches.

We have less than 100 users on the solution right now. They are IT specialists and developers. 

The scalability is good. I'd rate it eight out of ten. It's hard to estimate how much it can scale.

I have not used technical support. 

We started with Sonatype and have switched over to JFrog. We were already using another JFrog solution and decided to focus on product synergy.

The implementation is rather straightforward. I was not involved with the team directly. They deployed it themselves, and I didn't hear about any issues, and there were no deployment delays. 

The deployment itself took a couple of weeks. 

In terms of maintenance, one or two people maintain it. They do not maintain it full-time. They manage other tools as well. It's relatively minimal maintenance. 

Our own internal team handled the setup. We did not need the help of consultants or integrators. 

It's too early to estimate the ROI. 

I don't handle the licensing. I don't know the exact cost of the solution. The pricing is likely fair. I've looked at competitive products and recall Xray being among the lower in terms of cost. I'd rate the pricing five out of ten. 

I'm an end-user. 

We're likely using a version that is the latest or close to the latest. 

I'd recommend the solution to others. There haven't been any disappointments so far. 

I'd rate the solution eight out of ten. It's done what is expected so far. 

I'm using this solution for scanning artifacts related to the Jfrog Artifactory. I'm scanning them, checking licenses and things like that. I'm a DevOps engineer intern and we are customers of JFrog. 

I would say the reporting functionalities are pretty good as are the policy watches. I like them a lot.

I'd like to see deeper reporting, they're pretty basic and there are no categories for comparing things. I'd also like to see an improvement with the documentation, there's not much available on their website. 

I've been using this solution for a couple of months. 

This solution is stable.

The solution is scalable.

I wasn't involved in the setup but I heard from my team that they faced some issues although I don't know what they were. We had a great consultant working with us and they solved the problems.