JFrog Xray provides static application testing capabilities by scanning the application components for vulnerabilities against the VulnDB vulnerability database. Xray also provides security policy enforcement and capability to monitor for license compliance. Xray integrates with IDEs such as IntelliJ and allows developers to view security issues in the dev environment.
Summary Comparison
| Capability | GitLab | JFrog X-Ray |
|---|---|---|
| SAST | Yes | Yes |
| Dependency Scanning | Yes | Yes |
| Container Scanning | Yes | Yes |
| License Compliance | Yes | Yes |
| Auto Remediation | Yes | Yes |
| DAST | Yes | No |
| Secrets Detection | Yes | No |
| API Fuzzing | Yes | No |
| Coverage Fuzzing | Yes | No |
| IAST | No | No |
JFrog X-Ray Strengths
- Security scanning during development and after binaries are built.
- Ability to restrict downloads of artifacts deemed not in compliance with license or security policies.
JFrog X-Ray Gaps
- Dynamic Application Security Testing. Xray does not extend into the post deployment phase.
- Cannot detect secrets within code.
- Developers have to go back and forth from the IDE to Xray UI to manage security.
Similarities between JFrog X-Ray and GitLab
| Capability | Description |
|---|---|
| SAST | Xray provides SAST capabilities and integrates with other IDEs. It uses VulnDB for security vulnerability information |
| Container Scanning | Xray scans containers and binaries by unpacking the dependency information. |
| Policy Enforcement | Can define Security and License policies. Rules are added with defined criteria. When a condition is met it can trigger a webhook for response. X-Ray also has built in capability to prevent downloads that violate policies. |
| License Compliance | Licensing policies for software components. X-Ray will identify and trigger a notification/response. |