JFrog Xray REST API

API for vulnerability scanning, license compliance, and impact analysis. Provides Software Composition Analysis capabilities tightly integrated with Artifactory to ensure security and compliance governance.

OpenAPI Specification

jfrog-xray-openapi.yml Raw ↑
# OpenAPI dialect of this document. Quoted so that every YAML loader keeps the
# value a string.
openapi: '3.1.0'
info:
  title: JFrog Xray REST API
  # `3.x` names a major line, not an exact release. The running build can be
  # read back from GET /v1/system/version (defined under `paths`).
  version: '3.x'
  description: >-
    API for vulnerability scanning, license compliance, and impact analysis.
    JFrog Xray provides universal software composition analysis (SCA) that
    natively integrates with Artifactory to scan artifacts for known
    vulnerabilities, license compliance violations, and operational risks.
  termsOfService: https://jfrog.com/terms-of-service/
  contact:
    name: JFrog
    url: https://jfrog.com
  license:
    name: Proprietary
    url: https://jfrog.com/terms-of-service/
# Pointer to the vendor's reference documentation for this API.
externalDocs:
  url: https://www.jfrog.com/confluence/display/JFROG/Xray+REST+API
  description: JFrog Xray REST API Documentation
# Base URLs. Both templates fix the scheme to https, so the credentials
# declared under `components.securitySchemes` are never described as travelling
# over plain HTTP by this document.
servers:
  # Hosted offering: only the tenant label varies.
  - description: JFrog Cloud
    url: https://{server}.jfrog.io/xray/api
    variables:
      server:
        description: Your JFrog server name
        default: myserver
  # Self-managed deployment: `host` is free-form (no `enum`), so it accepts any
  # host[:port]. Quoted because the value contains a colon.
  - description: Self-hosted JFrog instance
    url: https://{host}/xray/api
    variables:
      host:
        description: Your self-hosted JFrog server host
        default: 'localhost:8082'
# Document-level security requirement. The two list entries are alternatives:
# a request satisfies it with EITHER a bearer token OR basic credentials.
# No operation in this document overrides it with its own `security` key, and
# none documents a 401 or 403 response.
# NOTE(review): clients generated from this file get no typed auth-failure
# response; confirm the actual status codes against the server.
security:
  - bearerAuth: []
  - basicAuth: []
# Grouping labels referenced by the `tags` list of each operation.
tags:
  - name: 'Components'
    description: 'Component details and vulnerability information'
  - name: 'Ignore Rules'
    description: 'Rules for ignoring specific vulnerabilities'
  - name: 'Policies'
    description: 'Security and license compliance policies'
  - name: 'Reports'
    description: 'Vulnerability and compliance reports'
  - name: 'Scanning'
    description: 'On-demand scanning operations'
  - name: 'Summary'
    description: 'Artifact and build vulnerability summaries'
  - name: 'System'
    description: 'Xray system information and health'
  - name: 'Violations'
    description: 'Policy violations management'
  - name: 'Watches'
    description: 'Watch policies for monitoring artifacts'
paths:
  # Reachability check. There is no operation-level `security` key, so the
  # document-level requirement applies to this operation as written.
  /v1/system/ping:
    get:
      tags:
        - System
      summary: JFrog System Ping
      description: Returns a simple ping response indicating Xray is accessible.
      operationId: systemPing
      responses:
        "200":
          description: Xray is accessible
          content:
            application/json:
              schema:
                type: object
                properties:
                  status:
                    example: pong
                    type: string
  # Reports the server's version and revision strings. Useful for checking
  # which build a client is talking to before relying on a given endpoint.
  /v1/system/version:
    get:
      tags:
        - System
      summary: JFrog Get System Version
      description: Returns the Xray version and revision information.
      operationId: getSystemVersion
      responses:
        "200":
          description: Version info retrieved
          content:
            application/json:
              schema:
                type: object
                properties:
                  xray_revision:
                    type: string
                  xray_version:
                    type: string
  # Lookup of vulnerability and license data for a list of component IDs.
  # POST is used for a read-only query; the IDs travel in the JSON body.
  /v1/component:
    post:
      tags:
        - Components
      summary: JFrog Get Component Details
      description: Returns vulnerability and license information for specified components.
      operationId: getComponentDetails
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - component_details
              properties:
                component_details:
                  type: array
                  # The array itself is required, but no `minItems` is set and
                  # `component_id` is not required inside each item, so an
                  # empty list or an empty object validates against this spec.
                  items:
                    type: object
                    properties:
                      component_id:
                        type: string
                        description: "Component ID in format type://name:version"
                        example: "npm://lodash:4.17.21"
      responses:
        "200":
          description: Component details retrieved
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: "#/components/schemas/ComponentDetail"
  # Security-issue and license summary for artifacts addressed by their
  # Artifactory paths.
  /v1/summary/artifact:
    post:
      tags:
        - Summary
      summary: JFrog Get Artifact Summary
      description: Returns a summary of security issues and license information for specified artifacts.
      operationId: getArtifactSummary
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - paths
              properties:
                paths:
                  description: List of artifact paths in Artifactory
                  type: array
                  # Free-form strings: no `pattern` or length limit is declared.
                  items:
                    type: string
      responses:
        "200":
          description: Artifact summary retrieved
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/ArtifactSummary"
  # Security-issue summary for one build, identified by name and number.
  # Note the snake_case field names here; /v2/ci/scan uses camelCase for the
  # same two identifiers.
  /v1/summary/build:
    post:
      tags:
        - Summary
      summary: JFrog Get Build Summary
      description: Returns a summary of security issues for specified build.
      operationId: getBuildSummary
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - build_name
                - build_number
              properties:
                build_name:
                  type: string
                # A string, not an integer.
                build_number:
                  type: string
      responses:
        "200":
          description: Build summary retrieved
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/BuildSummary"
  # Starts an on-demand scan of a build. The documented response carries only
  # an `info` string, so the scan outcome is not part of this response.
  /v2/ci/scan:
    post:
      tags:
        - Scanning
      summary: JFrog Scan Build (v2)
      description: Triggers an on-demand scan for a build.
      operationId: scanBuild
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - buildName
                - buildNumber
              properties:
                buildName:
                  type: string
                buildNumber:
                  type: string
                # Optional; omitted means `false`.
                rescan:
                  default: false
                  type: boolean
      responses:
        "200":
          description: Scan initiated
          content:
            application/json:
              schema:
                type: object
                properties:
                  info:
                    type: string
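  # Starts a scan of a single artifact addressed by its component ID.
  # The response carries only an `info` string, not the scan result.
  /v1/scanArtifact:
    post:
      operationId: scanArtifact
      summary: JFrog Scan Artifact
      description: Triggers a scan for a specific artifact by its component ID.
      tags:
        - Scanning
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              properties:
                componentID:
                  type: string
                  # Presumably the same type://name:version form documented on
                  # /v1/component; confirm against the server.
                  description: 'Component identifier in package type format'
              # The body is mandatory and `componentID` is its only field, so
              # mark it required, as the sibling operations do for their
              # identifying fields. Without this an empty `{}` body validates.
              required:
                - componentID
      responses:
        '200':
          description: Scan initiated
          content:
            application/json:
              schema:
                type: object
                properties:
                  info:
                    type: string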
  # Collection endpoint for watches: list all, or create one.
  /v2/watches:
    get:
      tags:
        - Watches
      summary: JFrog List Watches
      description: Returns a list of all configured watches.
      operationId: listWatches
      responses:
        "200":
          description: Watches list retrieved
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: "#/components/schemas/Watch"
    # A watch binds resources to policies, so creating one changes what is
    # monitored. Only 201 and 400 are documented; no response body schema is
    # given for either.
    post:
      tags:
        - Watches
      summary: JFrog Create Watch
      description: Creates a new watch for monitoring artifacts.
      operationId: createWatch
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: "#/components/schemas/Watch"
      responses:
        "201":
          description: Watch created
        "400":
          description: Invalid watch configuration
  # Single-watch endpoint: read, replace, or remove the watch named in the path.
  /v2/watches/{watchName}:
    # Declared once at path level; OpenAPI applies path-level parameters to
    # every operation below. The name is an unconstrained string (no `pattern`).
    parameters:
      - name: watchName
        in: path
        required: true
        description: Watch name
        schema:
          type: string
    get:
      tags:
        - Watches
      summary: JFrog Get Watch
      description: Returns configuration for a specific watch.
      operationId: getWatch
      responses:
        "200":
          description: Watch details retrieved
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/Watch"
    # The body is a full Watch object; the name also appears inside it
    # (`general_data.name`). How a mismatch with the path is handled is not
    # stated here.
    put:
      tags:
        - Watches
      summary: JFrog Update Watch
      description: Updates an existing watch configuration.
      operationId: updateWatch
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: "#/components/schemas/Watch"
      responses:
        "200":
          description: Watch updated
    # Removing a watch stops the monitoring it configured. Only the success
    # response is documented (no not-found or auth-failure response).
    delete:
      tags:
        - Watches
      summary: JFrog Delete Watch
      description: Removes a watch configuration.
      operationId: deleteWatch
      responses:
        "200":
          description: Watch deleted
  # Collection endpoint for policies: list all, or create one.
  /v2/policies:
    get:
      tags:
        - Policies
      summary: JFrog List Policies
      description: Returns a list of all security and license policies.
      operationId: listPolicies
      responses:
        "200":
          description: Policies list retrieved
          content:
            application/json:
              schema:
                type: array
                items:
                  $ref: "#/components/schemas/Policy"
    # Policies carry enforcement actions (see `actions` in the Policy schema),
    # so this operation changes what gets blocked or failed. Only 201 and 400
    # are documented.
    post:
      tags:
        - Policies
      summary: JFrog Create Policy
      description: Creates a new security or license compliance policy.
      operationId: createPolicy
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: "#/components/schemas/Policy"
      responses:
        "201":
          description: Policy created
        "400":
          description: Invalid policy configuration
  # Single-policy endpoint: read, replace, or remove the policy named in the
  # path.
  /v2/policies/{policyName}:
    # Declared once at path level; OpenAPI applies path-level parameters to
    # every operation below. The name is an unconstrained string (no `pattern`).
    parameters:
      - name: policyName
        in: path
        required: true
        description: Policy name
        schema:
          type: string
    get:
      tags:
        - Policies
      summary: JFrog Get Policy
      description: Returns details of a specific policy.
      operationId: getPolicy
      responses:
        "200":
          description: Policy details retrieved
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/Policy"
    # The body is a full Policy object, including its rules and actions, so an
    # update can loosen as well as tighten enforcement.
    put:
      tags:
        - Policies
      summary: JFrog Update Policy
      description: Updates an existing policy.
      operationId: updatePolicy
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: "#/components/schemas/Policy"
      responses:
        "200":
          description: Policy updated
    # Only the success response is documented. Whether a policy still assigned
    # to a watch can be removed is not stated here.
    delete:
      tags:
        - Policies
      summary: JFrog Delete Policy
      description: Removes a policy.
      operationId: deletePolicy
      responses:
        "200":
          description: Policy deleted
  # Filtered, paginated query over policy violations. POST is used for a read;
  # filters and paging travel in the JSON body.
  /v1/violations:
    post:
      tags:
        - Violations
      summary: JFrog Get Violations
      description: Returns violations based on specified filters.
      operationId: getViolations
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              # No `required` list: both `filters` and `pagination` are
              # optional, so `{}` validates against this spec.
              properties:
                filters:
                  type: object
                  properties:
                    type:
                      type: string
                      enum:
                        - security
                        - license
                        - operational_risk
                    watch_name:
                      type: string
                    min_severity:
                      type: string
                      enum:
                        - Low
                        - Medium
                        - High
                        - Critical
                    created_from:
                      type: string
                      format: date-time
                pagination:
                  type: object
                  properties:
                    # Free-form string; the accepted sort keys are not listed.
                    order_by:
                      type: string
                    # Neither `limit` nor `offset` declares a `minimum` or
                    # `maximum`, so negative or very large values validate.
                    # NOTE(review): confirm the server-side cap before paging
                    # through large result sets.
                    limit:
                      type: integer
                    offset:
                      type: integer
      responses:
        "200":
          description: Violations retrieved
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/ViolationsResponse"
  # Starts generation of a vulnerability report. The response returns a
  # `report_id` and a `status` string; progress is read from
  # GET /v1/report/{reportId}.
  /v1/report/vulnerabilities:
    post:
      tags:
        - Reports
      summary: JFrog Generate Vulnerability Report
      description: Generates a vulnerability report for specified scope.
      operationId: generateVulnerabilityReport
      requestBody:
        required: true
        content:
          application/json:
            schema:
              type: object
              required:
                - name
                - resources
              properties:
                name:
                  type: string
                # Scope of the report. Only `repositories` is described here.
                resources:
                  type: object
                  properties:
                    repositories:
                      type: array
                      items:
                        type: object
                        properties:
                          name:
                            type: string
                filters:
                  type: object
                  properties:
                    # Plain strings: unlike `min_severity` elsewhere in this
                    # document, no `enum` constrains the values.
                    severity:
                      type: array
                      items:
                        type: string
                    has_remediation:
                      type: boolean
      responses:
        "200":
          description: Report generation started
          content:
            application/json:
              schema:
                type: object
                properties:
                  report_id:
                    type: integer
                  status:
                    type: string
  # Single-report endpoint: poll status, or delete the generated report.
  /v1/report/{reportId}:
    # Declared once at path level; OpenAPI applies path-level parameters to
    # every operation below. Integer IDs match the `report_id` returned by
    # POST /v1/report/vulnerabilities.
    parameters:
      - name: reportId
        in: path
        required: true
        description: Report ID
        schema:
          type: integer
    get:
      tags:
        - Reports
      summary: JFrog Get Report Status
      description: Returns the status and details of a report.
      operationId: getReportStatus
      responses:
        "200":
          description: Report status retrieved
          content:
            application/json:
              schema:
                type: object
                properties:
                  id:
                    type: integer
                  name:
                    type: string
                  status:
                    type: string
                    enum:
                      - pending
                      - running
                      - completed
                      - failed
    # Only the success response is documented.
    delete:
      tags:
        - Reports
      summary: JFrog Delete Report
      description: Deletes a generated report.
      operationId: deleteReport
      responses:
        "200":
          description: Report deleted
  # Collection endpoint for ignore rules: list all, or create one.
  /v1/ignore_rules:
    # The list is wrapped in a `data` array; no paging fields are described.
    get:
      tags:
        - Ignore Rules
      summary: JFrog List Ignore Rules
      description: Returns all ignore rules configured in Xray.
      operationId: listIgnoreRules
      responses:
        "200":
          description: Ignore rules retrieved
          content:
            application/json:
              schema:
                type: object
                properties:
                  data:
                    type: array
                    items:
                      $ref: "#/components/schemas/IgnoreRule"
    # An ignore rule suppresses findings, so creation is worth auditing.
    # The IgnoreRule schema declares no required fields: `notes` and
    # `expiration_date` are optional and no scope field is mandatory.
    # NOTE(review): confirm what the server accepts for an unscoped or
    # non-expiring rule, and review such rules periodically.
    post:
      tags:
        - Ignore Rules
      summary: JFrog Create Ignore Rule
      description: Creates a new ignore rule for a specific vulnerability or license.
      operationId: createIgnoreRule
      requestBody:
        required: true
        content:
          application/json:
            schema:
              $ref: "#/components/schemas/IgnoreRule"
      responses:
        "201":
          description: Ignore rule created
          content:
            application/json:
              schema:
                type: object
                properties:
                  id:
                    type: string
  # Single-rule endpoint: read or delete one ignore rule. No update operation
  # is defined for this path in this document.
  /v1/ignore_rules/{ruleId}:
    # Declared once at path level; OpenAPI applies path-level parameters to
    # every operation below. String IDs match the `id` returned on creation.
    parameters:
      - name: ruleId
        in: path
        required: true
        description: Ignore rule ID
        schema:
          type: string
    get:
      tags:
        - Ignore Rules
      summary: JFrog Get Ignore Rule
      description: Returns a specific ignore rule.
      operationId: getIgnoreRule
      responses:
        "200":
          description: Ignore rule retrieved
          content:
            application/json:
              schema:
                $ref: "#/components/schemas/IgnoreRule"
    # Only the success response is documented.
    delete:
      tags:
        - Ignore Rules
      summary: JFrog Delete Ignore Rule
      description: Deletes an ignore rule.
      operationId: deleteIgnoreRule
      responses:
        "200":
          description: Ignore rule deleted
components:
  # Both schemes use the HTTP Authorization header. Neither declares scopes or
  # roles, so this document does not say which privilege each operation needs.
  securitySchemes:
    # No `bearerFormat` hint is given for the token.
    bearerAuth:
      description: Access token authentication
      type: http
      scheme: bearer
    # Basic credentials are base64-encoded, not encrypted, and the account
    # password is resent on every request; confidentiality rests on the https
    # scheme of the server URLs. Prefer access tokens for automation.
    basicAuth:
      description: Basic username/password authentication
      type: http
      scheme: basic
  schemas:
    # One entry of the POST /v1/component response: identity, licenses and
    # known vulnerabilities of a component. No field is marked required.
    ComponentDetail:
      type: object
      properties:
        component_id: {type: string}
        component_name: {type: string}
        package_type: {type: string}
        version: {type: string}
        licenses:
          type: array
          items:
            type: object
            properties:
              name: {type: string}
              full_name: {type: string}
              # An array of URIs despite the singular name.
              more_info_url:
                type: array
                items: {type: string, format: uri}
        vulnerabilities:
          type: array
          items:
            $ref: "#/components/schemas/Vulnerability"
    # A single known vulnerability attached to a component.
    Vulnerability:
      type: object
      properties:
        # Free-form string: no `pattern` enforces an identifier format.
        cve: {type: string}
        severity:
          type: string
          enum:
            - Low
            - Medium
            - High
            - Critical
        # Scores are typed as strings, while Policy `cvss_range` bounds are
        # numbers; the string format is not specified here, so parse before
        # comparing against a threshold.
        cvss_v2_score: {type: string}
        cvss_v3_score: {type: string}
        summary: {type: string}
        description: {type: string}
        fixed_versions:
          type: array
          items: {type: string}
        # URIs presumably come from advisory data; treat them as untrusted
        # input when rendering or fetching.
        references:
          type: array
          items: {type: string, format: uri}
        published: {type: string, format: date-time}
    # Response of POST /v1/summary/artifact: one entry per artifact with its
    # identity, issues and licenses.
    ArtifactSummary:
      type: object
      properties:
        artifacts:
          type: array
          items:
            type: object
            properties:
              general:
                type: object
                properties:
                  name: {type: string}
                  path: {type: string}
                  # Plain string: no `pattern` constrains it to a hex digest.
                  sha256: {type: string}
                  component_id: {type: string}
              issues:
                type: array
                items:
                  $ref: "#/components/schemas/Issue"
              licenses:
                type: array
                items:
                  type: object
                  properties:
                    name: {type: string}
                    full_name: {type: string}
                    components:
                      type: array
                      items: {type: string}
    # Response of POST /v1/summary/build: the build's identity plus its issues.
    BuildSummary:
      type: object
      properties:
        build:
          type: object
          properties:
            build_name: {type: string}
            build_number: {type: string}
        issues:
          type: array
          items:
            $ref: "#/components/schemas/Issue"
    # A security issue as reported in artifact and build summaries, with the
    # CVEs it maps to and the artifacts it affects.
    Issue:
      type: object
      properties:
        issue_id: {type: string}
        severity:
          type: string
          enum:
            - Low
            - Medium
            - High
            - Critical
        summary: {type: string}
        description: {type: string}
        # Free-form strings; the possible values are not enumerated here.
        issue_type: {type: string}
        provider: {type: string}
        cves:
          type: array
          items:
            type: object
            properties:
              cve: {type: string}
              # String-typed scores, as in the Vulnerability schema.
              cvss_v2_score: {type: string}
              cvss_v3_score: {type: string}
        created: {type: string, format: date-time}
        impacted_artifacts:
          type: array
          items:
            type: object
            properties:
              name: {type: string}
              display_name: {type: string}
              path: {type: string}
              sha256: {type: string}
    # A watch ties a set of resources to the policies evaluated against them.
    # Used as both request body and response for the /v2/watches operations.
    Watch:
      type: object
      required:
        - general_data
        - project_resources
        - assigned_policies
      properties:
        general_data:
          type: object
          properties:
            name: {type: string}
            description: {type: string}
            # Optional with no `default` declared; whether an omitted value
            # yields an active watch is not stated here. Set it explicitly.
            active: {type: boolean}
        project_resources:
          type: object
          properties:
            resources:
              type: array
              items:
                type: object
                properties:
                  type:
                    type: string
                    enum:
                      - repository
                      - build
                      - all-repos
                      - all-builds
                  name: {type: string}
                  bin_mgr_id: {type: string}
                  # Filters narrow what the watch covers, so anything they
                  # exclude is presumably not evaluated; review them with the
                  # same care as the policy list.
                  filters:
                    type: array
                    items:
                      type: object
                      properties:
                        type:
                          type: string
                          enum:
                            - regex
                            - package-type
                            - path-regex
                            - mime-type
                        value: {type: string}
        # Required, but no `minItems` is set: an empty list validates, which
        # would describe a watch with no policy attached.
        assigned_policies:
          type: array
          items:
            type: object
            properties:
              name: {type: string}
              type:
                type: string
                enum:
                  - security
                  - license
                  - operational_risk
    # A policy: a typed, ordered set of rules, each pairing match criteria with
    # the actions taken on a match. Used as both request body and response for
    # the /v2/policies operations.
    Policy:
      type: object
      required:
        - name
        - type
        - rules
      properties:
        name: {type: string}
        description: {type: string}
        type:
          type: string
          enum:
            - security
            - license
            - operational_risk
        # Required, but no `minItems` is set: an empty rule list validates.
        rules:
          type: array
          items:
            type: object
            # No field of a rule is marked required, including `criteria` and
            # `actions`.
            properties:
              name: {type: string}
              priority: {type: integer}
              # Security criteria (`min_severity`, `cvss_range`) and license
              # criteria share one object; nothing in the schema ties them to
              # the policy `type` or makes them mutually exclusive.
              criteria:
                type: object
                properties:
                  min_severity:
                    type: string
                    enum:
                      - Low
                      - Medium
                      - High
                      - Critical
                  # Numeric bounds with no `minimum`/`maximum` declared.
                  cvss_range:
                    type: object
                    properties:
                      from: {type: number}
                      to: {type: number}
                  allow_unknown: {type: boolean}
                  banned_licenses:
                    type: array
                    items: {type: string}
                  allowed_licenses:
                    type: array
                    items: {type: string}
              # Enforcement and notification switches. All are optional and
              # none declares a `default`, so state each one explicitly rather
              # than relying on server behaviour for omitted values.
              actions:
                type: object
                properties:
                  # Plain strings: not typed as URIs or e-mail addresses.
                  webhooks:
                    type: array
                    items: {type: string}
                  mails:
                    type: array
                    items: {type: string}
                  block_download:
                    type: object
                    properties:
                      unscanned: {type: boolean}
                      active: {type: boolean}
                  block_release_bundle_distribution: {type: boolean}
                  fail_build: {type: boolean}
                  notify_deployer: {type: boolean}
                  notify_watch_recipients: {type: boolean}
                  create_ticket_enabled: {type: boolean}
    # Response of POST /v1/violations: a total count plus the violations
    # matching the request filters.
    ViolationsResponse:
      type: object
      properties:
        total_violations: {type: integer}
        violations:
          type: array
          items:
            type: object
            properties:
              # Both are plain strings here; unlike the request filters and
              # the Issue schema, no `enum` constrains them.
              violation_type: {type: string}
              severity: {type: string}
              watch_name: {type: string}
              description: {type: string}
              matched_policies:
                type: array
                items:
                  type: object
                  properties:
                    policy: {type: string}
                    rule: {type: string}
              created: {type: string, format: date-time}
              # No `sha256` field here, unlike `impacted_artifacts` in Issue.
              impacted_artifacts:
                type: array
                items:
                  type: object
                  properties:
                    name: {type: string}
                    display_name: {type: string}
                    path: {type: string}
    # An ignore rule: what to suppress (vulnerabilities, CVEs, licenses) and
    # where (watches, policies, a component, an artifact).
    # No `required` list exists, so every field is optional in this spec and an
    # empty object validates.
    # NOTE(review): a rule with no scope fields and no `expiration_date` would
    # be broad and permanent if the server accepts it; confirm, and require
    # `notes` plus an expiry by process.
    IgnoreRule:
      type: object
      properties:
        # Also returned by the create operation; presumably server-assigned,
        # though it is not marked `readOnly` here.
        id: {type: string}
        notes: {type: string}
        expiration_date: {type: string, format: date-time}
        # `vulnerabilities` and `cves` have the same item shape; the difference
        # between them is not described in this document.
        vulnerabilities:
          type: array
          items:
            type: object
            properties:
              cve: {type: string}
        cves:
          type: array
          items:
            type: object
            properties:
              cve: {type: string}
        licenses:
          type: array
          items: {type: string}
        watches:
          type: array
          items: {type: string}
        policies:
          type: array
          items: {type: string}
        component:
          type: object
          properties:
            name: {type: string}
            version: {type: string}
        artifact:
          type: object
          properties:
            name: {type: string}
            version: {type: string}
            path: {type: string}