Using Frogbot to scan this repository

[eyalbe4]

Dear maintainers of the repository,

My name is Eyal and my team at JFrog is maintaining Frogbot, JFrog VS Code Extension and few more open source projects used by our community. We're using this great library in the JFrog VS Code Extension and wanted to thank you for creating this library.

We wanted to ask you whether you'd like us to install Frogbot on this repository for you. We can set it up to scan pull requests for security vulnerabilities and/or scan the entire repository periodically. The service is completely free of charge and we'll be helping and guiding you through the setup. We'll also be supporting you in case you'll need any future assistance.

Please let me know if you're interested. We can also continue communicating about this offline.

Thanks,
Eyal

[ST-DDT]

@eyalbe4 Thanks for reaching out to us.

I have a few questions related to your tool.

Frogbot is a Git bot that scans your pull requests and repositories for security vulnerabilities

What does that include? From the example below it looks like only a dependency CVE scan.

I also had a look at your website and found:

JFrog Advanced Security provides software composition analysis powered by JFrog Xray, container contextual analysis, IaC security, secrets detection, and detection of OSS library and services misconfiguration or misuse.

But couldn't find any examples for those. Does it only point to a specific line of code or does it suggest a solution/point to extended docs/best practice guides?
Could you please recommend me a video showing how it feels to use the scanner
(beyond identifying a CVE library and creating an update PR)?

@ fakerjs devs: You might want to have a look directly at: https://jfrog.com/xray/ -> See how JFROG Xray AND ADVANCED SECURITY compares

[eyalbe4]

@ST-DDT,
Happy to answer your questions.

Frogbot creates a deep recursive graph of the scanned project's dependencies. It then scans the entire list of dependencies with JFrog Xray for CVEs. The scan can be performed on newly opened pull requests before they are merged and/or the entire repository, following new commits.
Advanced Security which includes container contextual analysis, IaC security, secrets detection aren't yet incorporated into Frogbot. This is still work in progress. I'll make sure to let you know once this functionality becomes available.

Let me know if you have follow-up questions.

[ST-DDT]

Thanks for your quick response answering my questions.

For now, renovate keeps our dependencies up to date in this and other repositories in the community and we are happy with its current functionalities.

We will reevaluate this when more features become available.

Thanks again for time and have a nice weekend.

[eyalbe4]

Sure @ST-DDT 👍

[ST-DDT]

@eyalbe4 The VS Code extension description seems to be partially broken:

https://marketplace.visualstudio.com/items?itemName=JFrog.jfrog-vscode-extension#severity-icons

[eyalbe4]

Thanks for letting me know @ST-DDT. We'll fix this.