
JFrog Xray: Vulnerability Scanning Built Into Your Artifact Pipeline

A review of JFrog Xray for vulnerability scanning and license compliance, covering its deep integration with Artifactory, impact analysis, and binary-level scanning.

Yukti Singhal
Security Researcher

JFrog Xray occupies an unusual position in the SCA market. Instead of scanning source code repositories like most SCA tools, Xray scans the artifacts in your binary repository. If you are already using JFrog Artifactory (and a remarkable number of enterprises are), Xray adds security scanning with very little friction, because it analyzes the same artifacts Artifactory is already managing.

The Artifact-First Approach

Most SCA tools scan source code. They read your package manifests and lock files, resolve the dependency tree, and match the result against vulnerability databases. This works well, but it misses the gap between what your source code declares and what your built artifact actually contains.

Xray scans the actual binary artifacts stored in Artifactory. This means it catches vulnerabilities in:

  • Compiled dependencies that differ from source declarations
  • System libraries included in container images
  • Vendored code that is not reflected in package manifests
  • Build-time dependencies that affect the output artifact

The artifact-first approach also means Xray can scan things that source-code scanners cannot: pre-built Docker images, downloaded binaries, firmware packages, and proprietary libraries uploaded as generic artifacts.

Deep Integration with Artifactory

Xray's killer feature is its seamless Artifactory integration. If Artifactory is your organization's artifact repository (for Docker images, Maven artifacts, npm packages, PyPI packages, or any other package type), enabling Xray adds scanning without changing any developer workflows.

Artifacts are scanned automatically as they enter an indexed repository, so coverage is only as complete as the set of repositories, builds and release bundles you have added to Xray's indexed resources; anything outside that set is never scanned. New vulnerability data triggers rescans of already-indexed artifacts. A policy with the block-download action stops clients from pulling a violating artifact (and, optionally, artifacts that have not yet been scanned), preventing vulnerable components from reaching production. This is security enforcement at the binary distribution layer, a natural chokepoint that catches issues regardless of which CI pipeline or build system produced the artifact.

The Artifactory integration also enables impact analysis. When a new vulnerability is published, Xray can tell you every indexed artifact in your repositories that contains the affected component and, for builds whose build info was published to Artifactory, every build and release bundle that consumed those artifacts. This is tremendously valuable during incident response.

Vulnerability Detection

Xray's vulnerability database combines data from JFrog's security research team, NVD, VulnDB, and other sources. The database is updated continuously, and new vulnerability data triggers automatic rescans of indexed artifacts.

Detection accuracy is competitive with leading SCA tools for the ecosystems Xray covers. Java (Maven, Gradle), JavaScript (npm), Python (pip, Conda), Go, Ruby, Docker, and Debian/RPM packages are well-supported. Less common ecosystems have thinner coverage.

Xray performs recursive scanning on container images, analyzing both OS-level packages and application-level dependencies within each image layer. The scanning depth is comparable to Trivy or Grype for container images, which is reasonable given that Xray is a broader platform rather than a dedicated container scanner.

Watches and Policies

Xray's policy system revolves around "watches" that define what to scan and "policies" that define what to do with findings. A watch targets specific repositories, builds, or release bundles. A policy defines rules (minimum severity, specific CVEs, license types) and the actions to take when a rule matches (generate a violation, notify recipients or a webhook, block download, block release bundle distribution, fail the build).

This model maps well to enterprise governance. You can create a watch on your production Docker registry with a policy that blocks any image with critical vulnerabilities. A separate watch on your development registry might only warn. Different teams can have different policies based on their risk profile.

The policy engine supports custom license rules, operational risk criteria (project age, maintenance activity), and security severity thresholds. For organizations with complex compliance requirements, the granularity is sufficient.
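Here is what the two-tier setup described above (a blocking policy on the production registry, a warn-only policy on the development registry) looks like when created through the Xray REST API. This is an added example written for this review, not JFrog's own code. The hostname, token, repository names (docker-prod-local, docker-dev-local) and the policy and watch names are placeholders, and the JSON layout follows the v2 policy and watch endpoints (POST /xray/api/v2/policies and POST /xray/api/v2/watches) as this example's author understands them; verify the field names against your Xray version's documentation.

```python
"""Create a blocking production policy and a warn-only development policy,
then attach each to a watch on the matching repository via the Xray REST API.

Added example, not JFrog code. Assumed: the v2 policy/watch JSON layout,
the repository and policy/watch names, and the JFROG_URL / JFROG_TOKEN
environment variables used for the live run.
"""
import json
import os
import urllib.request


def build_security_policy(name, min_severity, enforce):
    """Return a security policy with a single min-severity rule.

    enforce=True  -> block downloads (including unscanned artifacts) and fail builds
    enforce=False -> only raise a violation and notify the watch recipients
    """
    actions = {
        "notify_watch_recipients": True,
        "block_download": {"active": enforce, "unscanned": enforce},
        "fail_build": enforce,
    }
    return {
        "name": name,
        "type": "security",
        "description": f"Violation at or above {min_severity}",
        "rules": [{
            "name": f"{name}-min-{min_severity.lower()}",
            "priority": 1,
            "criteria": {"min_severity": min_severity},
            "actions": actions,
        }],
    }


def build_repo_watch(name, repo, policy_name, bin_mgr_id="default"):
    """Return a watch covering every path in one Artifactory repository."""
    return {
        "general_data": {"name": name, "description": f"Watch on {repo}", "active": True},
        "project_resources": {"resources": [{
            "type": "repository",
            "bin_mgr_id": bin_mgr_id,  # Artifactory instance id as registered in Xray
            "name": repo,
            "filters": [{"type": "regex", "value": ".*"}],
        }]},
        "assigned_policies": [{"name": policy_name, "type": "security"}],
    }


def tiered_config():
    """Production blocks on Critical; development only warns on High and above."""
    return {
        "policies": [
            build_security_policy("prod-block-critical", "Critical", enforce=True),
            build_security_policy("dev-warn-high", "High", enforce=False),
        ],
        "watches": [
            build_repo_watch("prod-docker", "docker-prod-local", "prod-block-critical"),
            build_repo_watch("dev-docker", "docker-dev-local", "dev-warn-high"),
        ],
    }


def post_json(base_url, token, path, payload):
    """POST one JSON document with a JFrog access token; returns the HTTP status."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}{path}",
        data=json.dumps(payload).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


def apply_config(base_url, token, cfg):
    """Policies must exist before the watches that reference them."""
    for policy in cfg["policies"]:
        post_json(base_url, token, "/xray/api/v2/policies", policy)
    for watch in cfg["watches"]:
        post_json(base_url, token, "/xray/api/v2/watches", watch)


if __name__ == "__main__":
    cfg = tiered_config()
    url, token = os.environ.get("JFROG_URL"), os.environ.get("JFROG_TOKEN")
    if url and token:
        apply_config(url, token, cfg)
    else:
        print(json.dumps(cfg, indent=2))  # dry run: show what would be sent
```

Run it without JFROG_URL and JFROG_TOKEN set to print the generated documents and review them before anything is created; with both set it creates the two policies and then the two watches. Keep the warn-only tier's `block_download.unscanned` at false: blocking unscanned artifacts on a development registry mostly produces pull failures while the indexer catches up.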

Build Integration

Beyond artifact scanning, Xray integrates with JFrog Pipelines and other CI/CD systems to scan builds. Build-level scanning provides the dependency graph for the entire build, including transitive dependencies that might not be obvious from the source code.

JFrog CLI in a CI pipeline publishes the build information to Artifactory (jf rt build-publish) and can then request an Xray scan of that build (jf build-scan), which returns a non-zero exit code when a watch covering the build raises a violation with the fail-build action. Build promotion through Artifactory staging repositories can be gated on that result, creating a security checkpoint in your release pipeline.
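The same gate can be scripted directly against the REST API when the pipeline cannot run JFrog CLI, or when you want a threshold stricter than the watch's own fail-build setting. The following is an added example for this review, not JFrog's code: it assumes POST /xray/api/v1/scanBuild accepts {"buildName", "buildNumber"} and answers with a body containing "summary" (with "fail_build", "total_alerts", "message") and "alerts", each alert carrying "issues" with a "severity" and a list of "impacted_artifacts". Those field names are as this example's author recalls them from the Xray REST documentation and should be checked against your version; the build name, the sample response and the JFROG_URL / JFROG_TOKEN / XRAY_FAIL_ON variables are placeholders.

```python
"""CI gate for a build already published to Artifactory with jf rt build-publish:
request an Xray scan of it and exit non-zero when it must not be promoted.

Added example, not JFrog code. Assumed: the scanBuild request/response field
names, the environment variable names, and the constructed SAMPLE_SCAN below.
"""
import json
import os
import sys
import urllib.request

SEVERITY_ORDER = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}


def scan_build(base_url, token, build_name, build_number):
    """Synchronously scan a published build and return the parsed JSON response."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/xray/api/v1/scanBuild",
        data=json.dumps({"buildName": build_name, "buildNumber": build_number}).encode(),
        headers={"Authorization": f"Bearer {token}", "Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=600) as resp:  # scans can take minutes
        return json.load(resp)


def evaluate(scan, fail_on="High"):
    """Return (passed, counts_by_severity).

    The build fails when Xray itself set summary.fail_build (a policy with the
    fail_build action fired) or when any reported issue is at or above fail_on.
    The second check lets the pipeline be stricter than a warn-only watch.
    """
    counts = {sev: 0 for sev in SEVERITY_ORDER}
    threshold = SEVERITY_ORDER[fail_on]
    over_threshold = 0
    for alert in scan.get("alerts", []):
        for issue in alert.get("issues", []):
            sev = issue.get("severity", "")
            if sev in counts:
                counts[sev] += 1
            if SEVERITY_ORDER.get(sev, 0) >= threshold:
                over_threshold += 1
    policy_failed = bool(scan.get("summary", {}).get("fail_build"))
    return (not policy_failed and over_threshold == 0, counts)


def impacted_artifacts(scan):
    """Sorted names of every artifact the alerts point at, for the job log."""
    names = set()
    for alert in scan.get("alerts", []):
        for issue in alert.get("issues", []):
            for art in issue.get("impacted_artifacts", []):
                if art.get("name"):
                    names.add(art["name"])
    return sorted(names)


# Constructed sample response (not a real scan): one warn-only watch fired,
# so fail_build is false even though a High-severity issue is present.
SAMPLE_SCAN = {
    "summary": {"total_alerts": 1, "fail_build": False, "message": "Build has 2 issues"},
    "alerts": [{
        "watch_name": "dev-docker",
        "top_severity": "High",
        "issues": [
            {"severity": "High", "type": "security", "summary": "constructed high finding",
             "impacted_artifacts": [{"name": "libexample-1.0.so", "path": "docker-dev-local/api/1.2.3/", "pkg_type": "Docker"}]},
            {"severity": "Medium", "type": "security", "summary": "constructed medium finding",
             "impacted_artifacts": [{"name": "example-0.9.jar", "path": "docker-dev-local/api/1.2.3/", "pkg_type": "Maven"}]},
        ],
    }],
}


def main():
    url, token = os.environ.get("JFROG_URL"), os.environ.get("JFROG_TOKEN")
    if url and token and len(sys.argv) == 3:
        scan = scan_build(url, token, sys.argv[1], sys.argv[2])
    else:
        scan = SAMPLE_SCAN  # offline run against the constructed sample
    passed, counts = evaluate(scan, fail_on=os.environ.get("XRAY_FAIL_ON", "High"))
    print("severity counts:", counts)
    print("impacted artifacts:", impacted_artifacts(scan))
    print("gate:", "PASS" if passed else "FAIL")
    sys.exit(0 if passed else 1)


if __name__ == "__main__":
    main()
```

Invoke it as `python gate.py <build-name> <build-number>` after the build-publish step and before promotion. Note the failure mode the sample exercises: a warn-only watch reports the High issue but leaves fail_build false, so a gate that trusted summary.fail_build alone would promote the build; the local threshold is what catches it.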

Limitations

Xray's value is tightly coupled to Artifactory. If you are not using Artifactory, the overhead of adopting both products just for vulnerability scanning is hard to justify when alternatives like Snyk or Grype are available.

The source-code scanning capabilities are limited compared to dedicated SCA tools. Xray's strength is binary analysis, not source analysis. For pre-commit or pull-request feedback, other tools provide a better developer experience.

Pricing follows JFrog's platform model. Xray is included with Artifactory Enterprise and above, but the overall JFrog Platform cost is significant. If you are only evaluating Xray for vulnerability scanning, the total cost of ownership is higher than standalone SCA tools.

The UI can be dense. Navigating watches, policies, violations, and components requires familiarity with Xray's data model. New users face a learning curve before they can effectively manage findings.

How Safeguard.sh Helps

Safeguard.sh provides supply chain security capabilities that extend beyond what artifact-level scanning can deliver. While Xray secures the binary distribution pipeline, Safeguard.sh tracks the broader software supply chain from development through deployment. For organizations using JFrog Xray, Safeguard.sh serves as the aggregation layer that combines Xray's artifact findings with data from source code scanners, container registries, and runtime environments, creating the cross-pipeline visibility that no single tool provides alone.
