
Using Repository Scans without GitHub Advanced Security #652

Open
imranzunzani opened this issue Feb 27, 2024 · 9 comments
Labels
question Further information is requested

Comments

@imranzunzani
Contributor

If GitHub Advanced Security is not enabled, is there a way to use the Repository Scans without that? Eg. printing the results in the Actions' output instead. Are there options/parameters for other mechanisms for outputting the results?

imranzunzani added the "question (Further information is requested)" label on Feb 27, 2024
@asafcjfrog

Hi Imranzunzani,
Yes, we are introducing a new UI that will show the results of the Repository Scans.
Can you kindly contact your JFrog representative and ask them about the XSC?
We will be happy to schedule a call with you and demo it.

@imranzunzani
Contributor Author

Hi @asafcjfrog ,
We have been waiting for its release already. It was demoed to us in October. But my question here is about the results showing up in GitHub without GitHub Advanced Security enabled.

@eranturgeman
Contributor

Hello @imranzunzani
Frogbot can present its results in the PR you scan (scan-pr), or open a new PR with the scan results and fix suggestions (scan-repository).
The scans Frogbot performs are not related to the GitHub directory and are not dependent on it, so yes, Frogbot is able to present the results.
Would you care to tell me what is not working as you expect? (screen pictures would be helpful as well)

@asafcjfrog

@imranzunzani please contact your JFrog representative to schedule a call and I'll be happy to assist

@imranzunzani
Contributor Author

Hi @eranturgeman ,
My question is about the repository scan, not the PR scan. Without the GHAS API enabled, the repo scan completes with the following logged, and no mention of found violations anywhere:

/opt/hostedtoolcache/frogbot/[RELEASE]/x64/frogbot scan-repository
  08:19:48 [Info] Frogbot version: 2.19.9
  08:19:49 [Info] Running Frogbot "scan-repository" command
  08:19:51 [Info] Preforming 1 SCA scans:
  [
    {
      "Technology": "maven",
      "WorkingDirectory": "/tmp/jfrog.cli.temp.-1708503590-428075562",
      "Descriptors": [
        "/tmp/jfrog.cli.temp.-1708503590-428075562/pom.xml"
      ]
    }
  ]
  08:19:51 [Info] Running SCA scan for maven vulnerable dependencies in /tmp/jfrog.cli.temp.-1708503590-428075562 directory...
  08:19:51 [Info] Calculating Maven dependencies...
  08:19:59 [Info] Scanning 68 maven dependencies...
  08:20:01 [Info] Waiting for scan to complete on JFrog Xray...
  08:20:24 [Info] Xray scan completed
  08:20:24 [Warn] upload code scanning for main branch failed with: POST https://api.github.com/repos/*org*/jfrog-workflow-test/code-scanning/sarifs: 403 Advanced Security must be enabled for this repository to use code scanning. []
  08:20:34 [Info] Created Pull Request updating dependency 'org.springframework.boot:spring-boot-starter-web' to version '2.6.6'
  08:20:36 [Info] Frogbot "scan-repository" command finished successfully

The fix suggestions don't cover all vulnerabilities and license violations.

@brianmaresca

I have the same exact question.

  13:33:19 [Warn] upload code scanning for develop branch failed with: POST https://api.github.com/repos/*org*/*repo*/code-scanning/sarifs: 403 Advanced Security must be enabled for this repository to use code scanning. []
  13:33:19 [Info] Didn't find vulnerable dependencies with existing fix versions for *repo*
  13:33:19 [Info] Frogbot "scan-repository" command finished successfully
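Both logs above show the same failure mode: the SARIF upload to GitHub code scanning is rejected with 403, yet the command still reports "finished successfully", so the findings land nowhere and the job stays green. The following is an added example, not Frogbot's code and not from anyone in this thread, of a small checker a workflow step could run over Frogbot's output to turn that warning into a failing step; the sample log is constructed from the lines quoted above with placeholder org and repo names.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the log lines quoted in this thread (not a real run).
SAMPLE_LOG = """\
08:20:24 [Info] Xray scan completed
08:20:24 [Warn] upload code scanning for main branch failed with: POST https://api.github.com/repos/example-org/example-repo/code-scanning/sarifs: 403 Advanced Security must be enabled for this repository to use code scanning. []
08:20:34 [Info] Created Pull Request updating dependency 'org.springframework.boot:spring-boot-starter-web' to version '2.6.6'
08:20:36 [Info] Frogbot "scan-repository" command finished successfully
"""

# Matches the warning Frogbot prints when the SARIF upload is rejected.
UPLOAD_FAILED = re.compile(
    r"\[Warn\] upload code scanning for (?P<branch>\S+) branch failed with: "
    r"(?P<method>[A-Z]+) (?P<url>\S+): (?P<status>\d{3}) (?P<reason>.*?)\s*\[\]$"
)
FINISHED_OK = re.compile(r'\[Info\] Frogbot "(?P<cmd>[\w-]+)" command finished successfully')

@dataclass
class UploadFailure:
    branch: str
    status: int
    reason: str

@dataclass
class ScanReport:
    finished_ok: bool = False
    command: str = ""
    upload_failures: list = field(default_factory=list)

    @property
    def results_silently_dropped(self) -> bool:
        # The risky combination: success reported while the only sink for findings was rejected.
        return self.finished_ok and bool(self.upload_failures)

def parse_frogbot_log(text: str) -> ScanReport:
    report = ScanReport()
    for line in text.splitlines():
        if m := UPLOAD_FAILED.search(line):
            report.upload_failures.append(UploadFailure(m["branch"], int(m["status"]), m["reason"].strip()))
        elif m := FINISHED_OK.search(line):
            report.finished_ok, report.command = True, m["cmd"]
    return report

def exit_code_for(report: ScanReport) -> int:
    """1 when findings were silently dropped, so the workflow step fails instead of staying green."""
    return 1 if report.results_silently_dropped else 0

if __name__ == "__main__":
    import sys
    r = parse_frogbot_log(SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read())
    for f in r.upload_failures:  # GitHub Actions workflow-command syntax for an annotation
        print(f"::warning::code-scanning upload for '{f.branch}' failed: {f.status} {f.reason}")
    sys.exit(exit_code_for(r))
```

Pipe the Frogbot step's output into the script (for example with `tee` into a log file) and it exits non-zero whenever the upload warning appears alongside a "finished successfully" line.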

@eranturgeman
Contributor

Hello @imranzunzani and @brianmaresca
Here is a solution and answer for all of your questions (hopefully):
The default for Frogbot is to send the scan results to GitHub Advanced Security. We cannot disable that currently.
You are correct that you cannot see the full scan results in the PRs Frogbot opens since we don't want to expose some security issues out to the public (in case of public repos) that can be exploited by a potential attacker. For the same reason we don't want to print the results to the CI logs, so no security issue that can be exploited will be exposed.
As for a different solution: we introduced a while ago our new Xsc service that is now deployed in most of our regions.
This service (accessible through the platform) presents ALL the scan results from every scan you initiated as long as you are connected to some JFrog Platform. There you can view all the results in a secured way.
You can access it in the platform under Xray -> Scans List.
Hope it cleared everything out. If so, I'd appreciate your comment so I know everything is good; if not, please comment and I'll clear up whatever is needed.

@brianmaresca

I don't see anything in the Scans list in my JFrog console.

Also, it would be great if there was an option to enable logging the full scan results. I would think adding that would be simple.

@eranturgeman
Contributor

@brianmaresca
Currently we don't approve logging the full scan results for security reasons.
As for the Scans list: please contact your JFrog representative to resolve this issue and verify the existence of the Xsc service in your region. I think it can be resolved the quickest this way :)
