Get a Demo
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Overview

The Hopper integration with JFrog Artifactory provides security and compliance visibility into the open-source components stored in your binary repositories. Hopper scans packages and container images in Artifactory to detect known vulnerabilities (CVEs), license violations, and generate SBOMs—helping you govern your software supply chain with clarity.

This integration focuses on artifact-level visibility and optionally correlates findings with your source code for higher-precision vulnerability reachability analysis. Hopper supports both JFrog Cloud and self-hosted Artifactory instances, without requiring build pipeline instrumentation.

Capabilities

  • Scans OSS packages and images stored in Artifactory, including Maven, npm, PyPI, Go, NuGet, Docker, and more.
  • Identifies known vulnerabilities in artifacts using industry databases (e.g. NVD, GitHub Advisories).
  • Highlights license compliance issues based on organizational policy 
  • Generates SBOMs in SPDX and CycloneDX formats for all scanned artifacts.
  • Enables artifact-level risk monitoring without requiring CI/CD integration or pipeline changes.

Requirements

  • JFrog Artifactory (cloud or self-hosted)
  • A Hopper account
  • JFrog user with:
    • read access to relevant repositories
    • (Optional) access to build info metadata for enhanced context
  • Artifactory REST API enabled

Setup Instructions

  1. Log in to the Hopper platform.
  2. Navigate to Integrations > JFrog Artifactory.
  3. Enter your Artifactory base URL (e.g., https://yourcompany.jfrog.io/artifactory).
  4. Enter your artifactory’s user name and password
  5. Hopper will begin analyzing repositories and surface results in the dashboard.

Permissions

Hopper requires read-only access to the following:

  • Artifact files (e.g., .jar, .tgz, .whl, .tar, .json, etc.)
  • (Optional) Build metadata (build-info JSON, environment details)

The integration does not:

  • Modify artifacts or repository configuration
  • Require deploy, admin, or write permissions
    Access your CI/CD pipelines

Security and Data Handling

  • Hopper connects over HTTPS using API tokens or access credentials.
  • Artifacts are scanned in-memory; Hopper does not store or export binaries.
  • Metadata and vulnerability results are retained securely within the Hopper platform.

Output

Once integrated, Hopper will generate:

  • Vulnerability Reports: Lists of known CVEs per artifact, version, and dependency path.
  • License Compliance Alerts: License types flagged against configured policies.
  • SBOMs: Exportable in SPDX or CycloneDX formats per repository or artifact.

ON THIS PAGE

Heading 2
Heading 3
Heading 4
Heading 5
Heading 6