The jf audit command enables developers to perform on-demand security scans of their source code directly from their terminal, ensuring early detection of CVEs, licenses, operational risk, SAST, misconfigurations, and exposed secrets. By integrating seamlessly into the developer workflow, it helps catch security risks before code reaches production—reducing remediation costs and enhancing software integrity. The scan results are displayed in the terminal for immediate feedback and are also available in the JFrog Platform’s On-Demand Scans pane, providing centralized visibility.
{% hint style="info" %} For SCA, the command automatically detects the package manager used by your project and uses it to construct the dependency graph.
If the project hasn’t been installed yet, the system will execute an install command to generate the dependency tree for scanning.
On-demand scan results are retained for seven days before being automatically deleted. {% endhint %}
Command: jf audit (alias: jf aud)
| Option | Required | Default | Description |
|---|---|---|---|
--help |
No | — | Displays information about the jf audit command options. |
--server-id |
No | Default server | JFrog server ID configured via jf c add. |
--project |
No | — | JFrog project key to identify security violations. Incompatible with --repo-path and --watches. |
--repo-path |
No | — | Artifactory repository path for identifying violations. Incompatible with --project and --watches. |
--watches |
No | — | Comma-separated list of Xray watches to determine violations. Incompatible with --project and --repo-path. |
--licenses |
No | false |
Displays the list of licenses. |
--format |
No | table |
Defines the output format: table , json, simple-json, or sarif. The json format does not support the Advanced Security contextual analysis, Secrets, and misconfiguration scans. |
--extended-table |
No | false |
When set to true, result table includes extended fields such as CVSS and Xray Issue Id. Must be executed with --format table. |
--fail |
No | true |
Returns exit code 3 if a Fail Build rule is matched. Set to false to return exit code 0 with violations. |
--use-wrapper |
No | false (Gradle/Maven only) |
Use Gradle or Maven wrapper. |
--dep-type |
No | all (npm only) |
Defines npm dependency types: all, devOnly, prodOnly. |
--exclude-test-deps |
No | false (Gradle only) |
Excludes Gradle test dependencies from Xray scanning. |
--requirements-file |
No | — (Pip only) | Specifies the pip requirements file (e.g., requirements.txt). |
--working-dirs |
No | Root directory | Comma-separated list of directories to audit. Defaults to recursive scan from the project root. |
--exclusions |
No | .git;node_modules;target;venv;test |
Semicolon-separated list to exclude specific directories or files. Supports wildcards (*, ?). |
--fixable-only |
No | — | Displays only issues with available fixes. |
--min-severity |
No | — | Minimum severity of issues to display: Low, Medium, High, Critical. |
--threads |
No | 3 |
Number of parallel threads for scanning. |
--go |
No | false |
Audits a Go project. |
--gradle |
No | false |
Audits a Gradle project. |
--mvn |
No | false |
Audits a Maven project. |
--npm |
No | false |
Audits an npm project. |
--pnpm |
No | false |
Audits a pnpm project. |
--nuget |
No | false |
Audits a .NET project. |
--pip |
No | false |
Audits a Pip project. |
--pipenv |
No | false |
Audits a Pipenv project. |
--yarn |
No | false |
Audits a Yarn project. |
--sca |
No | false |
Selective scanners mode Runs the Software Composition Analysis (SCA) scan. Can be combined with |
--without-contextual-analysis |
No | false |
Selective scanners mode Disables Contextual Analysis when using |
--iac |
No | false |
Selective scanners mode Executes Infrastructure as Code (IaC) scans. Can be combined with |
--secrets |
No | false |
Selective scanners mode Executes Secrets Detection scans. Can be combined with |
--validate-secrets |
No | false |
Selective scanners mode Validates detected secrets. Only applicable when using |
--sast |
No | false |
Selective scanners mode Executes Static Application Security Testing (SAST) scans. Can be combined with |
--vuln |
No | — | Displays all vulnerabilities, regardless of Xray policies. |
Follow the Working in Air-Gapped Environments procedure.
The environment variable to set the source code scan is JFROG_CLI_RELEASES_REPO.
A basic audit that shows all vulnerabilities, regardless of the policies set in Xray:
jf auditAudit for Maven & npm projects that shows all vulnerabilities, regardless of the policies set in Xray:
jf audit --mvn --npmAudit using a defined Watch in Xray:
jf audit --watches "watch1"Audit using numerous defined Watches in Xray:
jf audit --watches "watch1,watch2"Audit using defined policies in a specific project:
jf audit --project "project-1"Audit using defined policies in a specific Artifactory path:
jf audit --repo-path "libs-local/release-artifacts/"Excluding from audit all files inside a directory (node_modules) and files with a specific suffix (to_exclude):
jf audit --exclusions "*node_modules*;*to_exclude"