JFrog Xray (Container Security)
by JFrog Ltd.
JFrog Xray is a container security and software composition analysis tool deeply integrated with JFrog Artifactory. It delivers continuous container image vulnerability scanning, license compliance, and malware detection directly in the artifact repository, making it the best container security tool for organizations that use JFrog as their binary management platform and need security built into the artifact lifecycle.
Starting Price
JFrog Pro from ~$250/month; Enterprise+ on quote at jfrog.com; Pro X (Xray) from $750/month
Key Features
- Container Image Vulnerability Scanning: Deep Recursive Dependency Analysis
- Artifactory Integration: Scan & Block Vulnerable Images at Repository Level
- License Compliance: Open Source License Audit for Container Images
- Malware Detection: Container Image Malware Scanning
- SBOM Generation: CycloneDX & SPDX for Container Images
- Policy Enforcement: Block Non-Compliant Container Promotion
- JFrog Advanced Security: Secret Detection, SAST, Contextual Analysis
- CVE Contextual Analysis: Is the Vulnerable Function Actually Called?
- Kubernetes KSPM: JFrog Catalog for K8s Security Posture
- Container Registry: JFrog Artifactory Universal Registry
- CI/CD Integration: Jenkins, GitHub, GitLab, Azure Pipelines
- Watch & Alert: Real-Time New CVE Alerts for Existing Images
- Impact Graph: Visualize Dependency Vulnerability Propagation
- Compliance Reporting: PCI, HIPAA, SOC 2 Container Evidence
Pros & Cons
Pros
- Best container security for JFrog Artifactory users: Xray natively scans container images at the repository layer before promotion
- CVE Contextual Analysis determines whether the vulnerable function is actually called, reducing false positives by 70%+
- Impact Graph visualizes how a CVE propagates through all dependent container images
- Watch & Alert notifies when new CVEs are published for already-stored images
- Deep recursive dependency scanning catches transitive vulnerabilities other scanners miss
- FedRAMP authorized
- On-premise deployment for air-gapped artifact repositories
Cons
- Best value for existing JFrog Artifactory customers; less competitive as a standalone scanner
- Less runtime container protection vs. Aqua Security and Sysdig
- No Kubernetes KSPM depth comparable to dedicated KSPM tools
- UI less intuitive for non-JFrog users
- Premium pricing for full Advanced Security features
Best For
Organizations using JFrog Artifactory as their binary repository who want container security built directly into their artifact management workflow: scanning images at the repository layer, blocking vulnerable promotions, and getting CVE contextual analysis that only surfaces vulnerabilities with real exploitability.
Target Audience
Enterprise, Mid-Market, Technology Companies, DevOps Teams using JFrog Artifactory
Pricing
Model
Annual subscription per binary/scan volume; JFrog Platform tiers (Pro, Enterprise+) on quote
Starting At
JFrog Pro from ~$250/month; Enterprise+ on quote at jfrog.com; Pro X (Xray) from $750/month
Free Trial
Yes, 14-day free trial at jfrog.com; free community edition available
Company Info
Founded
2008
Headquarters
Sunnyvale, CA, USA
Employees
1,500+
Company Size
Mid-Market & Enterprise (500 to 500,000+ developers and container images)
Funding
Public (NASDAQ: FROG); market cap ~$3B (January 2026)
Awards & Recognition
Gartner Magic Quadrant Challenger, Software Composition Analysis, 2025 | G2 Leader, Container Security, 2026 | FedRAMP PMO Authorized | SC Awards Best DevSecOps Tool, 2025
Data sourced from G2, Gartner & Capterra · Verified by Firmographic
