New Connector: DefectDojo + JFrog Xray - Bring Your Software Composition Findings Into One Place

Written by GREG ANDERSON | Mar 4, 2026 2:45:00 PM

Your artifact security findings now have a home in your vulnerability management program.

We're excited to announce the launch of the DefectDojo + JFrog Xray Connector, a new native integration that imports security findings from JFrog Xray directly into DefectDojo for centralized vulnerability management, deduplication, risk scoring, and remediation tracking.

If your organization uses JFrog Xray to scan artifacts, containers, and open-source dependencies for vulnerabilities and license compliance issues, those findings no longer need to sit in a separate workflow. They now flow into the same platform that already holds your SAST, DAST, infrastructure, and edge security results.

Why This Matters for Security Leaders

Software supply chain security has moved from a nice-to-have to a board-level concern. JFrog Xray is one of the most widely adopted tools for scanning binaries, container images, and open-source packages for known vulnerabilities and license risks. It's deeply embedded in CI/CD pipelines and artifact management workflows across thousands of organizations.

But the findings it produces often stay locked inside the JFrog platform. Security teams end up managing Xray results in one console, SAST findings in another, DAST results somewhere else, and infrastructure scans in yet another tool. The result is fragmented visibility, duplicated triage, and compliance reports that only tell part of the story.

The DefectDojo + JFrog Xray Connector fixes that.

Now, vulnerability and license compliance findings from JFrog Xray flow directly into DefectDojo. Once there, they're automatically deduplicated against your other scan results, risk-scored based on asset criticality, and queued for remediation alongside every other finding in your environment.

What the Connector Does

The new JFrog Xray Connector enables your team to:

Import findings automatically. Pull vulnerability detections and license compliance issues from JFrog Xray into DefectDojo. No manual exports. No juggling CSV files between platforms. Just structured data flowing into your existing workflow.

Deduplicate across your entire stack. If Xray flags a vulnerable dependency that another SCA scanner also caught, DefectDojo's deduplication engine correlates the two reports into a single finding instead of creating duplicate tickets.

Apply unified risk scoring. DefectDojo calculates risk based on asset criticality, vulnerability severity, and environmental context. Your team gets one prioritized queue of what to fix first, whether the finding came from Xray, your SAST tool, or your container scanner.

Track remediation end-to-end. Assign findings to engineering teams, push tickets to Jira, GitHub, GitLab, or Azure DevOps, and track resolution from detection to closure across your entire security program.

Report with complete visibility. With JFrog Xray data now part of your DefectDojo instance, your executive dashboards and compliance reports reflect your full security posture, including software supply chain risk.

Software Supply Chain Security, Without the Silos

This connector is part of DefectDojo's goal to be the operating system that connects all of your security tools.

With 200+ native integrations and the Universal Parser for everything else, DefectDojo is built on a simple principle: your vulnerability management platform should work with your stack, not against it. You should be able to swap scanners, add new tools, and evolve your program without rebuilding your management layer from scratch.

Adding JFrog Xray to the connector ecosystem means that organizations relying on JFrog for artifact security now get the same centralized management experience that teams using Snyk, Checkmarx, Trivy, Qualys, Burp Suite, and hundreds of other tools already rely on.

Software supply chain security is too important to manage in isolation. Now you don't have to.

Getting Started

Setting up the DefectDojo + JFrog Xray Connector takes just minutes:

  1. Navigate to your DefectDojo instance and open Connectors in the settings menu.
  2. Select JFrog Xray from the available integrations.
  3. Configure your JFrog API credentials and select the repositories and watches you want to import.
  4. Run your first import and watch your Xray findings appear alongside the rest of your vulnerability data.

For detailed setup instructions, visit our documentation at docs.defectdojo.com.

Ready to Unify Your Security Program?

If you're already a DefectDojo Pro customer, the JFrog Xray Connector is available now. If you're exploring DefectDojo for the first time, there's never been a better moment to see how centralized vulnerability management transforms the way your team operates.

DefectDojo is the leading open-source and enterprise vulnerability management platform, trusted by security teams worldwide to consolidate, deduplicate, and manage findings from 200+ security tools. Learn more at defectdojo.com.