Data Sources
Data Sources in OpsMx Delivery Shield defines the entry points from which security scanning is initiated — the what and where of every scan. Whether your team is scanning source code in a Git repository, a container image in a registry, a pre-existing SBOM file, or a mobile application artifact in JFrog Artifactory, Data Sources provides a unified, on-demand interface to trigger security analysis across all asset types from a single platform.
Data Source Types
Delivery Shield supports four primary Data Source types for Ad Hoc scanning:
Data Source | What It Scans | Purpose
Source Scan | Git repositories and branches | Identify vulnerabilities and compliance risks in source code
Artifact Scan | Container images and registry artifacts | Validate security of deployable units before release
SBOM Scan | Uploaded SBOM files (CycloneDX) | Assess risk in third-party or pre-built software from its component inventory
Mobile Artifact Scan | APK files in JFrog Artifactory | Comprehensive malware detection, mobile security analysis, and SBOM generation for mobile applications
Source Scan
What It Is
Source Scan is an on-demand security scanning capability for source code repositories hosted on platforms including GitHub, GitLab, Bitbucket, and others. It runs a configurable set of security tools — including Semgrep, Opengrep, and SonarQube — against selected repositories and branches to identify vulnerabilities, code quality issues, and compliance risks.
During project setup, users can link their source control account, enabling the system to automatically execute all eligible scans on selected repositories and branches. Once completed, the system generates detailed reports highlighting vulnerabilities, security risks, and compliance insights — and raises alerts based on findings with an overall risk status per repository or branch.
Source Scan brings multiple security scanners together under one roof — so teams get a complete security picture of their code without configuring and running tools individually.
Why Source Scan Is Used in OpsMx
Modern development workflows involve multiple repositories and rapid code changes — making it difficult to consistently enforce security and compliance checks across every branch and every team. Source Scan addresses this by:
Providing a unified interface to run multiple security scanners in one place — no tool-hopping
Offering quick visibility into vulnerabilities and overall risk posture per repository and branch
Reducing manual effort required to configure and run individual scanning tools
Ensuring better governance and compliance across all repositories regardless of team ownership
Automatically re-scanning repositories when new commits are detected — keeping results always current
Enabling teams to proactively identify and remediate security issues before deployment
Supported Scanners
Scanner | Type | Detects
Semgrep | SAST | Code-level vulnerabilities, insecure patterns, security anti-patterns
Opengrep | SAST | Community-driven static analysis rules across multiple languages
SonarQube | SAST + Quality | Code quality issues, security hotspots, technical debt, compliance
How to Use — Source Scan
For Public Repositories: Users can directly initiate a scan without any integration. Provide the repository details and the system executes the scans immediately.
For Private Repositories: Users need to integrate their GitHub or Bitbucket account. Once connected, they can select repositories and branches and trigger scans.
Workflow:
Supported Platforms:
Platform | Public Repositories | Private Repositories
GitHub | ✅ Direct scan | ✅ Requires GitHub account integration
GitLab | ✅ Direct scan | ✅ Requires GitLab account integration
Bitbucket | ✅ Direct scan | ✅ Requires Bitbucket account integration
Azure Repos | ✅ Direct scan | ✅ Requires Azure DevOps integration
Other Git Hosts | ✅ Via repository URL | ✅ Via credential configuration
Source Scan Results
Once a scan completes, results are available in the Reports page and include:
Vulnerability findings categorized by severity — Critical, High, Medium, Low
Risk status — overall risk score per repository and branch
Compliance insights — policy violations and governance gaps
Alerts — raised automatically based on findings that breach defined thresholds
Downloadable reports — exportable for audit, compliance review, or stakeholder sharing
Artifact Scan
What It Is
Artifact Scan is an on-demand security scanning capability for container images and artifacts stored in registries and artifact management systems. Users configure or connect their artifact source during setup and initiate scans on selected artifacts as needed.
Once a scan completes, the system generates detailed reports highlighting vulnerabilities, security risks, and compliance insights. Alerts are raised based on findings, and an overall risk status is provided for each scanned artifact — giving teams a clear picture of whether an artifact is safe to deploy.
Artifacts are the deployable units of modern applications. Artifact Scan ensures every container image or package is validated for security before it is released or deployed to any environment.
Why Artifact Scan Is Used in OpsMx
Artifacts represent the final, deployable form of an application. A vulnerable dependency or misconfigured image layer that passes code review can still make it into a container image — and from there, directly into production. Artifact Scan closes this gap by:
Providing a simple, unified way to scan artifacts on demand
Offering clear visibility into vulnerabilities and risk posture of every deployable asset
Reducing manual effort in validating artifact security across environments
Supporting governance and compliance requirements for released artifacts
Enabling teams to identify and remediate security risks before artifacts reach staging or production
Supported Scanners & Registries
Scanner | Targets | Detects
Trivy | Container images, file systems | OS packages, application dependencies, secrets, IaC misconfigurations
Grype | Container images, binaries | Vulnerabilities from NVD, GitHub Advisories, and OS-level security notices
Supported Registries:
Registry | Public Artifacts (no integration) | Private Artifacts (integration required)
Docker Hub | ✅ | ✅
Amazon ECR | — | ✅
Google Container Registry (GCR) | — | ✅
Google Artifact Registry | — | ✅
Azure Container Registry (ACR) | — | ✅
JFrog Artifactory | — | ✅
GitLab Container Registry | — | ✅
Quay | ✅ | ✅
How to Use — Artifact Scan
For Public Artifacts: Users can directly initiate a scan by providing the artifact reference — image name, tag, or package details — without requiring any registry integration.
For Private Artifacts: Users need to integrate their artifact repository or registry. Once connected, they can select and scan specific artifacts on demand.
Workflow:
Artifact Scan Results
Once a scan completes, results include:
CVE findings per image layer — with CVE ID, affected package, version, severity, and fix version
Risk status — overall security score per artifact
License information — open-source license compliance per dependency
SBOM output — generated automatically in CycloneDX or SPDX format
Alerts — raised automatically based on severity thresholds
Downloadable reports — exportable for audit, compliance, or deployment gate review
SBOM Scan
What It Is
Ad Hoc SBOM Scan allows users to upload a Software Bill of Materials (SBOM) file and scan it for known vulnerabilities and risks — without requiring access to source code or container images. The system analyzes the components listed in the SBOM and generates reports with identified vulnerabilities, alerts, and an overall risk status.
Why SBOM Scan Is Used in OpsMx
SBOMs provide a structured inventory of all components and dependencies in an application. Evaluating hundreds of components manually against vulnerability databases is time-consuming and error-prone. Ad Hoc SBOM Scan solves this by:
Quickly identifying vulnerabilities in all listed components — matched against NVD, OSV, and GitHub Advisory databases in real time
Providing immediate risk visibility without needing access to source code or running containers
Supporting security and compliance checks for third-party software — vendors, COTS applications, and open-source packages where only an SBOM is available
Enabling faster decision-making before deployment or procurement — assess a vendor's software risk from their SBOM alone
Supporting SEBI CSCRF, NIST 800-53, and other regulatory mandates requiring SBOM-based component risk assessment
How to Use — SBOM Scan
No integration or account linking is required. SBOM Scan works with any valid CycloneDX SBOM file.
Workflow:
SBOM Scan Results
Once scanning completes, results include:
Component-level vulnerability findings — CVE ID, severity, affected component, version, and fix version
License risk — license type per component flagged against your organization's policy
Overall risk status — aggregate risk score for the entire SBOM
Alerts — raised for components with Critical or High severity CVEs
Downloadable report — full findings for compliance review or vendor risk assessment
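The following is an added illustration of what an SBOM-only scan has to do, not code from OpsMx or Delivery Shield: it parses a constructed CycloneDX JSON SBOM, matches each component's purl and version against a constructed, offline stand-in for the NVD/OSV/GHSA feeds (placeholder CVE ids), checks licenses against a constructed policy, raises alerts at the Critical/High threshold the page describes, and aggregates an overall risk status. The component names, versions, CVE ids and license policy are all assumptions.

```python
import json

# Constructed CycloneDX 1.5 SBOM used as sample input (not a real product SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "acme-logger", "version": "2.14.1",
         "purl": "pkg:maven/com.acme/acme-logger@2.14.1",
         "licenses": [{"license": {"id": "Apache-2.0"}}]},
        {"type": "library", "name": "acme-json", "version": "1.9.0",
         "purl": "pkg:npm/acme-json@1.9.0?arch=x86",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"type": "library", "name": "acme-crypto", "version": "3.2.0",
         "purl": "pkg:pypi/acme-crypto@3.2.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
    ],
})

# Constructed offline stand-in for the NVD/OSV/GHSA advisory feeds:
# purl without version -> list of (placeholder CVE id, severity, fixed-in version).
ADVISORIES = {
    "pkg:maven/com.acme/acme-logger": [("CVE-0000-PLACEHOLDER-1", "Critical", "2.17.1"),
                                       ("CVE-0000-PLACEHOLDER-2", "Medium", "2.15.0")],
    "pkg:npm/acme-json": [("CVE-0000-PLACEHOLDER-3", "High", "1.8.0")],  # already fixed
}
SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
ALERT_THRESHOLD = "High"            # alerts for Critical or High CVEs, as the page describes
DENIED_LICENSES = {"GPL-3.0-only"}  # constructed organisation license policy (assumption)

def version_key(v):
    """Order dotted numeric versions; non-numeric parts sort as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in v.split("."))

def parse_cyclonedx(text):
    """Return the component inventory of a CycloneDX JSON SBOM, keyed for advisory matching."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    comps = []
    for c in bom.get("components", []):
        purl = c.get("purl", "").split("?", 1)[0].split("#", 1)[0]  # drop qualifiers/subpath
        base = purl.rsplit("@", 1)[0] if "@" in purl else purl
        lics = [l.get("license", {}).get("id", "UNKNOWN") for l in c.get("licenses", [])]
        comps.append({"name": c["name"], "version": c["version"], "purl_base": base, "licenses": lics})
    return comps

def scan_sbom(text):
    """Match each component against ADVISORIES and the license policy, then aggregate risk."""
    findings, license_risks = [], []
    for comp in parse_cyclonedx(text):
        for cve, severity, fixed_in in ADVISORIES.get(comp["purl_base"], []):
            if version_key(comp["version"]) < version_key(fixed_in):  # affected if below the fix
                findings.append({"component": comp["name"], "version": comp["version"],
                                 "cve": cve, "severity": severity, "fix_version": fixed_in})
        license_risks += [(comp["name"], l) for l in comp["licenses"] if l in DENIED_LICENSES]
    alerts = [f for f in findings if SEVERITY_RANK[f["severity"]] >= SEVERITY_RANK[ALERT_THRESHOLD]]
    worst = max((SEVERITY_RANK[f["severity"]] for f in findings), default=0)
    risk_status = {v: k for k, v in SEVERITY_RANK.items()}.get(worst, "None")
    return {"findings": findings, "license_risks": license_risks, "alerts": alerts, "risk_status": risk_status}

if __name__ == "__main__":
    print(json.dumps(scan_sbom(SAMPLE_SBOM), indent=2))
```

Real scanners compare against versioned affected ranges from the advisory feed rather than a single fixed-in version, so treat the matching rule here as the simplest correct case.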
Mobile Artifact Scan (JFrog Artifactory)
The JFrog Artifactory Mobile Artifact Scan enables comprehensive security scanning of mobile application artifacts — specifically APK files — stored in JFrog Artifactory repositories. It integrates multiple specialized scanning engines — VirusTotal, MobSF (Mobile Security Framework), and SBOM generation — to provide malware detection, deep mobile security analysis, and complete component inventory for every scanned mobile artifact.
Note: This feature currently supports APK files only.
Why Mobile Artifact Scan Is Used in OpsMx
Mobile applications carry unique security risks that standard container or source code scanners are not equipped to detect — embedded malware, insecure permissions, hardcoded secrets, insecure API endpoints, and third-party SDK vulnerabilities. Before a mobile artifact is distributed or deployed, it must be validated against these mobile-specific threats.
Mobile Artifact Scan addresses this by:
Providing malware detection powered by 70+ antivirus engines via VirusTotal — catching threats missed by any single scanner
Running comprehensive mobile security analysis via MobSF — covering code vulnerabilities, permission risks, API security, and compliance checks
Generating a complete SBOM for every APK — mapping all embedded libraries, dependencies, and their known CVEs
Enabling automated, event-driven scanning — every new APK deployment in Artifactory triggers a scan automatically
Supporting organization-wide mobile artifact governance — scanning across single repositories or multiple repository groups
Project Creation Levels
Mobile Artifact Scan supports two project scoping levels in JFrog Artifactory:
Level | Scope
Repository Level | Scans mobile artifacts within a single JFrog Artifactory repository — provides complete visibility into all mobile application versions in that repository
Repository All Level | Scans across multiple repositories in a repository group — enables organization-wide mobile artifact analysis with aggregated security reporting
Artifact Selection Options
Option | Behavior
All Artifacts | Scans every mobile artifact version in the repository
Latest Only | Scans only the most recent version of each mobile artifact — optimized for active development workflows
Prerequisites & Integrator Setup
Before enabling Mobile Artifact Scan, the following integrations must be configured in Delivery Shield:
1. JFrog Artifactory Integrator: Repository connectivity and artifact retrieval — requires JFrog credentials
2. JFrog Xray Integrator: Deep artifact security scanning integrated with Artifactory
3. MobSF Integrator: Mobile security analysis — enable Static Analysis mode
4. VirusTotal Integrator: Malware detection — enable Malware Detection toggle
How Mobile Artifact Scan Works — Scan Orchestration
The scan follows a structured 7-stage pipeline from change detection to team notification:
Scanning Capabilities
VirusTotal Integration — Malware Detection
Capability | Description
Multi-Engine Analysis | Submits APK files to VirusTotal for scanning across 70+ antivirus engines simultaneously
File Hash Reputation | Checks APK file hash against VirusTotal's global threat intelligence database
Behavioral Analysis | Analyzes mobile app behavior and flags suspicious activities
Reputation Scoring | Provides reputation scores based on community and global threat intelligence
Real-Time Updates | Leverages continuously updated malware detection signatures
MobSF Integration — Mobile Security Analysis
Capability | Description
Static Analysis (SAST) | Comprehensive static analysis of APK files — code vulnerability detection, permission analysis, hardcoded secrets detection, insecure configuration identification
Dynamic Analysis | Optional runtime behavior analysis of the APK in a sandboxed environment
API Security Testing | Assessment of API endpoints exposed or consumed by the mobile application
Permission Analysis | Flags excessive, dangerous, or misused Android permissions
Hardcoded Secrets Detection | Identifies API keys, tokens, and passwords embedded in the APK code
Compliance Checking | Validates mobile app security standards and app store security requirements
Configuration Security | Detects insecure app configurations — debug mode enabled, backup allowed, exported components
SBOM Generation — Dependency & Component Inventory
Capability | Description
Dependency Mapping | Creates a comprehensive SBOM for the APK — mapping all embedded libraries and third-party SDKs
Component Inventory | Identifies all embedded libraries, versions, and origins
Vulnerability Correlation | Maps every component to known CVEs from NVD and OSV databases
License Compliance | Tracks open-source licenses across all embedded dependencies and flags violations
Export Formats | Generates SBOM in SPDX, CycloneDX, and JSON formats
Dependency Tree | Visualizes nested dependency relationships within the APK
Scheduling & Scan Optimization
Feature | Description
Scheduled Scans | Run at configurable intervals — minutes, hours, or days
Event-Based Triggers | Automatically triggered on new APK deployments to Artifactory
Manual On-Demand | Initiate scans at any time from the dashboard
Content Hash Skip | Skips unchanged artifacts using content hash comparison — no redundant scans
Differential Scanning | Scans only updated dependencies when a new version of a known APK is detected
Parallel Scanning | Scans multiple artifacts simultaneously for large repositories
Incremental Scanning | Supports partial updates for repositories with frequent minor changes
Role-Based Access Control (RBAC)
Mobile Artifact Scan respects JFrog Artifactory's existing permission model:
Permission | Grants
Read access to target repository | Required to execute scans
scan-viewer | Access to view scan reports and findings
scan-admin | Access to configure scan settings and manage scan schedules
Mobile Artifact Scan Results
Once scanning completes, a comprehensive report is generated and available in the Reports page, including:
Section | Contents
Malware Detection Summary | VirusTotal results, engine-by-engine threat scores, and reputation assessment
Security Assessment | MobSF static and dynamic analysis findings — vulnerabilities, permissions, hardcoded secrets, API risks
SBOM Inventory | Complete component and dependency list with version, origin, and license per entry
Vulnerability Correlation | CVE findings mapped to specific SBOM components
Compliance Status | App store requirements and mobile security standards compliance check
Remediation Guidance | Mobile-specific, actionable security recommendations per finding
Key Components
Component | Role
Artifactory Adapter | Repository connectivity and APK artifact retrieval from JFrog Artifactory
VirusTotal Integrator | Malware scanning and threat intelligence via 70+ antivirus engines
MobSF Engine | Mobile-specific static and dynamic security analysis
SBOM Generator | Dependency mapping, component tracking, and CVE correlation
Report Generator | Consolidates all findings into a unified, downloadable report
Comparing All Data Source Types
Capability | Source Scan | Artifact Scan | SBOM Scan | Mobile Artifact Scan
What gets scanned | Git repo / branch | Container image | Uploaded SBOM file | APK in JFrog Artifactory
Source code required | ✅ | ❌ | ❌ | ❌
Integration required | For private repos | For private registries | ❌ Never | ✅ JFrog + MobSF + VirusTotal
Malware detection | ❌ | ❌ | ❌ | ✅ VirusTotal (70+ engines)
SAST scanning | ✅ Semgrep, SonarQube | ❌ | ❌ | ✅ MobSF
SCA scanning | ✅ | ✅ Trivy, Grype | ✅ CVE matching | ✅ SBOM correlation
SBOM generated | ✅ | ✅ | Upload only | ✅ SPDX / CycloneDX / JSON
License compliance | ✅ | ✅ | ✅ | ✅
Auto re-scan on changes | ✅ On new commits | ✅ On new image tags | ❌ Manual | ✅ On new APK deployments
Downloadable reports | ✅ | ✅ | ✅ | ✅
Alerts raised | ✅ | ✅ | ✅ | ✅
Benefits for the User
1. Scan Any Asset — Immediately, Without Pipeline Changes
All four Data Source types support on-demand scanning with no webhook configuration, no pipeline modification, and no DevOps involvement — security and compliance teams can initiate scans independently at any time.
2. Mobile-Specific Security — Purpose-Built for APKs
Standard container and source scanners cannot detect mobile threats. Mobile Artifact Scan combines VirusTotal's 70+ engine malware detection with MobSF's deep static and dynamic analysis — providing security coverage purpose-built for the unique threat surface of mobile applications.
3. Third-Party & Vendor Risk Assessment — No Source Code Needed
SBOM Scan and Mobile Artifact Scan both enable security assessment of software teams did not build — vendor applications, COTS products, and third-party mobile SDKs — from component inventory alone.
4. Unified Reports Across All Asset Types
Whether scanning source code, a container image, an SBOM file, or a mobile APK, all results land in the same Reports page in Delivery Shield — with consistent severity categorization, alert management, and download options.
5. Always Current — Automated Re-scanning on Changes
Source Scan re-scans on new commits, Artifact Scan detects new image tags, and Mobile Artifact Scan triggers automatically on every new APK deployment — ensuring security findings are never stale as assets evolve.
6. Complete Mobile Application Lineage
Mobile Artifact Scan generates a full SBOM for every APK — mapping all embedded libraries, SDKs, and their known CVEs — giving mobile security teams the same component-level transparency that container scanning provides for cloud-native applications.
7. Compliance Evidence — On Demand
All scan results are downloadable in report format — ready for regulatory submission, internal audit review, or deployment gate documentation across all four data source types.