Most security teams think running a scanner means they're protected. It doesn't. Scanning finds vulnerabilities after packages have already arrived — it doesn't block risky dependencies at the door, tell you whether a vulnerable code path is actually reachable, or alert you when a CVE disclosed yesterday is running in production right now.

This track builds the full security stack: block threats before they enter, prioritize what actually matters, and maintain visibility from code to runtime. Work through the sections in order, or jump to the one that matches your most urgent gap.

Xray Foundation

Start here. If Xray is running but no policies are enforced, you're collecting vulnerability data with nothing acting on it. This section takes you from a bare Xray setup to a fully enforced pipeline: indexing configured, policies defined, watches attached, and developers who understand what they're looking at. Recommended for: All roles new to JFrog Xray.

Getting Started with Xray Security

A policy without a watch does nothing — silently. A watch on the wrong repo leaves gaps. A fail-build gate with no grace period breaks every build on day one. This path closes those gaps in the right order, so your security posture is real — not just configured.

Software Supply Chain Security: Xray Policies, Integrations, and SBOMs (JFTC 507)

Designed for DevSecOps and Security Champions, this course automates compliance using JFrog Xray. You will create policies, generate SBOMs, integrate scanning, and use dedicated resources and tools to develop a comprehensive execution plan.

Xray Quiz

Test your knowledge of JFrog Xray concepts, policies, and scanning behavior. Take this after completing the Xray Foundation courses to confirm you're ready to move on.

Xray Technical Deep Dive

Equip yourself with the skills to leverage Xray effectively in your software development lifecycle.

JFrog Curation

Xray scans what's already in your repositories. Curation decides what's allowed to arrive in the first place. Every time a developer runs npm install or pip install, packages enter your environment unchecked — Xray catches the problem after the fact. This section moves that enforcement to the perimeter, before the package ever touches your SDLC. Note: Complete the Xray section before starting here.

Getting started with JFrog Curation

Learn how to set up and roll out the JFrog Curation service in your platform to boost adoption and maximize efficiency.

Administering JFrog Curation

Take your Curation service to the next level of scale, adoption, and efficiency.

JFrog Curation for Developers

This course introduces JFrog Curation and its value to the software developer, shows how to integrate it seamlessly into the development workflow, and shows how it boosts productivity with quick resolutions to security vulnerabilities.

Software Supply Chain Security: Curation, Policies, and Catalog Management (JFTC 506)

Designed for DevSecOps and Security Champions, this course uses JFrog Curation to block malicious packages at the source. You will configure risk policies, manage waivers, and leverage dedicated resources and tools to develop a comprehensive execution plan.

JFrog Advanced Security

If your team is chasing every Xray finding, most of that effort is wasted. The CVE is real. The severity score is real. But the code path that triggers it may never execute in your application — and while developers remediate those false priorities, the vulnerabilities that actually matter stay open. This section reduces the noise: contextual analysis, secrets detection, SAST, and IaC scanning — so your team acts on signal, not volume. Note: Complete Xray Sections before starting here.

JFrog Advanced Security

Learn to use JFrog Advanced Security to achieve comprehensive vulnerability and compliance control across your entire software supply chain. This path covers key capabilities like contextual analysis, secret detection, and SAST, empowering security managers and DevSecOps engineers to mitigate risks.

JFrog Advanced Security: Contextual Analysis, Secrets Detection, and Remediation (JFTC 508)

Designed for DevSecOps and Security Professionals, this intermediate course uses JFrog Advanced Security to eliminate alert fatigue. You will use Contextual Analysis to filter irrelevant risks, deploy scanners for secrets and IaC misconfigurations, and use dedicated resources and tools to build a comprehensive execution plan.

Security Execution Toolkit

Complete the labs, enable your developers, and leverage our high-level execution plans for every security product.

The JFrog Accelerator: Hands-On JFrog Security Lab Subscription

Unlock your team's JFrog security expertise with a continuous stream of practical hands-on labs.

JFrog Security for Developers

Empower your coding with JFrog security tools. This path teaches you to secure code instantly using the IDE Plugin and JFrog CLI. Master Frogbot for Git, learn SAST analysis, and apply Curation policies to prevent risky dependencies from entering your builds.

JFrog Curation Implementation: Overview & Execution Plan

A practical, step-by-step execution plan to guide you through implementing JFrog Curation in your environment.
