GITBOOK-125: change request with no subject merged in GitBook

Author: linad87

jfrog-applications/SUMMARY.md

@@ -70,7 +70,12 @@
     * [Setup Frogbot Using JFrog Pipelines](frogbot/setup-frogbot-using-jfrog-pipelines.md)
     * [Setup Frogbot Using GitLab CI](frogbot/setup-frogbot-using-gitlab-ci.md)
     * [Setup Frogbot Using Azure Pipelines](frogbot/setup-frogbot-using-azure-pipelines.md)
-  * [Scan Pull Requests](frogbot/scan-pull-requests.md)
+  * [Scan Pull Requests](jfrog-applications/frogbot/scan-pull-requests/README.md)
+    * [Scan Github Pull Request](jfrog-applications/frogbot/scan-pull-requests/scan-github-pull-request.md)
+    * [Scan Gitlab Pull Request](jfrog-applications/frogbot/scan-pull-requests/scan-gitlab-pull-request.md)
+    * [Scan Azure Repos Pull Request](jfrog-applications/frogbot/scan-pull-requests/scan-azure-repos-pull-request.md)
+    * [Scan Bitbucket Server Pull Request](jfrog-applications/frogbot/scan-pull-requests/scan-bitbucket-server-pull-request.md)
+    * [Pull Request Scan Results](jfrog-applications/frogbot/scan-pull-requests/pull-request-scan-results.md)
   * [Scan Repositories](frogbot/scan-repositories.md)
   * [Frogbot Badge](frogbot/frogbot-badge.md)
 

jfrog-applications/frogbot/scan-pull-requests.md

@@ -1,6 +1,6 @@
 # Setup Frogbot Using Azure Pipelines
 
-**Important Notice**: For Scanning Pull Requests, it is advisable to refrain from setting up Frogbot using Azure Pipelines for open source projects. For further details, please refer to the [👮 Security Note for Pull Requests Scanning](./scan-pull-requests.md#security-note-for-pull-requests-scanning).
+**Important Notice**: For Scanning Pull Requests, it is advisable to refrain from setting up Frogbot using Azure Pipelines for open source projects. For further details, please refer to the [👮 Security Note for Pull Requests Scanning](../jfrog-applications/frogbot/scan-pull-requests/#security-note-for-pull-requests-scanning).
 
 To install Frogbot on Azure Repos repositories, follow these steps.
 

jfrog-applications/frogbot/setup-frogbot-using-azure-pipelines.md

@@ -1,6 +1,6 @@
 # Setup Frogbot Using Jenkins
 
-**Important Notice**: For Scanning Pull Requests, it is advisable to refrain from setting up Frogbot using Jenkins for open source projects. For further details, please refer to the [👮 Security Note for Pull Requests Scanning](scan-pull-requests.md#security-note-for-pull-requests-scanning).
+**Important Notice**: For Scanning Pull Requests, it is advisable to refrain from setting up Frogbot using Jenkins for open source projects. For further details, please refer to the [👮 Security Note for Pull Requests Scanning](../jfrog-applications/frogbot/scan-pull-requests/#security-note-for-pull-requests-scanning).
 
 #### 🖥️ Follow these steps to install Frogbot on Jenkins
 
@@ -489,11 +489,11 @@
             // Set the list of allowed licenses, The full list of licenses can be found in: 
             // https://github.com/jfrog/frogbot/blob/master/docs/licenses.md
             // JF_ALLOWED_LICENSES: "MIT, Apache-2.0"
-    
+
             // [Optional]
             // Avoid adding extra info to pull request comments. that isn't related to the scan findings. 
             // JF_AVOID_EXTRA_MESSAGES: "TRUE"
-    
+
             // [Optional]
             // Add a title to pull request comments generated by Frogbot. 
             // JF_PR_COMMENT_TITLE: ""

jfrog-applications/frogbot/setup-frogbot-using-jenkins.md

@@ -1,6 +1,6 @@
 # Setup Frogbot Using JFrog Pipelines
 
-**Important Notice**: For Scanning Pull Requests, it is advisable to refrain from setting up Frogbot using JFrog Pipelines for open source projects. For further details, please refer to the [👮 Security Note for Pull Requests Scanning](./scan-pull-requests.md#security-note-for-pull-requests-scanning).
+**Important Notice**: For Scanning Pull Requests, it is advisable to refrain from setting up Frogbot using JFrog Pipelines for open source projects. For further details, please refer to the [👮 Security Note for Pull Requests Scanning](../jfrog-applications/frogbot/scan-pull-requests/#security-note-for-pull-requests-scanning).
 
 * Make sure you have the connection details of your JFrog Platform.
 * Inside JFrog Pipelines, save the JFrog connection details as a [JFrog Platform Access Token Integration](https://www.jfrog.com/confluence/display/JFROG/JFrog+Platform+Access+Token+Integration) named **jfrogPlatform**.

jfrog-applications/frogbot/setup-frogbot-using-jfrog-pipelines.md

@@ -0,0 +1,16 @@
+# Scan Pull Requests
+
+### General
+
+Frogbot uses [JFrog Xray](https://jfrog.com/xray/) (version 3.29.0 and above is required) to scan your pull requests. It adds the scan results as a comment on the pull request. If no new vulnerabilities are found, Frogbot will also add a comment, confirming this.
+
+The following features use the package manager used for building the project:
+
+* Software Composition Analysis (SCA)
+* Vulnerability Contextual Analysis
+
+### Security note for pull requests scanning
+
+When installing Frogbot using JFrog Pipelines, Jenkins, and Azure DevOps, Frogbot will not wait for a maintainer's approval before scanning newly opened pull requests. Using Frogbot with these platforms is therefore not recommended for open-source projects.
+
+When installing Frogbot using GitHub Actions and GitLab however, Frogbot will initiate the scan only after it is approved by a maintainer of the project. The goal of this review is to ensure that external code contributors don't introduce malicious code as part of the pull request. Since this review step is enforced by Frogbot when used with GitHub Actions and GitLab, it is safe to be used for open-source projects.

jfrog-applications/jfrog-applications/frogbot/scan-pull-requests/README.md

@@ -0,0 +1,53 @@
+# Pull Request Scan Results
+
+### Scan results
+
+Frogbot adds the scan results to the pull request in the following format:
+
+#### 👍 No issues
+
+If no new vulnerabilities are found, Frogbot automatically adds the following comment to the pull request:
+
+[![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/noVulnerabilityBannerPR.png)](pull-request-scan-results.md#-no-issues)
+
+#### 👎 Issues were found
+
+**Software Composition Analysis (SCA)**
+
+If new vulnerabilities are found, Frogbot adds them as a comment on the pull request. For example:
+
+[![](https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/vulnerabilitiesBannerPR.png)](pull-request-scan-results.md#-issues)
+
+**VULNERABLE DEPENDENCIES**
+
+|                                                               SEVERITY                                                              | CONTEXTUAL ANALYSIS | DIRECT DEPENDENCIES | IMPACTED DEPENDENCY |       FIXED VERSIONS      |
+| :---------------------------------------------------------------------------------------------------------------------------------: | :-----------------: | :-----------------: | :-----------------: | :-----------------------: |
+| <p><img src="https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/notApplicableCritical.png" alt=""><br>Critical</p> |    Not Applicable   |    minimist:1.2.5   |    minimist:1.2.5   | <p>[0.2.4]<br>[1.2.6]</p> |
+|   <p><img src="https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/applicableHighSeverity.png" alt=""><br>High</p>  |      Applicable     |  protobufjs:6.11.2  |  protobufjs:6.11.2  |         \[6.11.3]         |
+|     <p><img src="https://raw.githubusercontent.com/jfrog/frogbot/master/resources/v2/notApplicableHigh.png" alt=""><br>High</p>     |    Not Applicable   |    lodash:4.17.19   |    lodash:4.17.19   |         \[4.17.21]        |
+
+**Vulnerability Contextual Analysis**
+
+![](https://raw.githubusercontent.com/jfrog/frogbot/master/images/pr-vuln-contextual-analysis.png)
+
+**Static Application Security Testing (SAST)**
+
+![](https://raw.githubusercontent.com/jfrog/frogbot/master/images/pr-sast.png)
+
+**Infrastructure as Code scans (IaC)**
+
+![](https://raw.githubusercontent.com/jfrog/frogbot/master/images/pr-iac.png)
+
+**Validate Allowed Licenses**
+
+When Frogbot scans newly opened pull requests, it checks the licenses of any new direct project dependencies introduced by the pull request. If Frogbot identifies licenses that are not listed in a predefined set of approved licenses, it appends a comment to the pull request providing this information. The list of allowed licenses is set up as a variable within the Frogbot workflow.
+
+![](https://raw.githubusercontent.com/jfrog/frogbot/master/images/violated-licenses.png)
+
+#### Secrets Detection
+
+When Frogbot detects secrets that have been inadvertently exposed within the code of a pull request, it promptly triggers an email notification to the user who pushed the corresponding commit. The email address utilized for this notification is sourced from the committer's Git profile configuration. Moreover, Frogbot offers the flexibility to direct the email notification to an extra email address if desired. To activate email notifications, it is necessary to configure your SMTP server details as variables within your Frogbot workflows.
+
+![](https://raw.githubusercontent.com/jfrog/frogbot/master/images/secrets-email.png)
+
+xx

jfrog-applications/jfrog-applications/frogbot/scan-pull-requests/pull-request-scan-results.md

@@ -0,0 +1,11 @@
+# Scan Azure Repos Pull Request
+
+After you create a new pull request, Frogbot will automatically scan it.
+
+_**NOTE:**_ The scan output will include only new vulnerabilities added by the pull request. Vulnerabilities that aren't new, and existed in the code before the pull request was created, will not be included in the report. In order to include all the vulnerabilities in the report, including older ones that weren't added by this PR, use the includeAllVulnerabilities parameter in the frogbot-config.yml file.
+
+The Frogbot Azure Repos scan workflow is:
+
+1. The developer opens a pull request.
+2. Frogbot scans the pull request and adds a comment with the scan results.
+3. Frogbot can be triggered again following new commits, by adding a comment with the `rescan` text.

jfrog-applications/jfrog-applications/frogbot/scan-pull-requests/scan-azure-repos-pull-request.md

@@ -0,0 +1,11 @@
+# Scan Bitbucket Server Pull Request
+
+After you create a new pull request, Frogbot will automatically scan it.
+
+_**NOTE:**_ The scan output will include only new vulnerabilities added by the pull request. Vulnerabilities that aren't new, and existed in the code before the pull request was created, will not be included in the report. In order to include all of the vulnerabilities in the report, including older ones that weren't added by this PR, use the includeAllVulnerabilities parameter in the frogbot-config.yml file.
+
+The Frogbot scan on Bitbucket Server workflow:
+
+1. The developer opens a pull request.
+2. Frogbot scans the pull request and adds a comment with the scan results.
+3. Frogbot can be triggered again following new commits, by adding a comment with the `rescan` text.