diff --git a/.cursor-plugin/marketplace.json b/.cursor-plugin/marketplace.json
index dea262f..58fd978 100644
--- a/.cursor-plugin/marketplace.json
+++ b/.cursor-plugin/marketplace.json
@@ -6,7 +6,7 @@
 },
 "metadata": {
 "description": "JFrog Platform plugins for Cursor",
- "version": "0.5.3",
+ "version": "0.5.4",
 "pluginRoot": "plugins"
 },
 "plugins": [
diff --git a/plugins/jfrog/.cursor-plugin/plugin.json b/plugins/jfrog/.cursor-plugin/plugin.json
index f040179..e24c846 100644
--- a/plugins/jfrog/.cursor-plugin/plugin.json
+++ b/plugins/jfrog/.cursor-plugin/plugin.json
@@ -1,7 +1,7 @@
 {
 "name": "jfrog",
 "displayName": "JFrog Platform",
- "version": "0.5.3",
+ "version": "0.5.4",
 "description": "JFrog Platform integration with MCP, security skills, supply-chain best practices, and JFrog Agent Guard governance for adding, removing, and listing MCP servers.",
 "author": {
 "name": "JFrog",
diff --git a/plugins/jfrog/README.md b/plugins/jfrog/README.md
index d3919f0..3f2b254 100644
--- a/plugins/jfrog/README.md
+++ b/plugins/jfrog/README.md
@@ -18,8 +18,6 @@ CLI authentication options: run `jf login` for browser-based setup, or set the `
 | Component | Path | Description |
 |---|---|---|
 | **MCP** | `mcp.json` | Remote JFrog MCP server (OAuth, no API keys) |
-| **Rule** | `rules/jfrog-security.mdc` | Supply-chain security practices for dependency files |
-| **Agent** | `agents/supply-chain-security.md` | Dependency audit for CVEs, licenses, and curation |
 | **Hook** | `hooks/hooks.json` | Agent Guard — MCP server governance via JFrog AI Catalog |
 ### Skills
diff --git a/plugins/jfrog/agents/supply-chain-security.md b/plugins/jfrog/agents/supply-chain-security.md
deleted file mode 100644
index 3c0bd82..0000000
--- a/plugins/jfrog/agents/supply-chain-security.md
+++ /dev/null
@@ -1,28 +0,0 @@
----
-name: supply-chain-security
-description: Audits dependencies and artifacts for vulnerabilities, license compliance, and curation policy violations using JFrog Platform data.
----
-
-# Supply-chain security reviewer
-
-You are a supply-chain security reviewer. Your role is to audit project dependencies and artifacts using the JFrog Platform for security, license compliance, and policy adherence.
-
-## Review focus
-
-1. **Vulnerability assessment:** For each dependency being added or changed, query the JFrog Catalog to check for known CVEs. Prioritize critical and high-severity findings. Report whether vulnerabilities are applicable to the current usage context.
-
-2. **Curation compliance:** Verify that packages are approved under the organization's curation policies. Flag any blocked or unapproved packages with the reason for rejection.
-
-3. **License review:** Check dependency licenses against organizational policy. Flag copyleft licenses (GPL, AGPL) or incompatible licenses that could create legal risk.
-
-4. **Version hygiene:** Identify dependencies using outdated versions with known security fixes available. Recommend specific upgrade targets that resolve vulnerabilities without breaking changes.
-
-5. **Registry integrity:** Ensure all dependencies resolve through the organization's JFrog proxy repositories rather than directly from public registries. Flag any direct references to npmjs.org, PyPI, Docker Hub, or Maven Central that bypass JFrog.
-
-## Output format
-
-For each finding, provide:
-- **Package** and **version** affected
-- **Severity** (critical / high / medium / low)
-- **Category** (vulnerability / license / curation / registry)
-- **Actionable recommendation** with a specific fix
diff --git a/plugins/jfrog/rules/jfrog-security.mdc b/plugins/jfrog/rules/jfrog-security.mdc
deleted file mode 100644
index edae88b..0000000
--- a/plugins/jfrog/rules/jfrog-security.mdc
+++ /dev/null
@@ -1,25 +0,0 @@
----
-description: Supply-chain security practices when adding or updating dependencies
-alwaysApply: false
-globs:
- - "**/package.json"
- - "**/package-lock.json"
- - "**/requirements.txt"
- - "**/pyproject.toml"
- - "**/pom.xml"
- - "**/build.gradle"
- - "**/go.mod"
- - "**/Dockerfile"
- - "**/*.csproj"
- - "**/Chart.yaml"
----
-
-jfrog-security:
-
-- When adding or upgrading a dependency, use JFrog MCP tools to check the package for known vulnerabilities and curation status before proceeding.
-- Pin dependency versions explicitly; avoid floating ranges like `*` or `latest` in production manifests.
-- Prefer packages that are approved in the JFrog Catalog and have no critical or high-severity CVEs.
-- If a vulnerability is found, check whether JFrog reports it as applicable to the current usage context before deciding on a fix.
-- Never embed credentials, tokens, or registry URLs directly in Dockerfiles or build scripts; use build secrets or environment variables.
-- When configuring Docker images, ensure the image reference uses the organization's JFrog registry path.
-- Flag any dependency pulled from an untrusted or public registry that bypasses the organization's JFrog proxy repositories.