
# Vulnerability Scans

When you update software on your edge devices, you need to know that the content you are sending to the devices is secure. Your update flows, runs, and artifacts in JFrog Connect are automatically scanned for security vulnerabilities using JFrog Xray, JFrog’s solution for software composition analysis. Xray is integrated with Connect and JFrog Artifactory to provide an easy and proactive solution for identifying security vulnerabilities in open-source and other third-party software.

## Scan of Update Content

When you upload content (including Docker images, release bundles, and other artifacts) to Artifactory, Xray scans the content to analyze it for common vulnerabilities and exposures (CVEs).

Once you have created an [update flow](/features-new-ui/deployments/update-flow.md) using the [Deploy Docker](/features-new-ui/deployments/update-flow/step-types/use-single-container.md), the [Artifacts](/features-new-ui/deployments/update-flow/step-types/download-artifacts.md), or the [Release Bundle](/features-new-ui/deployments/update-flow/step-types/download-release-bundle.md) step types, Connect displays information in the Update Flows tab about the results of the Xray scan for CVEs. (Connect uses the Artifactory path that you specified in the flow steps to locate the content and its corresponding Xray analysis.)


When you hover over the vulnerabilities in the column, a popup appears showing the number of vulnerabilities found at each severity level.


### Vulnerability Drill-down

To get more information about the specific vulnerabilities, click the vulnerabilities (or the arrow) in the Vulnerabilities column. The [Scans List page in Xray](https://jfrog.com/help/r/jfrog-security-documentation/xray-scan-results) appears, where you can view analysis info and go to details about specific vulnerabilities. (For example, to drill down to a specific vulnerability, click a section of the Vulnerabilities ring chart or click Applicable in the Applicability chart.)


### Vulnerabilities at Deployment Time

Connect also displays the current CVE Severities when the content is actually deployed.


Once the deployment is run, these are displayed in the Runs tab and serve as an indication of the vulnerability status of the content that was actually downloaded to your devices.


### Updates

The results of Xray scans can change over time, for example, if Xray discovers new vulnerabilities in the content. Therefore, Connect obtains new scan analysis information and refreshes the Vulnerabilities display in the Update Flow and Deployment tabs.

The CVEs are updated as follows:

* CVEs in update flows (Update Flows tab) are updated every 24 hours, for 30 days after the flow has been created or deployed.
* CVEs in deployments (Runs tab) are updated every 24 hours, for 90 days after deployment.

## Feature Limitations

### When the Scan is Not Applicable

Xray will not run scans under the following conditions:

* The update flow uses [update parameters](/features-new-ui/deployments/update-flow/use-update-parameters.md). In this case, “Dynamic Update Flow” will appear in the Vulnerabilities column.
* The content is not in Artifactory, for example, if some other repository manager is used or the content is not in a repository at all. In this case, “Not Applicable - Source” will appear in the Vulnerabilities column.

### Release Bundles

* For release bundles, Connect supports global release bundles only. For example, bundles within Artifactory projects are not supported.
* For release bundles, Connect will get scan results only from the default (main) JFrog Platform.

## What’s Next?

Learn how to create an update flow that will [deploy containers](/features-new-ui/deployments/update-flow/step-types/use-single-container.md) to your connected devices.

