AppTrust: Added Application key env var and passed it to scan-pull-request flow

go.mod

@@ -118,7 +118,7 @@ require (
 	gopkg.in/warnings.v0 v0.1.2 // indirect
 )
 
-replace github.com/jfrog/jfrog-cli-security => github.com/jfrog/jfrog-cli-security v1.19.1-0.20250625095826-3aba9954dfc9
+replace github.com/jfrog/jfrog-cli-security => github.com/eranturgeman/jfrog-cli-security v0.0.0-20250630111707-02606baf6aad
 
 // replace github.com/jfrog/jfrog-cli-core/v2 => github.com/jfrog/jfrog-cli-core/v2 dev
 

go.sum

@@ -55,6 +55,8 @@ github.com/elazarl/goproxy v1.7.2 h1:Y2o6urb7Eule09PjlhQRGNsqRfPmYI3KKQLFpCAV3+o
 github.com/elazarl/goproxy v1.7.2/go.mod h1:82vkLNir0ALaW14Rc399OTTjyNREgmdL2cVoIbS6XaE=
 github.com/emirpasic/gods v1.18.1 h1:FXtiHYKDGKCW2KzwZKx0iC0PQmdlorYgdFG9jPXJ1Bc=
 github.com/emirpasic/gods v1.18.1/go.mod h1:8tpGGwCnJ5H4r6BWwaV6OrWmMoPhUl5jm/FMNAnJvWQ=
+github.com/eranturgeman/jfrog-cli-security v0.0.0-20250630111707-02606baf6aad h1:Y4e5Py8UPzhVEUq+2S9yPqF2wNi2E99Gnm7oLvJItNE=
+github.com/eranturgeman/jfrog-cli-security v0.0.0-20250630111707-02606baf6aad/go.mod h1:XCm3fmoqCp+BmidG8AUwWpvDiwb2rubJ0gFr5rNtFtM=
 github.com/fatih/color v1.16.0 h1:zmkK9Ngbjj+K0yRhTVONQh1p/HknKYSlNT+vZCzyokM=
 github.com/fatih/color v1.16.0/go.mod h1:fL2Sau1YI5c0pdGEVCbKQbLXB6edEj1ZgiY4NijnWvE=
 github.com/forPelevin/gomoji v1.3.0 h1:WPIOLWB1bvRYlKZnSSEevLt3IfKlLs+tK+YA9fFYlkE=
@@ -130,8 +132,6 @@ github.com/jfrog/jfrog-cli-artifactory v0.3.2 h1:oBhiHBtWZCe4rG/WSwFWw3gqGnkcj3/
 github.com/jfrog/jfrog-cli-artifactory v0.3.2/go.mod h1:nRWIPgWl6IiZ7u5Ss40BL1YcL/naWwRgnrGllFBV0Ao=
 github.com/jfrog/jfrog-cli-core/v2 v2.59.0 h1:Oqi2+skTbJIRDVyhN8kJdCP8w3w1mzXS1/Mx5AIuMsU=
 github.com/jfrog/jfrog-cli-core/v2 v2.59.0/go.mod h1:1zZB8vn4yIh/hPj3ed82pI5IhKK9/SzeHsofMcknN68=
-github.com/jfrog/jfrog-cli-security v1.19.1-0.20250625095826-3aba9954dfc9 h1:whd88aGYFMSTaZVyObNIbDiPJXGII1Nbt0ce6dMI398=
-github.com/jfrog/jfrog-cli-security v1.19.1-0.20250625095826-3aba9954dfc9/go.mod h1:XCm3fmoqCp+BmidG8AUwWpvDiwb2rubJ0gFr5rNtFtM=
 github.com/jfrog/jfrog-client-go v1.28.1-0.20250623080810-85bcce028748 h1:299KpOItnMAdW2ZmWrqn4+j1dEemNWSX/PHq6C+IVQA=
 github.com/jfrog/jfrog-client-go v1.28.1-0.20250623080810-85bcce028748/go.mod h1:1v0eih4thdPA4clBo9TuvAMT25sGDr1IQJ81DXQ/lBY=
 github.com/jordan-wright/email v4.0.1-0.20210109023952-943e75fe5223+incompatible h1:jdpOPRN1zP63Td1hDQbZW73xKmzDvZHzVdNYxhnTMDA=

scanpullrequest/scanpullrequest.go

@@ -176,7 +176,7 @@ func createBaseScanDetails(repoConfig *utils.Repository, client vcsclient.VcsCli
 	}
 	scanDetails = utils.NewScanDetails(client, &repoConfig.Server, &repoConfig.Git).
 		SetJfrogVersions(repoConfig.XrayVersion, repoConfig.XscVersion).
-		SetResultsContext(repositoryCloneUrl, repoConfig.Watches, repoConfig.JFrogProjectKey, repoConfig.IncludeVulnerabilities, len(repoConfig.AllowedLicenses) > 0).
+		SetResultsContext(repositoryCloneUrl, repoConfig.Watches, repoConfig.JFrogProjectKey, repoConfig.JfrogApplicationKey, repoConfig.IncludeVulnerabilities, len(repoConfig.AllowedLicenses) > 0).
 		SetFixableOnly(repoConfig.FixableOnly).
 		SetConfigProfile(repoConfig.ConfigProfile).
 		SetSkipAutoInstall(repoConfig.SkipAutoInstall).

scanrepository/scanrepository.go

@@ -131,7 +131,8 @@ func (cfp *ScanRepositoryCmd) setCommandPrerequisites(repository *utils.Reposito
 	// Set the scan details
 	cfp.scanDetails = utils.NewScanDetails(client, &repository.Server, &repository.Git).
 		SetJfrogVersions(cfp.XrayVersion, cfp.XscVersion).
-		SetResultsContext(repositoryCloneUrl, repository.Watches, repository.JFrogProjectKey, repository.IncludeVulnerabilities, len(repository.AllowedLicenses) > 0).
+		// AppTrust is currently not supported in ScanRepository command, therefore we pass an empty applicationKey
+		SetResultsContext(repositoryCloneUrl, repository.Watches, repository.JFrogProjectKey, "", repository.IncludeVulnerabilities, len(repository.AllowedLicenses) > 0).
 		SetFixableOnly(repository.FixableOnly).
 		SetConfigProfile(repository.ConfigProfile).
 		SetSkipAutoInstall(repository.SkipAutoInstall).

testdata/config/frogbot-config-test-unmarshal.yml

@@ -35,3 +35,4 @@
         - watch-1
         - watch-2
       jfrogProjectKey: proj
+      jfrogApplicationKey: app-key

utils/consts.go

@@ -33,6 +33,7 @@ const (
 	JFrogTokenEnv            = "JF_ACCESS_TOKEN"
 	JfrogUseConfigProfileEnv = "JF_USE_CONFIG_PROFILE"
 	JfrogConfigProfileEnv    = "JF_CONFIG_PROFILE"
+	JfrogApplicationKey      = "JF_APPLICATION_KEY"
 
 	// Git environment variables
 	GitProvider                      = "JF_GIT_PROVIDER"

utils/params.go

@@ -294,6 +294,7 @@ type JFrogPlatform struct {
 	Watches                []string `yaml:"watches,omitempty"`
 	IncludeVulnerabilities bool     `yaml:"includeVulnerabilities,omitempty"`
 	JFrogProjectKey        string   `yaml:"jfrogProjectKey,omitempty"`
+	JfrogApplicationKey    string   `yaml:"jfrogApplicationKey,omitempty"` // TODO eran verify required json name
 }
 
 func (jp *JFrogPlatform) setDefaultsIfNeeded() (err error) {
@@ -302,6 +303,8 @@ func (jp *JFrogPlatform) setDefaultsIfNeeded() (err error) {
 		if jp.Watches, err = readArrayParamFromEnv(jfrogWatchesEnv, WatchesDelimiter); err != nil && !e.IsMissingEnvErr(err) {
 			return
 		}
+		// We don't want to return an error from this function if the error is of type ErrMissingEnv because JFrogPlatform environment variables are not mandatory.
+		err = nil
 	}
 	if jp.JFrogProjectKey == "" {
 		if err = readParamFromEnv(jfrogProjectEnv, &jp.JFrogProjectKey); err != nil && !e.IsMissingEnvErr(err) {
@@ -310,6 +313,13 @@ func (jp *JFrogPlatform) setDefaultsIfNeeded() (err error) {
 		// We don't want to return an error from this function if the error is of type ErrMissingEnv because JFrogPlatform environment variables are not mandatory.
 		err = nil
 	}
+	if jp.JfrogApplicationKey == "" {
+		if err = readParamFromEnv(JfrogApplicationKey, &jp.JfrogApplicationKey); err != nil && !e.IsMissingEnvErr(err) {
+			return
+		}
+		// We don't want to return an error from this function if the error is of type ErrMissingEnv because JFrogPlatform environment variables are not mandatory.
+		err = nil
+	}
 	if !jp.IncludeVulnerabilities {
 		if jp.IncludeVulnerabilities, err = getBoolEnv(IncludeVulnerabilitiesEnv, false); err != nil {
 			return
@@ -543,7 +553,7 @@ func getConfigFileContent(gitClient vcsclient.VcsClient, gitParamsFromEnv *Git,
 	return configFileContent, err
 }
 
-// BuildRepoAggregator receives the content of a frogbot-config.yml file, along with the Git (built from environment variables) and ServerDetails parameters.
+// Receives the content of a frogbot-config.yml file, along with the Git (built from environment variables) and ServerDetails parameters.
 // Returns a RepoAggregator instance with all the defaults and necessary fields.
 func BuildRepoAggregator(xrayVersion, xscVersion string, gitClient vcsclient.VcsClient, configFileContent []byte, gitParamsFromEnv *Git, server *coreconfig.ServerDetails, commandName string) (resultAggregator RepoAggregator, err error) {
 	var cleanAggregator RepoAggregator
@@ -566,7 +576,7 @@ func BuildRepoAggregator(xrayVersion, xscVersion string, gitClient vcsclient.Vcs
 	return
 }
 
-// unmarshalFrogbotConfigYaml uses the yaml.Unmarshaler interface to parse the yamlContent.
+// Uses the yaml.Unmarshaler interface to parse the yamlContent.
 // If there is no config file, the function returns a RepoAggregator with an empty repository.
 func unmarshalFrogbotConfigYaml(yamlContent []byte) (result RepoAggregator, err error) {
 	if len(yamlContent) == 0 {

utils/params_test.go

@@ -502,6 +502,7 @@ func TestFrogbotConfigAggregator_unmarshalFrogbotConfigYaml(t *testing.T) {
 	assert.ElementsMatch(t, []string{"a/b", "b/c"}, thirdRepoProject.WorkingDirs)
 	assert.ElementsMatch(t, []string{"watch-1", "watch-2"}, thirdRepo.Watches)
 	assert.Equal(t, "proj", thirdRepo.JFrogProjectKey)
+	assert.Equal(t, "app-key", thirdRepo.JfrogApplicationKey)
 }
 
 func TestVerifyValidApiEndpoint(t *testing.T) {

utils/scandetails.go

@@ -74,8 +74,8 @@ func (sc *ScanDetails) SetProject(project *Project) *ScanDetails {
 	return sc
 }
 
-func (sc *ScanDetails) SetResultsContext(httpCloneUrl string, watches []string, jfrogProjectKey string, includeVulnerabilities, includeLicenses bool) *ScanDetails {
-	sc.ResultContext = audit.CreateAuditResultsContext(sc.ServerDetails, sc.XrayVersion, watches, sc.RepoPath, jfrogProjectKey, httpCloneUrl, includeVulnerabilities, includeLicenses, false)
+func (sc *ScanDetails) SetResultsContext(httpCloneUrl string, watches []string, jfrogProjectKey string, jfrogApplicationKey string, includeVulnerabilities, includeLicenses bool) *ScanDetails {
+	sc.ResultContext = audit.CreateAuditResultsContext(sc.ServerDetails, sc.XrayVersion, watches, sc.RepoPath, jfrogProjectKey, httpCloneUrl, jfrogApplicationKey, includeVulnerabilities, includeLicenses, false)
 	return sc
 }