Back to Details

jfrog

Compare original and translation side by side

🇺🇸

Original

English
🇨🇳

Translation

Chinese

JFrog Skill

JFrog技能

The foundational skill for all JFrog agent interactions. Covers JFrog Platform concepts, 
jf
CLI setup and authentication, and intent routing to workflow skills.
Interact with the JFrog Platform through the JFrog CLI (
jf
) and, where the CLI falls short, through REST APIs and GraphQL. In code examples below, 
<skill_path>
refers to this skill's directory and is resolved automatically by the agent. If the agent does not resolve it, determine the path by locating this SKILL.md file and using its parent directory.
所有JFrog Agent交互的基础技能。涵盖JFrog平台概念、
jf
CLI的设置与认证,以及工作流技能的意图路由。
通过JFrog CLI(
jf
)与JFrog平台交互,当CLI功能不足时,可通过REST API和GraphQL补充。以下代码示例中,
<skill_path>
指此技能的目录,Agent会自动解析该路径。若Agent未自动解析,可通过定位此SKILL.md文件并使用其父目录来确定路径。

Prerequisites

前置条件

The following tools must be available on 
PATH
:
ToolPurpose
jq
JSON parsing of CLI and API output
All HTTP traffic to JFrog Platform APIs goes through the 
jf
CLI itself (
jf api
, see Invoking platform APIs with 
jf api
 below) — no standalone 
curl
is required for any JFrog interaction.
Runtime permission for JFrog calls. All 
jf
calls that touch the network need an outbound-HTTPS escalation from the agent runtime. The 
~/.jfrog/
credential save (
jf config add
during login) additionally needs a filesystem-write escalation.
RuntimeNetworkNetwork + 
~/.jfrog/
write
Cursor
required_permissions: ["full_network"]
required_permissions: ["all"]
Claude Code
allowed-tools: Bash(jf:*)
+ host allowlist		same + filesystem allowlist
OtherConfigure at the runtime/sandbox layersame
If 
jf
exits 1 with empty output, the runtime's network gate is the first thing to check — re-run with the appropriate escalation above.
以下工具必须在
PATH
中可用:
工具用途
jq
解析CLI和API输出的JSON数据
所有发往JFrog Platform API的HTTP流量均通过
jf
CLI本身(
jf api
,见下文的【通过
jf api
调用平台API】)传输——任何JFrog交互都无需单独使用
curl
JFrog调用的运行时权限:所有涉及网络的
jf
调用都需要Agent运行时的出站HTTPS权限提升。保存
~/.jfrog/
凭证(登录期间执行
jf config add
)还需要文件系统写入权限提升。
运行环境网络权限要求网络+
~/.jfrog/
写入权限要求
Cursor
required_permissions: ["full_network"]
required_permissions: ["all"]
Claude Code
allowed-tools: Bash(jf:*)
+ 主机白名单		同上+文件系统白名单
其他环境在运行时/沙箱层配置同上
jf
执行返回状态码1且输出为空,首先检查运行时的网络网关——按照上述要求重新运行并获取权限提升。

Environment check

环境检查

Before your first JFrog operation in a session, run the environment check and remember its stdout as 
<UA>
for the rest of the session:
bash
bash <skill_path>/scripts/check-environment.sh <model-slug>
在会话中首次执行JFrog操作前,运行环境检查并记住其标准输出作为
<UA>
,供本次会话后续使用:
bash
bash <skill_path>/scripts/check-environment.sh <model-slug>

stdout (one line): model/<model-slug> jfrog-skills/<version> jfrog-cli-go/<cli-version>

标准输出(单行):model/<model-slug> jfrog-skills/<version> jfrog-cli-go/<cli-version>

stderr: JSON state (cached 24h at ${JFROG_CLI_HOME_DIR:-$HOME/.jfrog}/skills-cache/jfrog-skill-state.json)

标准错误输出:JSON状态(缓存24小时,路径为${JFROG_CLI_HOME_DIR:-$HOME/.jfrog}/skills-cache/jfrog-skill-state.json)


Pass the precise underlying-model slug with version: `opus-4.7`,
`sonnet-4.5`, `gpt-5-codex`, `gemini-2.5-pro`, `composer-2-fast`. Cursor's
Composer product slug **is** the canonical id — use it as-is. Do **not**
pass harness/role names (`subagent`, `agent`, `assistant`) or bare family
names (`claude`, `gpt`); subagents inherit the parent's slug. If genuinely
unknown, pass `unknown`.

传入包含版本的精确底层模型标识:`opus-4.7`、`sonnet-4.5`、`gpt-5-codex`、`gemini-2.5-pro`、`composer-2-fast`。Cursor的Composer产品标识即为标准ID——直接使用即可。请勿传入角色/ harness名称(如`subagent`、`agent`、`assistant`)或仅传入系列名称(如`claude`、`gpt`);子Agent会继承父Agent的标识。若确实未知,传入`unknown`。

Export 
JFROG_CLI_USER_AGENT
once per bash invocation

每次bash调用时导出一次
JFROG_CLI_USER_AGENT

At the top of every bash invocation that runs 
jf
, export 
<UA>
once; all 
jf
calls in that invocation pick it up:
bash
export JFROG_CLI_USER_AGENT='<UA>'
jf config show
jf api /artifactory/api/system/version
Do not repeat the assignment per 
jf
call (
JFROG_CLI_USER_AGENT='<UA>' jf …
on every line). Examples elsewhere in this skill and in 
references/*.md
omit the export for readability — the rule is global. When launching a subagent, pass 
<UA>
in its prompt; subagents do not re-run the script.
ExitMeaning
0Cache fresh — proceed
1Cache refreshed — proceed
2
jf
not installed — STOP, ask the user to install
3
jf
below minimum version — STOP, ask the user to upgrade
On exit 2 or 3, do not fall back to 
jf rt curl
, raw 
curl
, or other workarounds — see 
references/jfrog-cli-install-upgrade.md
. Re-run with 
--force
only when the user explicitly asks to refresh or install/upgrade.
在每个运行
jf
的bash调用顶部,导出一次
<UA>
;该调用中的所有
jf
命令都会自动读取此环境变量:
bash
export JFROG_CLI_USER_AGENT='<UA>'
jf config show
jf api /artifactory/api/system/version
请勿在每个
jf
调用中重复赋值(即不要每行都写
JFROG_CLI_USER_AGENT='<UA>' jf …
)。为便于阅读,本技能及
references/*.md
中的示例省略了导出步骤,但此规则为全局生效。启动子Agent时,在其提示中传入
<UA>
;子Agent无需重新运行该脚本。
退出码含义
0缓存有效——继续执行
1缓存已刷新——继续执行
2
jf
未安装——停止,请用户安装
3
jf
版本低于最低要求——停止,请用户升级
若退出码为2或3,请勿回退使用
jf rt curl
、原生
curl
或其他替代方案——请参考
references/jfrog-cli-install-upgrade.md
。仅当用户明确要求刷新或安装/升级时,才添加
--force
参数重新运行。

JSON parsing (
jq
)

JSON解析(
jq

Use 
jq
 for all JSON parsing of CLI and API output (pipes, 
-r
, filters).
所有CLI和API输出的JSON解析均需使用**
jq
**(包括管道、
-r
参数、过滤器)。

~/.jfrog/skills-cache/
— allowed files only

~/.jfrog/skills-cache/
— 仅允许存放指定文件

${JFROG_CLI_HOME_DIR:-$HOME/.jfrog}/skills-cache/
is not a general scratch or temp directory. Use it only for these two artifacts:
  1. jfrog-skill-state.json
     — written by 
    scripts/check-environment.sh
    (24-hour CLI check cache).
  2. onemodel-schema-${JFROG_SERVER_ID}.graphql
     — cached OneModel supergraph schema (see 
    references/onemodel-graphql.md
    ).
Do not save HTTP response bodies, GraphQL query results, ad-hoc JSON, reports, or any other temporary files under 
skills-cache/
. Write those to a host temp path instead (for example 
/tmp/<name>-$$.json
or 
mktemp -d
), echo the path when a follow-up Shell step must read the file — same pattern as Preserving command output below.
${JFROG_CLI_HOME_DIR:-$HOME/.jfrog}/skills-cache/
并非通用临时目录。仅允许在此存放以下两类文件:
  1. jfrog-skill-state.json
     — 由
    scripts/check-environment.sh
    生成(24小时CLI检查缓存)。
  2. onemodel-schema-${JFROG_SERVER_ID}.graphql
     — 缓存的OneModel超级图模式(参考
    references/onemodel-graphql.md
    )。
请勿在此目录下保存HTTP响应体、GraphQL查询结果、临时JSON、报告或其他临时文件。请将这些文件写入主机临时路径(例如
/tmp/<name>-$$.json
mktemp -d
),当后续Shell步骤需要读取该文件时,输出其路径——与下文的【保存命令输出】模式一致。

Cautious execution

谨慎执行

Do not run commands speculatively. Before executing any JFrog CLI command or API call:
  1. Confirm the operation is needed to fulfill the user's request. If the request is ambiguous or could refer to multiple systems (e.g. "builds" could mean Artifactory build-info or CI/CD pipeline runs), ask the user for clarification instead of guessing. Never fetch data from the wrong system — a wrong answer is worse than asking a question.
  2. Resolve the target server using the Server selection rules below — there must be no ambiguity about which server is used
  3. For mutating operations (create, update, delete, upload), confirm with the user unless the intent is clearly implied
  4. Prefer read operations first to understand current state before making changes
  5. Never invent preparatory mutations. If the requested operation fails because a precondition is not met (artifact missing from the specified repo, repository does not exist, package not at the expected location, build not found), stop and report the gap to the user. Do not perform copy, move, upload, create-repo, or any other mutating operation to satisfy the precondition unless the user explicitly asks for it. These "helper" mutations can have cascading effects the user has not considered — virtual repository resolution changes, storage quota consumption, replication triggers, Xray re-indexing, or permission propagation.
请勿随意执行命令。在执行任何JFrog CLI命令或API调用前:
  1. 确认该操作是满足用户请求所必需的。若请求存在歧义或可能涉及多个系统(例如"builds"可能指Artifactory构建信息或CI/CD流水线运行),请向用户确认而非猜测。切勿从错误的系统获取数据——错误的答案比提问更糟糕。
  2. 根据下文的【服务器选择规则】确定目标服务器——必须明确使用哪台服务器
  3. 对于变更操作(创建、更新、删除、上传),除非意图非常明确,否则请向用户确认
  4. 优先执行读取操作,在进行变更前先了解当前状态
  5. 切勿自行执行准备性变更。若请求的操作因前置条件未满足而失败(指定仓库中缺少制品、仓库不存在、包不在预期位置、未找到构建),停止操作并向用户报告问题。除非用户明确要求,否则请勿执行复制、移动、上传、创建仓库或其他变更操作来满足前置条件。这些"辅助"变更可能会带来用户未考虑到的连锁反应——虚拟仓库解析规则变更、存储配额消耗、触发复制、Xray重新索引或权限传播。

Server selection rules (mandatory)

服务器选择规则(强制要求)

Single-server invariant. Every 
jf
call MUST pass 
--server-id <SID>
(default resolved below); for one user request, all 
jf
calls use exactly one server-id. A wrong answer from the wrong server is worse than a stop-and-ask.
MUST NOT retry on a second configured server after 401/403/404, empty, or partial results; MUST NOT infer multi-server intent from "my"/"our" or from seeing extra entries in 
jf config show
. Override: only when the user explicitly names another id ("on 
<id>
, …", "use 
<id>
", "compare 
<a>
and 
<b>
") — inferred intent is not an override.
单服务器不变原则:每个
jf
调用必须传入
--server-id <SID>
(默认值解析见下文);针对单个用户请求,所有
jf
调用必须使用完全相同的服务器ID。从错误服务器返回的错误答案比停止操作更糟糕。
禁止在收到401/403/404、空结果或部分结果后重试另一台已配置的服务器;禁止从"my"/"our"等词汇或
jf config show
中的额外条目推断多服务器意图。例外情况:仅当用户明确指定另一ID(例如"在
<id>
上..."、"使用
<id>
"、"比较
<a>
<b>
")时——推断的意图不算例外。

Resolve the default once per session

会话开始时解析一次默认服务器

Before your first 
jf
call, resolve the default server-id and remember it as 
<SID>
for the rest of the session — same pattern as 
<UA>
:
bash
jf config show 2>/dev/null \
  | awk '/^Server ID:/{id=$NF} /^Default:[[:space:]]*true/{print id; exit}'
首次执行
jf
调用前,解析默认服务器ID并记住
<SID>
,供本次会话后续使用——与
<UA>
的使用模式一致:
bash
jf config show 2>/dev/null \
  | awk '/^Server ID:/{id=$NF} /^Default:[[:space:]]*true/{print id; exit}'

stdout: the default server-id; if empty, stop and ask which to use

标准输出:默认服务器ID;若为空,停止操作并询问用户使用哪台服务器


Pass `--server-id <SID>` to every subsequent `jf` call. The flag goes
**after** the subcommand name, not after `jf` itself:

- ✅ `jf api --server-id <SID> /artifactory/api/system/version`
- ✅ `jf rt ping --server-id <SID>`
- ❌ `jf --server-id <SID> api /…` — fails with `flag provided but not defined`

When launching a subagent, pass `<SID>` in its prompt — subagents do not
re-resolve. Examples elsewhere in this skill and in `references/*.md` omit
`--server-id` for readability; the rule is global, same as
`JFROG_CLI_USER_AGENT`.

后续所有`jf`调用均需传入`--server-id <SID>`。该参数需放在子命令名称之后,而非`jf`本身之后:

- ✅ `jf api --server-id <SID> /artifactory/api/system/version`
- ✅ `jf rt ping --server-id <SID>`
- ❌ `jf --server-id <SID> api /…` — 会因`flag provided but not defined`失败

启动子Agent时,在其提示中传入`<SID>`;子Agent无需重新解析。为便于阅读,本技能及`references/*.md`中的示例省略了`--server-id`参数,但此规则为全局生效,与`JFROG_CLI_USER_AGENT`规则一致。

On any error, stop — never switch

任何错误发生时,停止操作——切勿切换服务器

If a 
jf
call returns 401/403, 404, network error, timeout, or any other failure, stop with no further 
jf
calls and respond:
<server-id>
returned 
<code>
for 
<endpoint>
: 
<short reason>
. Other configured server(s): 
<list>
— I won't query them without your explicit instruction. How would you like to proceed?
jf
调用返回401/403、404、网络错误、超时或其他失败,停止所有后续
jf
调用并回复:
<server-id>
针对
<endpoint>
返回
<code>
<简短原因>
。其他已配置服务器:
<列表>
——未经您的明确指示,我不会查询这些服务器。您希望如何继续?

When to read reference files

何时参考参考文件

Load the most specific file for the task at hand. Avoid loading more than 2-3 reference files for a single operation — start with the most relevant one and only load additional files if the first doesn't cover the need. File sizes vary (~25–640 lines); larger files are noted with approximate line counts below.
加载与当前任务最匹配的参考文件。单个操作避免加载超过2-3个参考文件——从最相关的文件开始,仅当第一个文件无法满足需求时再加载其他文件。文件大小各不相同(约25–640行);较大的文件会在下文标注大致行数。

Cross-domain

跨领域

  • Disambiguating a JFrog entity, understanding entity types, or planning operations that span multiple products: read 
    references/jfrog-entity-index.md
    , then follow pointers to the relevant domain file
  • Looking up documentation URLs: read 
    references/jfrog-url-references.md
  • 区分JFrog实体、理解实体类型,或规划跨多个产品的操作:阅读
    references/jfrog-entity-index.md
    ,然后根据指引阅读相关领域文件
  • 查找文档URL:阅读
    references/jfrog-url-references.md

Artifactory

Artifactory

  • Repository types, artifacts, builds, properties, or permission targets (concepts): read 
    references/artifactory-entities.md
    (~220 lines)
  • Stored packages, package versions, version locations, or the metadata layer over Artifactory (concepts): read 
    references/stored-packages-entities.md
    (~165 lines)
  • Repo, file, build, permission, user/group, or replication operations: read 
    references/artifactory-operations.md
    (for listing builds use AQL with 
    limit
    /
    offset
    — see § Listing build names; for full build detail use 
    GET /api/build/<name>/<number>?project=
    — see § Retrieving full build info)
  • AQL queries: read 
    references/artifactory-aql-syntax.md
    (~585 lines)
  • Artifactory REST beyond the CLI, structured JSON templates (replacing interactive wizards), or any Artifactory API gap: read 
    references/artifactory-api-gaps.md
    (~220 lines)
  • 仓库类型、制品、构建、属性或权限目标(概念):阅读
    references/artifactory-entities.md
    (约220行)
  • 存储的包、包版本、版本位置或Artifactory元数据层(概念):阅读
    references/stored-packages-entities.md
    (约165行)
  • 仓库、文件、构建、权限、用户/用户组或复制操作:阅读
    references/artifactory-operations.md
    列出构建需使用带
    limit
    /
    offset
    的AQL——参考【列出构建名称】章节;获取完整构建详情需使用
    GET /api/build/<name>/<number>?project=
    ——参考【获取完整构建信息】章节)
  • AQL查询:阅读
    references/artifactory-aql-syntax.md
    (约585行)
  • CLI未覆盖的Artifactory REST接口、结构化JSON模板(替代交互式向导)或任何Artifactory API空白:阅读
    references/artifactory-api-gaps.md
    (约220行)

Xray & security

Xray & 安全

  • Watches, policies, violations, components, or vulnerability scanning (concepts): read 
    references/xray-entities.md
    (~290 lines)
  • Exposures scanning results (secrets, IaC, service misconfigurations, application security risks): read 
    references/xray-entities.md
    § Exposures (Advanced Security)
  • Curation audit events (approved/blocked packages, dry-run policy evaluations, curation export): read 
    references/xray-entities.md
    § Curation audit events
  • 监控、策略、违规、组件或漏洞扫描(概念):阅读
    references/xray-entities.md
    (约290行)
  • 暴露扫描结果(密钥、IaC、服务配置错误、应用安全风险):阅读
    references/xray-entities.md
    中的【暴露(高级安全)】章节
  • 治理审计事件(批准/拦截包、策略评估试运行、治理导出):阅读
    references/xray-entities.md
    中的【治理审计事件】章节

Release lifecycle & distribution

发布生命周期与分发

  • Release bundles, lifecycle stages, distribution, or evidence (concepts): read 
    references/release-lifecycle-entities.md
    (~180 lines)
  • Applications, application versions, releasables, promotions, or AppTrust (concepts): read 
    references/apptrust-entities.md
    (~155 lines)
  • 发布包、生命周期阶段、分发或证据(概念):阅读
    references/release-lifecycle-entities.md
    (约180行)
  • 应用、应用版本、可发布项、晋升或AppTrust(概念):阅读
    references/apptrust-entities.md
    (约155行)

Catalog

目录

  • Public or custom catalog, package metadata, vulnerability advisories, licenses, OpenSSF, or MCP services (concepts): read 
    references/catalog-entities.md
    (~190 lines)
  • CVE details, vulnerability lookup by CVE ID, or severity/affected-packages/fix-versions for a specific CVE: go directly to 
    references/onemodel-query-examples.md
    § Public security domain for the 
    searchVulnerabilities
    query shape — this is self-contained; do not load the 
    jfrog-package-safety-and-download
    skill for pure CVE lookups
  • 公共或自定义目录、包元数据、漏洞公告、许可证、OpenSSF或MCP服务(概念):阅读
    references/catalog-entities.md
    (约190行)
  • CVE详情、通过CVE ID查找漏洞,或特定CVE的严重性/受影响包/修复版本:直接查看
    references/onemodel-query-examples.md
    中的【公共安全领域】章节获取
    searchVulnerabilities
    查询结构——该章节内容独立;纯CVE查找无需加载
    jfrog-package-safety-and-download
    技能

OneModel (GraphQL)

OneModel(GraphQL)

  • GraphQL queries (applications, packages, evidence, release bundles, catalog, cross-domain, or "list/search my" platform entities): read 
    references/onemodel-graphql.md
    (~325 lines)
  • Query templates and domain-specific examples: read 
    references/onemodel-query-examples.md
    (~555 lines)
  • Pagination, filtering, GraphQL variables, or date formatting: read 
    references/onemodel-common-patterns.md
    (~280 lines)
  • GraphQL查询(应用、包、证据、发布包、目录、跨领域或"列出/搜索我的"平台实体):阅读
    references/onemodel-graphql.md
    (约325行)
  • 查询模板和领域特定示例:阅读
    references/onemodel-query-examples.md
    (约555行)
  • 分页、过滤、GraphQL变量或日期格式化:阅读
    references/onemodel-common-patterns.md
    (约280行)

Platform administration

平台管理

  • Platform structure, project/repo membership, or project roles vs environments (concepts): read 
    references/platform-access-entities.md
  • Access tokens, stats, projects, or system health: read 
    references/platform-admin-operations.md
  • Managing JFrog Projects, members, or environments: read 
    references/projects-api.md
    (~260 lines)
  • Platform REST beyond the CLI, or any platform-level API gap: read 
    references/platform-admin-api-gaps.md
    (~180 lines)
  • 平台结构、项目/仓库成员关系、或项目角色与环境(概念):阅读
    references/platform-access-entities.md
  • 访问令牌、统计数据、项目或系统健康:阅读
    references/platform-admin-operations.md
  • 管理JFrog项目、成员或环境:阅读
    references/projects-api.md
    (约260行)
  • CLI未覆盖的平台REST接口,或任何平台级API空白:阅读
    references/platform-admin-api-gaps.md
    (约180行)

CLI setup & authentication

CLI设置与认证

  • Adding a server or logging in: read 
    references/jfrog-login-flow.md
    (~130 lines)
  • CLI not installed, upgrade needed, or 
    jq
    unavailable    : read 
    references/jfrog-cli-install-upgrade.md
  • 添加服务器或登录:阅读
    references/jfrog-login-flow.md
    (约130行)
  • CLI未安装、需要升级或
    jq
    不可用    :阅读
    references/jfrog-cli-install-upgrade.md

General patterns

通用模式

  • Batching, parallel Shell calls, or launching subagents: read 
    references/general-parallel-execution.md
    (~135 lines)
  • Large or parallel data gathering, list-vs-detail APIs, cache hygiene: read 
    references/general-bulk-operations-and-agent-patterns.md
  • Standalone HTML report with JFrog-aligned styling: read 
    references/jfrog-brand-html-report.md
  • Reusable gotchas from past tasks: read or extend 
    references/general-use-case-hints.md
  • 批量处理、并行Shell调用或启动子Agent:阅读
    references/general-parallel-execution.md
    (约135行)
  • 大规模或并行数据收集、列表与详情API对比、缓存卫生:阅读
    references/general-bulk-operations-and-agent-patterns.md
  • 符合JFrog风格的独立HTML报告:阅读
    references/jfrog-brand-html-report.md
  • 过往任务中积累的常见问题:阅读或扩展
    references/general-use-case-hints.md

Server management

服务器管理

Server configuration is always read live from 
jf config
(never cached).
  • List servers: 
    jf config show
    (local operation, no network needed)
  • Use a specific server: pass 
    --server-id <id>
    to any command
  • Switch default: 
    jf config use <server-id>
  • Add a new server: read 
    references/jfrog-login-flow.md
    for the full login procedure (web login or manual token setup)
服务器配置始终从
jf config
实时读取(从不缓存)。
  • 列出服务器
    jf config show
    (本地操作,无需网络)
  • 使用特定服务器:在任何命令中传入
    --server-id <id>
  • 切换默认服务器
    jf config use <server-id>
  • 添加新服务器:参考
    references/jfrog-login-flow.md
    完成完整登录流程(网页登录或手动令牌设置)

Command discovery

命令发现

Use the commands listed below as your primary reference. Run 
--help
to verify options you are unsure about or to discover commands not listed here — do not rely on memorized commands outside this skill, as they may be outdated.
  1. jf --help
    — list all namespaces and top-level commands
  2. jf <namespace> --help
    — list subcommands in a namespace
  3. jf <command> --help
    — show usage, arguments, and options
以下列命令作为主要参考。若对选项不确定或需发现未在此列出的命令,运行
--help
进行验证——请勿依赖本技能之外的记忆命令,因为它们可能已过时。
  1. jf --help
    — 列出所有命名空间和顶级命令
  2. jf <namespace> --help
    — 列出命名空间下的子命令
  3. jf <command> --help
    — 显示用法、参数和选项

CLI namespaces

CLI命名空间

NamespaceAliasProduct
rt
Artifactory
xr
Xray
ds
Distribution V1
at
apptrust
AppTrust
evd
Evidence
mc
Mission Control
worker
Workers
config
c
CLI server configuration
plugin
CLI plugin management
ide
IDE integration
Sunset notice: JFrog Pipelines has been sunset and is no longer supported. Do not use the 
pl
CLI namespace or the Pipelines REST API (
/pipelines/api/...
). If a user asks about Pipelines, inform them the product has been sunset.
Top-level lifecycle commands (no namespace): 
rbc
, 
rbp
, 
rbd
, 
rba
, 
rbf
, 
rbe
, 
rbi
, 
rbs
, 
rbu
, 
rbdell
, 
rbdelr
.
Top-level security commands: 
audit
, 
scan
, 
build-scan
, 
curation-audit
, 
sbom-enrich
.
Top-level other: 
access-token-create
(
atc
), 
login
, 
how
, 
stats
, 
generate-summary-markdown
, 
exchange-oidc-token
, 
completion
.
命名空间别名产品
rt
Artifactory
xr
Xray
ds
Distribution V1
at
apptrust
AppTrust
evd
Evidence
mc
Mission Control
worker
Workers
config
c
CLI服务器配置
plugin
CLI插件管理
ide
IDE集成
弃用通知:JFrog Pipelines已停止服务,不再提供支持。请勿使用
pl
CLI命名空间或Pipelines REST API(
/pipelines/api/...
)。若用户询问Pipelines,告知他们该产品已停止服务。
顶级生命周期命令(无命名空间):
rbc
, 
rbp
, 
rbd
, 
rba
, 
rbf
, 
rbe
, 
rbi
, 
rbs
, 
rbu
, 
rbdell
, 
rbdelr
顶级安全命令:
audit
, 
scan
, 
build-scan
, 
curation-audit
, 
sbom-enrich
其他顶级命令:
access-token-create
atc
), 
login
, 
how
, 
stats
, 
generate-summary-markdown
, 
exchange-oidc-token
, 
completion

Invoking platform APIs with 
jf api

通过
jf api
调用平台API

When the CLI lacks a dedicated subcommand, use 
jf api
— the unified entry point for every JFrog Platform REST and GraphQL endpoint, auto-authenticated against the resolved server. Do not use 
jf rt curl
or 
jf xr curl
 — they are superseded by 
jf api
.
当CLI缺少专用子命令时,使用
jf api
——这是所有JFrog Platform REST和GraphQL端点的统一入口,会自动针对已解析的服务器进行认证。请勿使用
jf rt curl
jf xr curl
——它们已被
jf api
取代。

Product-prefix table

产品前缀表

jf api
requires the full path including the product prefix; omitting it returns 404.
ProductPath prefix
Artifactory
/artifactory/api/...
Xray
/xray/api/...
Access (users, groups, tokens, permissions, projects)
/access/api/...
Evidence
/evidence/api/...
Release Lifecycle
/lifecycle/api/...
AppTrust
/apptrust/api/...
Distribution
/distribution/api/...
OneModel (GraphQL)
/onemodel/api/v1/graphql
, 
/onemodel/api/v1/supergraph/schema
Mission Control
/mc/api/...
Curation
/xray/api/v1/curation/...
(lives under Xray)
jf api
要求路径包含完整的产品前缀;省略前缀会返回404。
产品路径前缀
Artifactory
/artifactory/api/...
Xray
/xray/api/...
Access(用户、组、令牌、权限、项目)
/access/api/...
Evidence
/evidence/api/...
Release Lifecycle
/lifecycle/api/...
AppTrust
/apptrust/api/...
Distribution
/distribution/api/...
OneModel(GraphQL)
/onemodel/api/v1/graphql
, 
/onemodel/api/v1/supergraph/schema
Mission Control
/mc/api/...
Curation
/xray/api/v1/curation/...
(归属Xray)

Examples

示例

bash
jf api /artifactory/api/repositories
jf api /artifactory/api/system/version --server-id <id>
bash
jf api /artifactory/api/repositories
jf api /artifactory/api/system/version --server-id <id>

AQL (POST with text/plain body)

AQL(POST请求,text/plain格式请求体)

jf api /artifactory/api/search/aql
-X POST -H "Content-Type: text/plain" -d '<aql-query>'

Common flags: `-X/--method`, `-H/--header`, `-d/--data`, `--input <file>`,
`--server-id`, `--timeout`. Body on stdout, status on stderr — see
[Gotchas](#gotchas).
jf api /artifactory/api/search/aql
-X POST -H "Content-Type: text/plain" -d '<aql-query>'

常用参数:`-X/--method`, `-H/--header`, `-d/--data`, `--input <file>`, `--server-id`, `--timeout`。响应体输出到标准输出,状态信息输出到标准错误输出——参考【常见问题】章节。

GraphQL (OneModel)

GraphQL(OneModel)

OneModel is the unified GraphQL API. Do not embed the query inside a JSON literal (
-d '{"query":"..."}'
) — escaping breaks requests. Build the payload with 
jq -n --arg
, pass it via 
--input
, and save the response to a file before running 
jq
on it.
bash
QUERY='{ evidence { searchEvidence(first: 5, where: { hasSubjectWith: { repositoryKey: "my-repo-local" } }) { totalCount } } }'
PAYLOAD=/tmp/onemodel-payload-$$.json RESPONSE=/tmp/onemodel-$$.json
jq -n --arg q "$QUERY" '{query:$q}' > "$PAYLOAD"
jf api /onemodel/api/v1/graphql -X POST \
  -H "Content-Type: application/json" --input "$PAYLOAD" > "$RESPONSE"
jq . "$RESPONSE"
Schema discovery: 
jf api /onemodel/api/v1/supergraph/schema > "$SCHEMA_FILE"
(store only under 
~/.jfrog/skills-cache/
, never query responses). Read 
references/onemodel-graphql.md
for the full workflow (schema fetch, validation, pagination, errors), plus 
references/onemodel-query-examples.md
and 
references/onemodel-common-patterns.md
for query shapes, pagination, variables, and dates.
OneModel是统一的GraphQL API。请勿将查询嵌入JSON字面量中(
-d '{"query":"..."}'
)——转义会导致请求失败。使用
jq -n --arg
构建请求体,通过
--input
传入,并将响应保存到文件后再使用
jq
解析。
bash
QUERY='{ evidence { searchEvidence(first: 5, where: { hasSubjectWith: { repositoryKey: "my-repo-local" } }) { totalCount } } }'
PAYLOAD=/tmp/onemodel-payload-$$.json RESPONSE=/tmp/onemodel-$$.json
jq -n --arg q "$QUERY" '{query:$q}' > "$PAYLOAD"
jf api /onemodel/api/v1/graphql -X POST \
  -H "Content-Type: application/json" --input "$PAYLOAD" > "$RESPONSE"
jq . "$RESPONSE"
模式发现:
jf api /onemodel/api/v1/supergraph/schema > "$SCHEMA_FILE"
(仅允许存储在
~/.jfrog/skills-cache/
下,请勿存储查询响应)。参考
references/onemodel-graphql.md
获取完整工作流(模式获取、验证、分页、错误处理),以及
references/onemodel-query-examples.md
references/onemodel-common-patterns.md
获取查询结构、分页、变量和日期处理方式。

Structured inputs

结构化输入

Several CLI commands require JSON template files. The templates are normally created by interactive wizard commands (
jf rt rpt
, 
jf rt ptt
, 
jf rt rplt
) which agents cannot use. Instead, retrieve an existing config via REST API as a starting point and modify it:
bash
jf api /artifactory/api/repositories/<repo-key>
For other Artifactory or platform REST patterns, or when you need more than this repo GET, see Any API gap under When to read reference files.
部分CLI命令需要JSON模板文件。这些模板通常由交互式向导命令(
jf rt rpt
, 
jf rt ptt
, 
jf rt rplt
)生成,但Agent无法使用这些命令。替代方案:通过REST API获取现有配置作为起点,然后进行修改:
bash
jf api /artifactory/api/repositories/<repo-key>
如需其他Artifactory或平台REST模式,或需要更多上述仓库GET操作之外的功能,请参考【何时参考参考文件】中的【任何API空白】部分。

Gotchas

常见问题

  • jf api
    requires the product prefix in the path (
    /artifactory/...
    , 
    /xray/...
    , 
    /access/...
    , 
    /evidence/...
    , 
    /lifecycle/...
    , 
    /apptrust/...
    , 
    /distribution/...
    , 
    /onemodel/...
    , 
    /mc/...
    ). Omitting the prefix returns 404. See the product-prefix table above.
  • jf api
    writes the body (success or error JSON) to stdout and 
    [Info] Http Status: NNN
    to stderr on every call; non-2xx also exits 1 and adds 
    [Warn] jf api: <method> <url> returned NNN
    . Pipe stdout to 
    jq
    directly; never 
    2>&1 | jq
     — stderr corrupts the JSON. To keep diagnostics: 
    jf api <path> 2>/tmp/err-$$.log | jq .
    .
  • jf api
    has no 
    -L
     (follow redirects) and no 
    -o
     (output file). Save bodies with shell redirection (
    jf api ... > /tmp/out-$$.json
    ); for binary downloads through the Artifactory remote proxy prefer 
    jf rt dl
    , which handles the cache and redirect semantics natively.
  • Remote repository content is stored in a 
    -cache
    suffixed repo. Properties and AQL queries for remote repo artifacts must target the cache repo. Conversely, 
    /api/repositories/<key>
    only accepts the parent remote key (without 
    -cache
    ) — strip the suffix for configuration lookups.
  • Do not use 
    jf rt search
     — always use a direct AQL query via 
    jf api /artifactory/api/search/aql -X POST -H "Content-Type: text/plain" -d '<aql>'
    . See 
    references/artifactory-aql-syntax.md
    .
  • Use 
    --quiet
    flag for non-interactive execution (suppresses confirmation prompts). Caution: 
    --quiet
    is not a global flag — commands that do not support it (e.g. 
    jf rt s
    , 
    jf rt ping
    ) will fail with misleading errors like "Wrong number of arguments" or "flag provided but not defined". Check 
    --help
    for a command before adding 
    --quiet
    .
  • Use 
    --server-id
    when targeting a non-default server. If a command fails with 
    --server-id
    , do not retry without it — that silently targets the default server instead. See Server selection rules.
  • Never use interactive commands. All JFrog CLI operations must be performed non-interactively. Known interactive commands to avoid: 
    jf config add
    , 
    jf login
    , 
    jf rt repo-template
    , 
    jf rt permission-target-template
    , and 
    jf rt replication-template
    . For server setup, follow 
    references/jfrog-login-flow.md
    . For templates, use JSON schemas or REST API. If a command prompts for input unexpectedly, find the non-interactive alternative via 
    --help
    or REST API.
  • jf config export
    output is base64-encoded JSON. Decode with 
    base64 -d | jq
    to extract fields.
  • Build info lookups require a scope (
    ?buildRepo=
    or 
    ?project=
    ) — resolve it before calling the API. See 
    references/artifactory-operations.md
    §Retrieving build info for the full workflow.
  • If a 
    jf api
    call returns 401, the configured token may have expired or been rotated — ask the user to re-run the login flow (see 
    references/jfrog-login-flow.md
    ) for the same server. If 403, the token lacks required permissions. If 404, verify the endpoint path (especially the product prefix) and target server version. On any of these errors, do not try a different configured server as a workaround — that targets a different environment. Report the error and ask the user.
  • Xray contextual analysis: the summary artifact response has two applicability fields — 
    applicability
    (top-level, often null) and 
    applicability_details
    (always present with a 
    result
    string). Use 
    applicability_details[].result
    for counts and summaries.     Using the top-level 
    applicability
    field for aggregation produces wrong counts because it is null when no scanner exists. See 
    references/xray-entities.md
    §Contextual analysis for the eight possible result values and jq snippets.
  • OneModel GraphQL: always fetch the supergraph schema from the same server you query before building operations (schemas differ by deployment); cache, validate, and execute per 
    references/onemodel-graphql.md
    .
  • Never duplicate a network-fetching command to retry 
    jq
    parsing — save the response to a temp file first (see Preserving command output).
  • When collecting detail responses in a loop (e.g. per-repo GETs), validate each body with 
    jq -e .
    before appending to a results file. One non-JSON or empty response corrupts a downstream 
    jq -s
    slurp. Write validated lines to an NDJSON file, then 
    jq -s '.' file.ndjson
    to produce the final array. See 
    references/general-bulk-operations-and-agent-patterns.md
    .
  • Accumulated edge cases from real tasks live in 
    references/general-use-case-hints.md
    — read when debugging odd failures; append a short entry when you confirm a new, reusable gotcha.
  • jf api
    要求路径包含产品前缀
    /artifactory/...
    , 
    /xray/...
    , 
    /access/...
    , 
    /evidence/...
    , 
    /lifecycle/...
    , 
    /apptrust/...
    , 
    /distribution/...
    , 
    /onemodel/...
    , 
    /mc/...
    )。省略前缀会返回404。请参考上述【产品前缀表】。
  • jf api
    将响应体(成功或错误的JSON)输出到标准输出,每次调用都会将
    [Info] Http Status: NNN
    输出到标准错误输出;非2xx状态码还会返回退出码1并添加
    [Warn] jf api: <method> <url> returned NNN
    。直接将标准输出管道到
    jq
    切勿使用
    2>&1 | jq
    ——标准错误输出会破坏JSON格式。如需保留诊断信息:
    jf api <path> 2>/tmp/err-$$.log | jq .
  • jf api
    没有
    -L
    参数    (跟随重定向),也没有
    -o
    参数    (输出到文件)。使用Shell重定向保存响应体(
    jf api ... > /tmp/out-$$.json
    );若通过Artifactory远程代理下载二进制文件,优先使用
    jf rt dl
    ,它会原生处理缓存和重定向逻辑。
  • 远程仓库的内容存储在后缀为
    -cache
    的仓库中。针对远程仓库制品的属性和AQL查询必须指向缓存仓库。反之,
    /api/repositories/<key>
    仅接受父远程仓库的Key(不带
    -cache
    后缀)——查询配置时需去掉该后缀。
  • 请勿使用
    jf rt search
    ——始终通过
    jf api /artifactory/api/search/aql -X POST -H "Content-Type: text/plain" -d '<aql>'
    直接使用AQL查询。参考
    references/artifactory-aql-syntax.md
  • 非交互式执行时使用
    --quiet
    参数(抑制确认提示)。注意
    --quiet
    并非全局参数——不支持该参数的命令(如
    jf rt s
    , 
    jf rt ping
    )会返回误导性错误,例如"Wrong number of arguments"或"flag provided but not defined"。添加
    --quiet
    前请先查看命令的
    --help
    信息。
  • 针对非默认服务器时使用
    --server-id
    参数。若命令带
    --server-id
    参数失败,请勿不带该参数重试——这会静默切换到默认服务器。参考【服务器选择规则】。
  • 切勿使用交互式命令。所有JFrog CLI操作必须以非交互式方式执行。已知需要避免的交互式命令:
    jf config add
    , 
    jf login
    , 
    jf rt repo-template
    , 
    jf rt permission-target-template
    , 和
    jf rt replication-template
    。服务器设置请遵循
    references/jfrog-login-flow.md
    。模板请使用JSON模式或REST API。若命令意外提示输入,请通过
    --help
    或REST API查找非交互式替代方案。
  • jf config export
    的输出是base64编码的JSON。使用
    base64 -d | jq
    解码以提取字段。
  • 构建信息查询需要作用域(
    ?buildRepo=
    ?project=
    )——调用API前需确定该作用域。参考
    references/artifactory-operations.md
    中的【获取构建信息】章节获取完整工作流。
  • jf api
    调用返回401,配置的令牌可能已过期或被轮换——请用户针对同一服务器重新运行登录流程(参考
    references/jfrog-login-flow.md
    )。若返回403,令牌缺少必要权限。若返回404,请验证端点路径(尤其是产品前缀)和目标服务器版本。遇到任何此类错误,请勿尝试使用其他已配置的服务器作为替代方案——这会指向不同的环境。报告错误并询问用户。
  • Xray上下文分析:摘要制品响应包含两个适用性字段——
    applicability
    (顶层,通常为null)和
    applicability_details
    (始终存在,包含
    result
    字符串)。统计和汇总时请使用
    applicability_details[].result
    。使用顶层
    applicability
    字段进行汇总会导致统计错误,因为当不存在扫描器时该字段为null。参考
    references/xray-entities.md
    中的【上下文分析】章节获取八种可能的结果值和jq代码片段。
  • OneModel GraphQL:在构建操作前,始终从同一服务器获取超级图模式(不同部署的模式不同);按照
    references/onemodel-graphql.md
    中的步骤进行缓存、验证和执行。
  • 切勿重复执行网络查询命令来重试
    jq
    解析——先将响应保存到临时文件(参考【保存命令输出】)。
  • 在循环中收集详情响应时(例如每个仓库的GET请求),在追加到结果文件前使用
    jq -e .
    验证每个响应体。单个非JSON或空响应会破坏后续的
    jq -s
    合并操作。将验证后的行写入NDJSON文件,然后使用
    jq -s '.' file.ndjson
    生成最终数组。参考
    references/general-bulk-operations-and-agent-patterns.md
  • 实际任务中积累的边缘案例存放在
    references/general-use-case-hints.md
    中——调试异常失败时请阅读;确认新的可复用问题后,请添加简短条目

Batch and parallel execution

批量与并行执行

When a task requires multiple independent operations, use the lightest parallelism mechanism that fits. Three tiers: (1) batch commands in a single Shell call using loops or 
&
, (2) issue parallel Shell tool calls, (3) launch parallel subagents for large fan-out. Read 
references/general-parallel-execution.md
(~135 lines) for tier selection, examples, and subagent prompt structuring.
当任务需要多个独立操作时,使用最适合的轻量级并行机制。分为三个层级:(1) 在单个Shell调用中使用循环或
&
批量执行命令,(2) 发起并行Shell工具调用,(3) 针对大规模任务启动并行子Agent。参考
references/general-parallel-execution.md
(约135行)获取层级选择、示例和子Agent提示结构。

Preserving command output

保存命令输出

When a CLI command or API call returns data, redirect the output to a temporary file so you can re-read it without re-executing the call:
bash
OUT=/tmp/jf-repos-$$.json
jf api /artifactory/api/repositories > "$OUT"
echo "$OUT"
Use 
$$
(the shell PID) in the filename to prevent collisions across concurrent sessions or processes.
Cross-call gotcha: each Shell tool invocation runs in a new process with a different PID, so 
$$
expands to a different value in each call. Always echo the expanded filename so the agent can read it from the output and reuse the literal path in subsequent calls. Three patterns, in priority order:
  1. $$
    + echo     (preferred): use 
    $$
    for collision safety, echo the path as shown above. The agent reads 
    /tmp/jf-repos-12345.json
    from the output and passes that literal value to the next Shell call.
  2. Session ID: when many files share a prefix across calls, generate an ID once (
    SID=$(date +%s)-$$
    ), echo it, and reuse in later calls.
  3. Hardcoded names: last resort — risks collisions when parallel calls or subagents write to the same path.
This protects against wasted round-trips when you need to retry parsing — for example, if a 
jq
filter fails or you extract the wrong field on the first attempt. Re-read the file instead of hitting the server again.
Do not duplicate the same network request in a shell pipeline (e.g. with 
||
) only to re-run 
jq
or to reveal jq diagnostics—the duplicate call adds load on JFrog without fetching new data. Run 
jq '<filter>' /tmp/jf-*-$$.json
(or redirect stdin from the file) instead of re-running the same 
jf api
or other identical network-backed command.
Do not reuse saved output across unrelated steps or changed contexts (different server, user, or intent). The file is only valid for the immediate sequence of operations that motivated the original call.
当CLI命令或API调用返回数据时,将输出重定向到临时文件,以便无需重新执行命令即可重新读取:
bash
OUT=/tmp/jf-repos-$$.json
jf api /artifactory/api/repositories > "$OUT"
echo "$OUT"
在文件名中使用
$$
(Shell进程ID)以避免并发会话或进程间的冲突。
跨调用注意事项:每个Shell工具调用都在新进程中运行,PID不同,因此每个调用中的
$$
会展开为不同的值。请始终输出展开后的文件名,以便Agent从输出中读取并在后续调用中使用该字面路径。优先使用以下三种模式:
  1. $$
    + 输出    (首选):使用
    $$
    避免冲突,如上所示输出路径。Agent从输出中读取
    /tmp/jf-repos-12345.json
    并将该字面值传递给下一个Shell调用。
  2. 会话ID:当多个文件在调用间共享前缀时,生成一次ID(
    SID=$(date +%s)-$$
    ),输出该ID并在后续调用中复用。
  3. 硬编码名称:最后选择——并行调用或子Agent写入同一路径时存在冲突风险。
这样可以避免在需要重试解析时浪费往返请求——例如,首次尝试时
jq
过滤器失败或提取了错误字段。重新读取文件即可,无需再次请求服务器。
切勿在Shell管道中重复执行相同的网络请求(例如使用
||
)仅为了重新运行
jq
或显示jq诊断信息——重复调用会给JFrog增加负载但不会获取新数据。请运行
jq '<filter>' /tmp/jf-*-$$.json
(或从文件重定向标准输入),而非重新运行相同的
jf api
或其他网络相关命令。
切勿在不相关的步骤或变更后的上下文(不同服务器、用户或意图)中复用保存的输出。该文件仅对触发原始调用的即时操作序列有效。