jfrog · attiasas · Nov 4, 2025 · Nov 23, 2025 · Nov 23, 2025
diff --git a/cli/gitcommands.go b/cli/gitcommands.go
@@ -64,6 +64,9 @@ func GitAuditCmd(c *components.Context) error {
 	if subScans, err := getSubScansToPreform(c); err != nil {
 		return err
 	} else if len(subScans) > 0 {
+		if err := validateAnalyzerManagerRequirements(subScans); err != nil {
+			return err
+		}
 		gitAuditCmd.SetScansToPerform(subScans)
 	}
 	if threads, err := pluginsCommon.GetThreadsCount(c); err != nil {

diff --git a/cli/scancommands.go b/cli/scancommands.go
@@ -415,6 +415,10 @@ func AuditCmd(c *components.Context) error {
 		auditCmd.SetScansToPerform(subScans)
 	}
 
+	if err := validateAnalyzerManagerRequirements(auditCmd.ScansToPerform()); err != nil {
+		return err
+	}
+
 	// Validate that there is a sast scan before setting the sast rules
 	if sastRulesFile := c.GetStringFlagValue(flags.AddSastRules); sastRulesFile != "" {
 		// Check if file exists

diff --git a/cli/utils.go b/cli/utils.go
@@ -3,6 +3,7 @@ package cli
 import (
 	"fmt"
 	"os"
+	"slices"
 	"strings"
 
 	"github.com/jfrog/jfrog-cli-core/v2/common/cliutils"
@@ -16,6 +17,7 @@ import (
 	"github.com/jfrog/jfrog-client-go/utils/io/fileutils"
 	"github.com/jfrog/jfrog-client-go/utils/log"
 
+	"github.com/jfrog/jfrog-cli-security/jas"
 	"github.com/jfrog/jfrog-cli-security/sca/bom"
 	"github.com/jfrog/jfrog-cli-security/sca/bom/buildinfo"
 	"github.com/jfrog/jfrog-cli-security/sca/bom/xrayplugin"
@@ -85,6 +87,14 @@ func getSubScansToPreform(c *components.Context) (subScans []utils.SubScanType,
 	return
 }
 
+func validateAnalyzerManagerRequirements(subScans []utils.SubScanType) error {
+	if len(subScans) != 0 && (!slices.Contains(subScans, utils.SecretsScan) && !slices.Contains(subScans, utils.ContextualAnalysisScan) && !slices.Contains(subScans, utils.IacScan) && !slices.Contains(subScans, utils.SastScan)) {
+		// No analyzer manager related sub-scan is requested
+		return nil
+	}
+	return jas.ValidateRequiredInstalledSoftware()
+}
+
 func shouldAddSubScan(subScan utils.SubScanType, c *components.Context) bool {
 	return c.GetBoolFlagValue(subScan.String()) ||
 		(subScan == utils.ContextualAnalysisScan && c.GetBoolFlagValue(flags.Sca) && !c.GetBoolFlagValue(flags.WithoutCA)) || (subScan == utils.SecretTokenValidationScan && c.GetBoolFlagValue(flags.Secrets) && c.GetBoolFlagValue(flags.SecretValidation))

diff --git a/go.mod b/go.mod
@@ -2,9 +2,6 @@ module github.com/jfrog/jfrog-cli-security
 
 go 1.24.6
 
-// TODO: update xray-scan lib to latest version that supports CycloneDX v0.9.3 (not yet released)
-replace github.com/CycloneDX/cyclonedx-go => github.com/CycloneDX/cyclonedx-go v0.9.2
-
 require (
 	github.com/CycloneDX/cyclonedx-go v0.9.3
 	github.com/beevik/etree v1.4.0

diff --git a/go.sum b/go.sum
@@ -4,8 +4,8 @@ dario.cat/mergo v1.0.2 h1:85+piFYR1tMbRrLcDwR18y4UKJ3aH1Tbzi24VRW1TK8=
 dario.cat/mergo v1.0.2/go.mod h1:E/hbnu0NxMFBjpMIE34DRGLWqDy0g5FuKDhCb31ngxA=
 github.com/BurntSushi/toml v1.5.0 h1:W5quZX/G/csjUnuI8SUYlsHs9M38FC7znL0lIO+DvMg=
 github.com/BurntSushi/toml v1.5.0/go.mod h1:ukJfTF/6rtPPRCnwkur4qwRxa8vTRFBF0uk2lLoLwho=
-github.com/CycloneDX/cyclonedx-go v0.9.2 h1:688QHn2X/5nRezKe2ueIVCt+NRqf7fl3AVQk+vaFcIo=
-github.com/CycloneDX/cyclonedx-go v0.9.2/go.mod h1:vcK6pKgO1WanCdd61qx4bFnSsDJQ6SbM2ZuMIgq86Jg=
+github.com/CycloneDX/cyclonedx-go v0.9.3 h1:Pyk/lwavPz7AaZNvugKFkdWOm93MzaIyWmBwmBo3aUI=
+github.com/CycloneDX/cyclonedx-go v0.9.3/go.mod h1:vcK6pKgO1WanCdd61qx4bFnSsDJQ6SbM2ZuMIgq86Jg=
 github.com/Microsoft/go-winio v0.5.2/go.mod h1:WpS1mjBmmwHBEWmogvA2mj8546UReBk4v8QkMxJ6pZY=
 github.com/Microsoft/go-winio v0.6.2 h1:F2VQgta7ecxGYO8k3ZZz3RS8fVIXVxONVUPlNERoyfY=
 github.com/Microsoft/go-winio v0.6.2/go.mod h1:yd8OoFMLzJbo9gZq8j5qaps8bJ9aShtEA8Ipt1oGCvU=

diff --git a/jas/analyzermanager.go b/jas/analyzermanager.go
@@ -57,6 +57,10 @@ const (
 
 type JasDiffScanEnvValue string
 
+var scannersRequiredInstalledSoftware = []string{
+	"git", "unzip", "curl",
+}
+
 var exitCodeErrorsMap = map[int]string{
 	notEntitledExitCode:        "got not entitled error from analyzer manager",
 	unsupportedCommandExitCode: "got unsupported scan command error from analyzer manager",
@@ -212,3 +216,12 @@ func DownloadAnalyzerManagerIfNeeded(threadId int) error {
 	}
 	return utils.DownloadResourceFromPlatformIfNeeded("Analyzer Manager", downloadPath, analyzerManagerDir, AnalyzerManagerZipName, true, threadId)
 }
+
+func ValidateRequiredInstalledSoftware() (err error) {
+	for _, software := range scannersRequiredInstalledSoftware {
+		if softwarePath, e := exec.LookPath(software); e != nil || softwarePath == "" {
+			err = errors.Join(err, fmt.Errorf("could not find the required '%s' executable in the system PATH to run the Advanced Security Scans", software))
+		}
+	}
+	return
+}