A Few Minutes More: Add Xray DevSecOps to Artifactory Enterprise on Azure
In a prior blog post, we explained how to install or update Artifactory through the Azure Marketplace in the amount of time it takes for your coffee order to arrive on the counter.
Now you can add to your self-managed (BYOL) Artifactory deployment Xray, the cream of software composition analysis (SCA) tools, through the Azure Marketplace as well.
JFrog Xray is a universal SCA solution that natively integrates with Artifactory, giving developers and DevSecOps teams an easy way to proactively identify open source vulnerabilities and license compliance violations, before releasing at-risk applications into production.
Why Add Xray SCA
Xray supports all major package types and integrations, knowing how to unpack each one and what every underlying layer contains. Xray’s deep recursive scanning sees into all the underlying layers & dependencies of components, even those packaged in Docker images and ZIP files.
Each unpacked component is examined to uncover potential vulnerabilities and license compliance violations, powered by the most timely and comprehensive VulnDB intelligence.
From this data, Xray can present a component graph analysis of every artifact and dependency structure, providing you unique visibility to determine the impact of all discovered risks.
What You Need
You will need a few things before you get started:
- Active Azure subscription
- Spare vCPUs available in your region in Azure
- An Xray license (to use beyond the trial period)
- An installed BYOL deployment of Artifactory Enterprise on Azure.
- Recommended: Azure PostgreSQL service
Installing an Azure PostgreSQL Server
Xray uses a database to index component vulnerability data. Like Artifactory, you can configure Xray with a database source of your choice.
Our recommended best practice configuration for Xray is to use a database server on a node that is separate from the node where Artifactory and Xray runs.
To accomplish this, you will need to create an Azure PostgreSQL service before installing Xray. You can then install Xray to use this existing database.
We’ve created a helpful ARM template for you that will deploy an Azure PostgreSQL service with the ideal settings for use with Xray. You can find this template in our JFrog-Cloud-Installers repo, or you can pick one from the official Azure repository.
You can clone the JFrog repo to your own workstation:
$ git clone https://github.com/jfrog/JFrog-Cloud-Installers.git $ cd ~/JFrog-Cloud-Installers/AzureResourceManager/Postgresql
postgres.parameters.json file and set the values of
azurePostgresDBDeploy.json is the ARM template, which contains the preferred settings. The
skuSizeMB parameter sets the database storage to 200 Gb, which is the recommended size for Xray.
Using the Azure CLI, deploy the PostgreSQL service to the same resource group used for Artifactory deployment.
$ az deployment group create --resource-group --template-file azurePostgresDBDeploy.json --parameters @postgres.parameters.json
After deployment is done, you will see PostgreSQL service in your resource group:
This server is now available to use with Xray.
BYOL Install on Azure Cloud
Once you’re prepared with these essentials, you can start the install from Azure Marketplace.
- Go to Microsoft Azure Marketplace.
- Search for “JFrog” or “Xray”
- Select JFrog Xray ARM Template
Or you can navigate directly to JFrog Xray ARM Template.
To start the install procedure:
- Click on the GET IT NOW button.
If you are not signed in, Marketplace will ask you for your Azure account credentials.
- In the resulting popup, click Continue to agree to Microsoft terms.
- Click Create
The procedure will now take you through a series of tabs to enter information.
Here you will select the active subscription for this instance, as well as its region, which must be the same as the Artifactory deployment.
You must also select an Azure Resource Group for the instance. You may not select the same resource group where Artifactory was deployed. With that exception, you can either choose one that has already been created through the Azure Resource Manager, or click Create new to define one now.
In this tab you must specify a set of login credentials for the VM that will be created for JFrog Xray to run in. Enter a username of the valid form for the VM administrator, and you may define either a 12-character password or an SSH public key.
The Xray instance should be in the same virtual network as the Artifactory instance. Select the virtual network from the resource group where you‘ve deployed Artifactory, and select any available subnet in that VN. The recommended VM size is Standard D4s v3, and the minimum requirement is 4 vCPUs.
Select the Xray version, set the cluster name and generate the master key.
Your Artifactory join key can be found in the Administration module of Artifactory. In the Security > Settings tab, enter your password in Connection details to unlock the platform connection details. You can then view and copy the join key to paste into the ARM template form. Provide the URL to your Artifactory deployment.
On this screen you can create or connect Xray to a database. If, as recommended, you have created an PostregSQL service on another node, select Use existing postgresql instance. Then enter the database server name and the connection string as well as username and password from your PostgreSQL instance.
Connection string example:
Review + Create
In this final tab, Azure will verify your configuration. When validation is passed, click Create to start the deployment.
The hard work is done! The ARM template takes over from here, deploying Xray and its component parts into the Azure VM, and joining it with Artifactory.
When the deployment is complete, login to your Artifactory instance. You will see the Index Resources popup, which confirms Xray is up and running. From here, you can select which repositories you want Xray to index.
Once you set up your Xray watches, you can enjoy the rich taste of DevSecOps, secure that you’ll be alerted when a critical component has an issue, and that unsafe builds can be blocked from release.
For a full demo of the Artifactory, PostgreSQL, and Xray installation process, watch this tutorial video.