Automate Workflows in ServiceNow with the JFrog Spoke Integration

Automate your Security Workflows in ServiceNow with JFrog Xray Spoke

This blog post has been updated on: Sept 30th, 2022

What’s New

The JFrog integration with ServiceNow is growing and evolving. In our latest release of the integration, we have added a long list of new actions that will enable DevOps and DevSecOps engineers to create and automate additional workflows using the ServiceNow FlowDesigner. The additional actions include JFrog Artifactory functionality so we have renamed the integration to simply “JFrog Spoke”. A Spoke integration enables configurable “actions” which serve as building blocks to develop approval flows, speed up admin tasks, and add structure to new processes when working with JFrog. The best part is that making new workflows can be accomplished without writing a single line of code or manually calling any APIs. The expanded JFrog Spoke integration will enable teams to get the most out of JFrog with the least amount of work.

With these new actions, you can use the JFrog Spoke integration to streamline more workflows, including:

JFrog Admin Tasks

The JFrog Spoke can now be used to build approval flows for managing users, groups, and what those groups can access through permission targets. As a JFrog admin, these approval flows can be moved from Slack and email to structured forms and automated configurations, saving time on admin tasks while speeding up the approval process.

JFrog Artifact Management

The new actions allow you to create or delete repositories and move, add, or delete artifacts. Together with our existing JFrog Xray actions, they enable you to create flows for automatically transferring artifacts with newly discovered vulnerabilities to a safe repository, away from your developers. This allows a JFrog IT admin to ensure that only secure artifacts are ready and available to use. To learn more about all the supported actions and how to get started using JFrog with Spoke, head over to our documentation page.

Original Post

In 2022, JFrog and ServiceNow engaged in a series of meaningful conversations around the state of DevSecOps and how the industry could benefit from tighter integrations with IT-Operations tools. The idea of “DevSecOps + ServiceOps” is a theme that JFrog and ServiceNow are now exploring and today, we’re excited to announce an integration that will further help software development teams automate many of the tasks needed to start dealing with security and license compliance issues in real-time. 

The new JFrog Xray Spoke (available in the ServiceNow IntegrationHub) provides building-block actions for JFrog Xray and Artifactory as well. These building blocks can be mixed with actions from other spokes for a truly customized and automated experience for your company.

For example, any CVE that JFrog Xray finds in your application components can be sent as an event to ServiceNow Flow Designer to kick off automated workflows that do things such as:

  • Route issues to specific team members for resolution
  • Trigger an approval workflow
  • Ignore certain kinds of violations automatically
  • Generate violation reports
  • Tag an artifact or repository with custom metadata

The JFrog Spoke Integration can also help teams be alert to license compliance violations and automate workflows to respond. This enables you to meet audit demands and avoid penalties for improper use of code segments obtained from the open source community.

JFrog Spoke Security Capabilities in ServiceNow

The JFrog Spoke connects your JFrog Platform to ServiceNow so that you can automate remediation of security and license policy violations through workflows created in Flow Designer. 

Trigger Workflows on Xray Policy Violations

Xray performs regular scans of the binaries in Artifactory repositories that you designate, and identifies all known vulnerabilities in the packages used as dependencies, as well as their license types. You can specify rules for Xray to look for the specific CVEs, severity level, or other criteria that you care most about.

When you create a security or license policy in JFrog Xray based on those rules, you can specify an automatic action to trigger a webhook through the JFrog Platform event service when Xray discovers that policy has been violated. You will use this JFrog feature to send a violation event message from Xray to ServiceNow.

Need More Information?
To see how to create Xray policies and watches, view this support video.

Using Flow Designer, you can use the event message from Xray to trigger a ServiceNow workflow, and perform an automated response sequence through any of your operations ecosystem tools that are connected to ServiceNow.

The Xray event message also includes important information in its JSON payload about the policy violation that you can use to create complex, multi-branch ServiceNow workflows. 

For example, do you want to email your CISO office anytime a high CVE issue is found? That can be automated. Do you want to message or email a development team when issues have been found in a specific build? That too can be done through this integration. 

Drive JFrog Actions from ServiceNow

The JFrog Spoke empowers you to perform actions in Xray and Artifactory from a ServiceNow workflow to automate many of the steps your team might otherwise do manually to respond to security issues. For example, you can re-scan artifacts and builds in Artifactory, update permissions for JFrog Platform users and groups, create new Ignore Rules in Xray, or manage custom JFrog properties for artifacts.

[Screenshot: Xray - create ignore rules]

You can combine the JFrog actions of the JFrog Spoke with other ServiceNow actions to create rich workflow responses to security and license violations. In this way, JFrog Xray’s monitoring and governance of your mission-critical software supply chain can be made a fully acting partner in your ServiceNow-driven ITSM ecosystem.

Example ServiceNow Workflow

The following example workflow in Flow Designer shows how the JFrog Spoke might be used to respond to a security issue.

The example ServiceNow workflow is set to trigger on receipt of a security policy violation event message from Xray.

[Screenshot: Trigger - ServiceNow REST API]

The first action of the workflow creates a violation record from the data payload received in the event webhook from Xray. 

[Screenshot: Xray webhook actions]

We’ll then use the severity information to decide how to respond to the violation.

[Screenshot: security severity information]

A High Severity violation will generate and export a new report in Xray, notify the response team by email, notify the CISO office through Slack, and create a new issue in Jira for developers. 

A Medium Severity violation will just tag the artifact with a custom property to “investigate later,” notify the response team by email, and create a new issue in Jira.

A Low Severity violation will create a new ignore rule in Xray to prevent future notification of this violation.
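The three severity branches above, together with the earlier point that the Xray event's JSON payload carries the violation details used for branching, can be followed end to end in code. The Python below is an added example, not code from the blog post or from the JFrog Spoke: it authenticates an inbound violation event with a shared secret (the header name and secret are placeholders for this example; match them to however your JFrog webhook is configured), distils the payload into a violation record, and selects the High, Medium or Low response steps. The payload field names (`watch_name`, `policy_name`, `issues[].severity`, `issues[].cve`, `issues[].impacted_artifacts`) and the sample event are assumptions constructed for the example, so check them against the Xray webhook documentation. It generalises the post slightly: a Critical issue takes the High branch, and an unrecognised severity is rejected rather than silently dropped into the Low branch, where it would be ignored.

```python
"""Added example: route an Xray policy-violation webhook the way the example
Flow Designer workflow does. Payload shape and header name are assumptions."""
import hmac
import json

# Assumed shared-secret check: header name and secret value are placeholders.
AUTH_HEADER = "X-JFrog-Event-Auth"
WEBHOOK_SECRET = "replace-me-constructed-secret"

# Xray severities ranked so the top severity can be derived from the issues list.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Response branches from the example workflow (Critical is folded into High).
BRANCHES = {
    "High": ["export_xray_report", "email_response_team",
             "slack_ciso_office", "create_jira_issue"],
    "Medium": ["tag_artifact:investigate-later", "email_response_team",
               "create_jira_issue"],
    "Low": ["create_xray_ignore_rule"],
}


def authenticate(headers: dict, secret: str = WEBHOOK_SECRET) -> bool:
    """Accept only events carrying the expected secret (constant-time compare)."""
    presented = headers.get(AUTH_HEADER, "")
    return hmac.compare_digest(presented.encode(), secret.encode())


def create_violation_record(payload: dict) -> dict:
    """First workflow action: distil the JSON payload into one violation record."""
    issues = payload.get("issues")
    if not isinstance(issues, list) or not issues:
        raise ValueError("violation event carries no issues")
    unknown = [i.get("severity") for i in issues
               if i.get("severity") not in SEVERITY_RANK]
    if unknown:
        # Fail closed: an unknown severity must not fall through to the Low branch.
        raise ValueError(f"unrecognised severity values: {unknown}")
    top = max(issues, key=lambda i: SEVERITY_RANK[i["severity"]])
    return {
        "watch": payload.get("watch_name", ""),
        "policy": payload.get("policy_name", ""),
        "severity": top["severity"],
        "cves": sorted({i["cve"] for i in issues if i.get("cve")}),
        "artifacts": sorted({a for i in issues
                             for a in i.get("impacted_artifacts", [])}),
    }


def plan_response(record: dict) -> list:
    """Map the record's severity onto branch steps; Critical takes the High branch."""
    rank = SEVERITY_RANK[record["severity"]]
    if rank >= SEVERITY_RANK["High"]:
        return list(BRANCHES["High"])
    if rank == SEVERITY_RANK["Medium"]:
        return list(BRANCHES["Medium"])
    return list(BRANCHES["Low"])


def handle_webhook(headers: dict, body: str) -> tuple:
    """Return (status, result): 401 if unauthenticated, 400 on a bad payload, else 200."""
    if not authenticate(headers):
        return 401, {"error": "bad webhook secret"}
    try:
        record = create_violation_record(json.loads(body))
    except (ValueError, KeyError) as exc:  # JSONDecodeError is a ValueError
        return 400, {"error": str(exc)}
    return 200, {"record": record, "steps": plan_response(record)}


# Constructed sample event (not a real Xray payload): two issues, the worst is High.
SAMPLE_EVENT = json.dumps({
    "watch_name": "prod-libs-watch",
    "policy_name": "sec-policy-high",
    "issues": [
        {"severity": "Medium", "type": "security", "cve": "CVE-0000-0001",
         "impacted_artifacts": ["libs-release/com/example/app/1.0/app-1.0.jar"]},
        {"severity": "High", "type": "security", "cve": "CVE-0000-0002",
         "impacted_artifacts": ["libs-release/com/example/app/1.0/app-1.0.jar"]},
    ],
})

if __name__ == "__main__":
    status, result = handle_webhook({AUTH_HEADER: WEBHOOK_SECRET}, SAMPLE_EVENT)
    print(status, json.dumps(result, indent=2))
```

In Flow Designer the branching is done with conditions on the payload rather than in code, but the same two checks are worth building into the flow: reject events that do not carry the secret you configured on the JFrog webhook, and route any severity value you did not anticipate to the most cautious branch instead of the ignore-rule branch.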

How to Get Started

You can get the JFrog Spoke from the ServiceNow Integration Hub. Once installed into ServiceNow, you’ll need to connect ServiceNow to your JFrog Platform account by adding your JFrog identity token as a new set of API Key Credentials, along with your JFrog Platform Deployment URL.

You’ll also need to create a ServiceNow webhook in your JFrog Platform, and set up your Xray security and license policies to trigger that webhook.

For details, see the Xray Integration with ServiceNow Spoke documentation.

Everything is now ready for you to create ServiceNow workflows through Flow Designer that are triggered by an Xray event message! Watch this quick demo to see how you can use actions from the JFrog Xray Spoke:

For more help or if you have ideas for more actions to add from the JFrog Platform, email