If you need your teams to act, you need to alert them where they’re already looking. Yet yesterday’s DevOps practices demand individuals to wrangle with uncorrelated events, multiple UIs, and siloed technologies. Tomorrow’s DevOps must enable teams with:
- Unified Data
- Single Pane Dashboard
- Integrated Platform
To practice DevSecOps, you’ll need to know where a vulnerable build has been deployed into production, and where to find the corrected build that should replace it. How can you leverage this vital information from Artifactory, your DevOps single source of truth, in the other parts of your ecosystem?
Xray’s deep-recursive scanning provides continuous oversight of your builds to identify the known security vulnerabilities in the open-source dependencies used by your apps. You can set up your Xray watches to monitor your development, test, and production repositories in Artifactory, and the JFrog Platform’s unified single-pane-of-glass provides powerful tools for review and impact analysis of Xray results.
But that’s useful only to those using the JFrog Platform UI in their work routine. To enable your entire team to act, you need to be able to direct alerts and data to desks through the ecosystem tools they use every day for collaboration, monitoring, and incident management.
Making Vulnerabilities Visible
Using JFrog’s growing set of partner integrations, you can connect the results of Xray’s scans for vulnerabilities and license compliance to your universe of tools, and deliver this vital DevSecOps data where it can be seen by the right personnel. This can enable a rapid response to investigate and remediate every new alert, and prevent improper code from ever being deployed into production.
Our partner integrations for Slack and Microsoft Teams enable you to send automated messages from Xray to your preferred messaging tool to enable a collaborative response.
Alerts sent from Xray to your collaboration tool can be directed to the individual or group channel where they can be seen and reviewed. Each alert provides the vulnerability ID, severity, and description, and identifies the impacted artifact.
Once your team is aware of a vulnerability, they can investigate through their preferred analytics platform. JFrog provides integrations and preconfigured dashboards for several analytics tools partners.
For example, our integration for DataDog provides a dashboard for Xray vulnerabilities, as well as ones to review JFrog Platform performance.
From the dashboard, you can identify a vulnerable artifact and quickly drill down to find all the information you need to know about a vulnerability.
Incident and Change Management
Your IT Service Management (ITSM) systems provide a vital oversight function, and many IT departments rely on the PagerDuty incident response platform to improve visibility and agility across the organization.
With JFrog’s PagerDuty integration for Xray, key personnel can receive PagerDuty incident reports for security violations detected by JFrog Xray’s deep recursive scanning of artifacts.
The PagerDuty integration also empowers you to connect your Xray alerts to a project in Atlassian Jira.
When someone views the incident report in PagerDuty, it takes only a swift click of the mouse to automatically register the vulnerability as an issue in a Jira project. The newly created Jira issue includes all of the information about the artifact and vulnerability that’s needed to investigate and fix it.
Once you have full visibility into vulnerabilities through your ecosystem, your team can address them to make certain your releases are safe.
But in a fast-moving continuous integration workflow, developers add and change features at the same time they are patching security holes. How do you keep track of everything to be sure?
JFrog’s partner integration for Jira helps connect issues to the builds where they’re resolved, and track where they are in your staging process.
Collaboration Closes the Loop
As we saw above, it’s easy to turn a PagerDuty incident report into a new Jira issue, in the same collaboration tool where you track all your bugs and feature requests.
When a developer performs a VCS check-in (such as a `git commit`) it’s a commonly followed best practice to tag it with the Jira issue key(s) those changes resolve. Artifactory can collect issue key messages from Git, as part of your build info, and link that build to those Jira issues.
The Artifactory dashboard for build information displays each of the referenced Jira issues in the Issues tab, and seamlessly provides a link to each issue key in Jira.
When you install the JFrog Artifactory App for Jira, you can make that connection go both ways, with links automatically available in Jira to the builds where security and features issues are resolved.
We’ve also added a feature to the Jira app to help you keep track of where those builds have been deployed. When you deploy your build into environments and include the necessary information, Jira can list all the environments where it is running.
Completing the Machine
These and other JFrog partner integrations help turn your ecosystem from a set of isolated tools into a fully functioning DevSecOps machine.
The JFrog DevOps Platform with Artifactory and Xray is the central engine that powers it all, making its comprehensive knowledge about your builds visible in the rest of your collaboration tools for fast action.
For detailed discussion and a demonstration, watch our presentation, DevOps Observability from Code to Cloud, from our recent swampUP DevOps conference.
Start exploring some of these and other JFrog partner integrations in your own systems. If you aren’t yet using Artifactory and Xray, you can get started with a free JFrog cloud account.