My previous blog post talked about discovering vulnerabilities in your dependencies directly from within your IDE. However, surfacing every finding in the IDE can sometimes get in the developer's way and reduce their productivity. Let's take a look at how you can continue to detect vulnerabilities as early in the CI/CD process as possible, without interfering with development time.
Enforcing starts at build time
As a best practice you want to continue providing developers with the information they need at development time. This still gives them the option to decide which components they want to use without forcing the choice on them, allowing creative freedom. The real enforcement should come into play at build time, where all of the moving parts are integrated into the build process. This is where the JFrog Xray integrations with Jenkins CI and TeamCity can help. Xray scans each build and fails it if a new vulnerability enters your application, according to your own company policy.
The build process includes your ordinary steps like setup, dependency resolution, build, testing, and deployment to production. Xray allows you to include a new analysis step (step 6) in your pipeline that is performed after the build artifacts are deployed to JFrog Artifactory (step 4). Depending on the analysis results, the build will either pass and be promoted to production, or fail based on alerts generated by Xray (steps 7/8). A failed build is displayed in the component screen, with a list of all vulnerabilities and their severity levels.
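Here is what that pipeline looks like as a scripted Jenkinsfile. This is an added example, not code from the original post or from JFrog; it uses the Jenkins Artifactory plugin's `Artifactory.server`, `upload`, `publishBuildInfo`, `xrayScan` and `promote` steps. The server ID `ARTIFACTORY_SERVER`, the repository names, the artifact pattern and the Gradle build command are placeholders, and the example assumes an Xray watch with a "fail build" policy is already configured for this build.

```groovy
// Added example (not from the original post): a scripted Jenkins pipeline with
// the Xray analysis step placed after deployment to Artifactory and before
// promotion. Placeholders: server ID, repository names, artifact pattern, build command.
node {
    def server = Artifactory.server 'ARTIFACTORY_SERVER'   // placeholder Jenkins server ID
    def buildInfo = Artifactory.newBuildInfo()
    buildInfo.env.capture = true                            // record build environment for the scan

    stage('Checkout') {
        checkout scm
    }

    stage('Build & Test') {
        // Placeholder build command; replace with the project's real build/test invocation.
        sh './gradlew clean build test'
    }

    stage('Deploy to Artifactory') {
        // Upload to a staging repository (placeholder names); nothing is promoted yet.
        def uploadSpec = """{
          "files": [{
            "pattern": "build/libs/*.jar",
            "target": "libs-staging-local/myapp/"
          }]
        }"""
        server.upload spec: uploadSpec, buildInfo: buildInfo
        // Publishing build info is what lets Xray scan this build by name and number.
        server.publishBuildInfo buildInfo
    }

    stage('Xray Scan') {
        // failBuild: true aborts the pipeline when the Xray policy raises a
        // "fail build" alert, so a flagged build never reaches the Promote stage.
        def scanConfig = [
            'buildName':   buildInfo.name,
            'buildNumber': buildInfo.number,
            'failBuild':   true
        ]
        def scanResult = server.xrayScan scanConfig
        echo scanResult as String
    }

    stage('Promote') {
        // Reached only when the scan passed: move the build to the release repo.
        def promotionConfig = [
            'buildName':   buildInfo.name,
            'buildNumber': buildInfo.number,
            'targetRepo':  'libs-release-local',   // placeholder production repo
            'sourceRepo':  'libs-staging-local',   // placeholder staging repo
            'status':      'Released',
            'comment':     'Promoted after passing Xray policy scan',
            'copy':        true
        ]
        server.promote promotionConfig
    }
}
```

The gate is the `failBuild: true` flag: it turns the watch's "fail build" policy action into an aborted Jenkins run, so the promotion stage only ever sees builds that cleared your policy. Keeping the scan after `publishBuildInfo` matters, because Xray scans the published build (artifacts plus dependencies) rather than the workspace.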
Watch this useful screencast on how you can integrate Xray with your CI server and get peace of mind without getting in your developers' way. The video takes you through the complete CI/CD pipeline, giving you a full picture of the whole process from commit to build and successful promotion.