Stay Alert to Security With Xray and PagerDuty

When securing your software development against open-source vulnerabilities, the earlier action occurs — by the right person — the safer you and your enterprise will be.

Many IT departments rely on the PagerDuty incident response platform to improve visibility and agility across the organization. The enterprise-quality incident management system provides reliable notifications, automatic escalations, on-call scheduling, and other functionality to help teams quickly detect and fix infrastructure problems.

JFrog Xray is the universal software vulnerability scanning solution that natively integrates with Artifactory as part of the JFrog DevOps Platform. It gives DevSecOps teams an easy way to proactively identify open-source vulnerabilities and license compliance violations before they manifest in production.

We’ve made it easy to combine these two solutions through JFrog’s addition to the family of  PagerDuty Integration Partner Program’s Verified integrations… With the PagerDuty integration for Xray, key personnel can receive PagerDuty notifications for security violations detected by JFrog Xray’s deep recursive scanning of artifacts.

Once the integration is configured, PagerDuty can turn any security or license policy alert into an incident report. This is useful for:

• Proactively manage security and compliance across the software development and distribution lifecycle. Receive early notifications within PagerDuty on vulnerabilities and compliance violations impacting artifacts, builds, and components before releasing them to production.
• Customize notifications and configure granular policies within JFrog Xray based on the type of violation and severity, and receive notifications on repositories, builds, or release bundles of interest.
• Granular Visibility Receive a continuously updated list of impacted components and their associated dependencies as part of the notification payload sent by JFrog Xray to PagerDuty.

Integration For Vulnerabilities Vigilance

In the JFrog Platform, DevOps administrators can define granular policies based on the type of violation and severity and configure Xray to regularly scan repositories, builds, and release bundles against those policies. Administrators can associate these rules with an outbound event webhook, and any violations found will trigger sending the webhook. 

The PagerDuty integration for Xray can be associated with a PagerDuty service that will receive the webhook from Xray. Once received, PagerDuty can direct an incident report to an individual or group to inform them of the security or license violation detected by Xray.

Once Xray is configured to work for you, these benefits are yours:

• Deep recursive scanning examines all components’ underlying layers and dependencies, even those packaged in Docker images and ZIP files.
• Be confident with a comprehensive vulnerability database compiled of public and private data sources that the JFrog security research team has enriched.
• Unprecedented visibility of your artifacts and dependencies enables Xray to provide an impact analysis of any issues discovered in your software.

Quick and Easy Security

We’ve provided detailed instructions for the integration, but integrating Xray with PagerDuty takes these three simple steps:

1. Configure PagerDuty

Add the PagerDuty integration for Xray to a new or existing PagerDuty service. Note the integration key provided by PagerDuty.

PagerDuty is now ready to receive notifications from Xray through a webhook. You can configure the service to direct incident reports to the persons or groups who should receive them.

2. Add Webhook to JFrog Platform

In the JFrog Platform, add a new webhook for the PagerDuty Events API in the Admin > General > Webhooks tab.

Great! Now, your JFrog Platform is ready to talk to PagerDuty, and PagerDuty is ready to listen.

3. Configure Xray Policy Rules and Watches

For each Xray policy setting you want to send an incident report for, configure its Policy Rule to Trigger Webhook, and select the PagerDuty Xray integration webhook you created.

Once you’ve set up your rule, configure watches for the resources (repositories, builds, release bundles) you want to scan for any policy violations. 

Stay Alert, Stay Safe

If you aren’t already using Xray, it’s easy to start exploring its capabilities and the benefits of the JFrog DevOps platform with a free cloud subscription to the cloud platform provider of your choice. And you can begin issuing notifications right away!

With the PagerDuty integration for Xray, it’s easy to make Xray’s security scanning a vigilant part of your incident management system. Through PagerDuty, you can help ensure that the right personnel are immediately alerted to the security and license violations you most care about.