Stay Alert to Security With Xray and PagerDuty
When it comes to securing your software development against open source vulnerabilities, the earlier action occurs — by the right person — the safer you and your enterprise will be.
Many IT departments rely on the PagerDuty incident response platform to improve visibility and agility across the organization. The enterprise-quality incident management system provides reliable notifications, automatic escalations, on-call scheduling, and other functionality to help teams detect and fix infrastructure problems quickly.
JFrog Xray is the universal software vulnerability scanning solution that natively integrates with Artifactory as part of the JFrog DevOps Platform, giving DevSecOps teams an easy way to proactively identify open source vulnerabilities and license compliance violations, before they manifest in production.
We’ve made it easy to combine these two solutions: JFrog has joined the PagerDuty Integration Partner Program, and the PagerDuty integration for Xray is one of the program’s Verified integrations. With it, key personnel can receive PagerDuty notifications for security violations detected by JFrog Xray’s deep recursive scanning of artifacts.
Once the integration is configured, PagerDuty can turn any security or license policy alert into an incident report. This is useful to:
- Proactively manage security and compliance across the software development and software distribution lifecycle. Receive early notifications within PagerDuty on vulnerabilities and compliance violations impacting artifacts, builds and components before releasing to production.
- Customize notifications by configuring granular policies within JFrog Xray based on the type and severity of violation, and receive notifications only for the repositories, builds or release bundles you care about.
- Granular visibility: receive a continuously updated list of impacted components and their associated dependencies as part of the notification payload sent by JFrog Xray to PagerDuty.
Integration for Vulnerability Vigilance
In the JFrog Platform, DevOps administrators can define granular watch policies based on type of violation and severity, and configure Xray to regularly scan repositories, builds, and release bundles against those policies. Administrators can associate these rules with an outbound event webhook, so that any violation found triggers the webhook.
The PagerDuty integration for Xray can be associated with a PagerDuty service that will receive the webhook from Xray. Once received, PagerDuty can direct an incident report to an individual or group to let them know of the security or license violation detected by Xray.
Once Xray is configured to work for you, these benefits are yours:
- Deep recursive scanning examines all the underlying layers and dependencies of components, even those packaged in Docker images and ZIP files.
- Be confident in timely and comprehensive vulnerability intelligence from VulnDB, plus other sources covering vulnerabilities, license compliance, component versions and more.
- Unprecedented visibility of your artifacts and dependencies enables Xray to provide an impact analysis of any issues discovered in your software.
Quick and Easy Security
We’ve provided detailed instructions with the integration, but integrating Xray with PagerDuty takes these three simple steps:
1. Configure PagerDuty
Add the PagerDuty integration for Xray to a new or existing PagerDuty service. Note the integration key provided by PagerDuty.
PagerDuty is now ready to receive notifications from Xray through a webhook. You can configure the service to direct incident reports to the persons or groups who should receive them.
2. Add Webhook to JFrog Platform
In the JFrog Platform, add a new webhook for the PagerDuty Events API in the Admin > General > Webhooks tab.
Great! Now your JFrog Platform is ready to talk to PagerDuty, and PagerDuty is ready to listen.
3. Configure Xray Policy Rules and Watches
For each Xray policy setting you want to send an incident report for, configure its Policy Rule to Trigger Webhook, and select the PagerDuty Xray integration webhook that you created.
Once you’ve set up your rule, configure watches for the resources (repositories, builds, release bundles) you want to scan for any violations of that policy.
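The Verified integration does this mapping for you, but it helps to see what actually crosses the wire between step 2 and step 3. The following is an added example, not JFrog’s or PagerDuty’s code: it takes a constructed Xray violation payload (the field names watch_name, policy_name, top_severity and issues[].impacted_artifacts are assumptions for illustration; check what your Xray version sends), applies a minimum-severity filter like the granular policies described above, and builds a PagerDuty Events API v2 event with a stable dedup_key so repeated scans of the same artifacts update one incident instead of paging again. The Events API v2 fields and endpoint are PagerDuty’s documented ones; the routing key is the integration key from step 1.

```python
"""Relay a JFrog Xray violation webhook into a PagerDuty Events API v2 event.

Added example, not JFrog's or PagerDuty's own code. The Xray payload shape
(watch_name, policy_name, top_severity, issues[].impacted_artifacts) is an
ASSUMPTION for illustration. The PagerDuty fields (routing_key, event_action,
dedup_key, payload.summary/source/severity/custom_details) are the v2 schema.
"""
import hashlib
import json
import urllib.request
from typing import Any, Dict, List

# Constructed sample of what an Xray "Trigger Webhook" policy action might post.
SAMPLE_XRAY_WEBHOOK: Dict[str, Any] = {
    "watch_name": "prod-docker-watch",
    "policy_name": "block-critical-cves",
    "top_severity": "High",
    "issues": [
        {
            "severity": "High",
            "type": "security",
            "summary": "Example vulnerability in libfoo (constructed)",
            "cve": "CVE-0000-00000",  # placeholder, not a real identifier
            "impacted_artifacts": [
                {"name": "docker://app/web:1.4.2", "path": "docker-local/app/web/1.4.2"},
            ],
        },
        {
            "severity": "Medium",
            "type": "license",
            "summary": "GPL-3.0 component found under a policy that forbids it",
            "impacted_artifacts": [
                {"name": "docker://app/web:1.4.2", "path": "docker-local/app/web/1.4.2"},
            ],
        },
    ],
}

# Xray severity -> PagerDuty Events v2 severity (critical | error | warning | info)
SEVERITY_MAP = {"critical": "critical", "high": "error", "medium": "warning", "low": "info"}
SEVERITY_RANK = {"info": 0, "warning": 1, "error": 2, "critical": 3}
PD_EVENTS_URL = "https://events.pagerduty.com/v2/enqueue"


def to_pd_severity(xray_severity: str) -> str:
    """Map an Xray severity label to a PagerDuty severity; unknown labels become info."""
    return SEVERITY_MAP.get(xray_severity.lower(), "info")


def should_page(event: Dict[str, Any], min_severity: str = "error") -> bool:
    """Granular filtering: only open an incident at or above min_severity."""
    sev = to_pd_severity(event.get("top_severity", "Low"))
    return SEVERITY_RANK[sev] >= SEVERITY_RANK[min_severity]


def impacted_components(event: Dict[str, Any]) -> List[str]:
    """Sorted, de-duplicated list of artifacts named across all issues."""
    names = {a["name"] for issue in event.get("issues", [])
             for a in issue.get("impacted_artifacts", [])}
    return sorted(names)


def dedup_key(event: Dict[str, Any]) -> str:
    """Stable key so re-scans of the same watch/policy/artifacts update one incident."""
    material = "|".join([event["watch_name"], event["policy_name"], *impacted_components(event)])
    return hashlib.sha256(material.encode("utf-8")).hexdigest()[:32]


def build_pagerduty_event(event: Dict[str, Any], routing_key: str) -> Dict[str, Any]:
    """Build the Events API v2 'trigger' body carrying the impacted-component list."""
    comps = impacted_components(event)
    summary = (f"Xray: policy {event['policy_name']} violated on watch {event['watch_name']} "
               f"({len(event['issues'])} issues, top severity {event['top_severity']})")
    return {
        "routing_key": routing_key,
        "event_action": "trigger",
        "dedup_key": dedup_key(event),
        "payload": {
            "summary": summary[:1024],  # v2 caps summary at 1024 characters
            "source": "jfrog-xray",
            "severity": to_pd_severity(event["top_severity"]),
            "component": comps[0] if comps else "unknown",
            "custom_details": {
                "impacted_components": comps,
                "issues": [{"type": i["type"], "severity": i["severity"], "summary": i["summary"]}
                           for i in event["issues"]],
            },
        },
    }


def send_event(pd_event: Dict[str, Any]) -> int:
    """POST the event to PagerDuty; returns the HTTP status (202 on acceptance)."""
    req = urllib.request.Request(PD_EVENTS_URL, data=json.dumps(pd_event).encode("utf-8"),
                                 headers={"Content-Type": "application/json"}, method="POST")
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    if should_page(SAMPLE_XRAY_WEBHOOK, min_severity="error"):
        # Replace the placeholder with the integration key from step 1 before calling send_event.
        print(json.dumps(build_pagerduty_event(SAMPLE_XRAY_WEBHOOK, "<INTEGRATION_KEY>"), indent=2))
```

Raising min_severity to "critical" suppresses the sample event entirely, which is the same effect as scoping an Xray policy rule to critical violations only; keeping the dedup_key derived from watch, policy and artifact names rather than the scan timestamp is what stops every scheduled re-scan from opening a fresh incident.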
Stay Alert, Stay Safe
If you aren’t already using Xray, it’s easy to start exploring its capabilities and the benefits of the JFrog DevOps platform with a free cloud subscription on the cloud platform provider of your choice. And you can start issuing notifications right away!
With the PagerDuty integration for Xray, it’s easy to make Xray’s security scanning a vigilant part of your incident management system. Through PagerDuty, you can help ensure that the right personnel are immediately alerted to the types of security and license violations you most care about.