Secure your Software Supply Chain with Xray and Lightstep Incident Response

Securing your software supply chain requires proactively identifying compliance issues and security vulnerabilities early in your software development lifecycle. Additionally early detection must be coupled with an organized and agile method of response that brings together developers, operations and SRE teams to accelerate remediation workflows across the organization.

To meet these challenges, we are excited to offer a new integration with JFrog Xray and the Lightstep Incident Response (by ServiceNow.) With this integration organizations can combine JFrog Xray application security code scanning with Lightstep’s intelligent incident response and management capabilities, to identify compliance and security issues earlier in their DevOps pipeline and engage the necessary teams for timely response and remediation.

How it Works

With this integration, JFrog Xray violations are sent via a webhook into Lightstep where they surface as incidents and alerts. Once in Lightstep, they can be managed through Lightstep’s incident lifecycle management tools.

Each alert from Xray includes details about the vulnerability or license issue that provide helpful information for evaluation and response. From Lightstep, a response administrator can assign these incidents to dedicated SRE teams, set up automated actions, acknowledge incoming issues and compose notes, or even collaborate with other teams to accelerate the remediation.

How To Get Started

The JFrog Xray integration is available from within the Lightstep console:

  1. Select Integrations from the Lightstep console’s navigation pane.
  2. Click the JFrog Xray integrations card
  3. Fill out the details in the form to enable the integration.

You’ll then need to create a webhook endpoint in Lightstep for JFrog Xray to send automated real-time messages and information to Lightstep Incident Response. When you click Generate Webook, Lightstep will create a webhook URL for the secure endpoint. 

You can then use this webhook URL to configure the webhook in JFrog Xray

Once Lightstep and Xray are connected in this way, you can create security and license policies in JFrog Xray. You can specify rules for Xray to look for the specific CVEs, severity level, or other criteria that you care most about. In your policies, you can specify an automatic action to trigger the Lightstep webhook through the JFrog Platform event service when Xray discovers that policy has been violated, and send a violation event message to Lightstep.

Need More Information?
To see how to create Xray policies and watches, view this support video.


Everything is now ready for you to manage and remediate your Xray policy violations through Lightstep!

For more help, email