4 Ways Xray and Artifactory Complete DevSecOps

Being universal is a huge part of what makes JFrog Artifactory so effective. Whether you use Jenkins, CircleCI, or Bitbucket to automate your CI/CD pipeline, Artifactory works with those and more. Whether you prefer to store your artifacts in an on-premises filestore or in the cloud, Artifactory will manage them. Which cloud? Artifactory is content with them all.

Artifactory works with the tools you use. And if your tools change, Artifactory can make the move with you.

Yet when we made JFrog Xray, our security scanning tool, we decided it would exclusively be a complementary product to Artifactory for DevSecOps. Given our commitment to letting you choose, you might wonder: Why?

Why It Matters for a Repository Manager

Like Artifactory, Xray is universal in its support for many package types. Whether you use Maven, Gradle, npm, NuGet, RubyGems, Docker, or others, Xray helps you keep known vulnerabilities out of your released builds and assures compliance with your license policies.

Security isn’t a standalone concern, so Xray isn’t a standalone solution. We believe that identifying vulnerabilities for DevSecOps is inseparable from traceability of your builds. Security and license compliance can’t be an afterthought; they have to be woven tightly into your artifact management system, so that once you’re alerted to a vulnerability in your application, you can know how it got there and how it affects everything else that depends on it.


For a true shift-left strategy to succeed, your binary repository manager and security scanning need to work together throughout your SDLC. Here are the top benefits when they do:

1. Native Integration

Like all JFrog products, Xray readily installs into a virtual machine or Kubernetes cluster, and its friendly setup gets you up and running quickly. There are no complicated integration decisions to make; just point Xray to the URL of Artifactory, enter your license key and you’re ready to start!

Once Xray is installed and running, its features are immediately accessible through Artifactory, where you can enable your repositories for security and license scans. There’s no new UI to set up or learn, it’s the same one you’ve been using to monitor the artifacts in your SDLC pipeline all along. With Xray, Artifactory just has more to tell you about each artifact.

There’s no anxiety about taking an update to Artifactory or Xray, either. As complementary products, they are released to work together, so an update does not force you to re-integrate the two or repeat a lengthy validation cycle. As with any paired upgrade, check the release notes for the supported version combination before you roll it out, and the products will continue to work together cleanly after even the most feature-rich update.

2. Radical Transparency

On immediate connection to Xray, all of your Artifactory repositories become security-scanning capable, offering new, radically transparent insight into your software component architecture.

To start, Artifactory’s repositories can be configured to trigger Xray’s recursive scans of all the components in your system, doggedly drilling down to analyze even the smallest binary component that affects your software.

What’s more, Xray continuously scans and analyzes existing components in those repositories, even those long since deployed to production, to provide alerts and notifications for just-discovered vulnerabilities.

Being naturally integrated into Artifactory, Xray is in a unique position to analyze, on an ongoing basis, not just individual binary artifacts, but the relationships between those artifacts. That creates an extraordinary transparency into the packages and binaries that compose your builds.

3. Rich Impact Analysis

Once Xray identifies the vulnerable artifacts in your repositories, you have the information that reveals how an issue in one component affects all others in your company. But how will you turn that data into understanding?

As manager of those repositories, Artifactory is best able to help you analyze those results and comprehend the impact that any vulnerability in one component has on any other.

Artifactory helps turn information from Xray into real knowledge, by displaying the chain of impact from a vulnerable binary in an impact analysis component graph. This helps give you a clear and comprehensive picture of the consequences of using the vulnerable component.
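To make concrete what an impact analysis graph computes, here is an added illustration (not JFrog code, and not how Xray or Artifactory implement it internally): a toy component graph in which an edge runs from a build or image to the components it bundles, and a reverse traversal that lists every artifact transitively containing a vulnerable component together with one shortest chain of impact. All artifact names are constructed for the example.

```python
"""Impact analysis over a toy component graph (added example, not JFrog code).

Each node is an artifact. An edge A -> B means "A bundles or depends on B".
Impact analysis asks the reverse question: given one vulnerable component,
which artifacts, and ultimately which builds, transitively include it, and
along which chain of components?
"""
from collections import deque

# Constructed sample graph: parent -> direct children it bundles.
# All names are illustrative; none refer to real packages.
COMPONENT_GRAPH = {
    "build:web-frontend/42": ["docker:web-frontend:1.4"],
    "build:payments-api/17": ["docker:payments-api:2.0"],
    "build:batch-jobs/5": ["docker:batch-jobs:0.9"],
    "docker:web-frontend:1.4": ["npm:ui-kit@2.3.0"],
    "docker:payments-api:2.0": ["maven:com.example:service-core:3.1"],
    "docker:batch-jobs:0.9": [
        "maven:com.example:service-core:3.1",
        "maven:com.example:scheduler:1.0",
    ],
    "maven:com.example:service-core:3.1": ["maven:com.example:yaml-parser:1.2"],
    "maven:com.example:scheduler:1.0": [],
    "maven:com.example:yaml-parser:1.2": [],
    "npm:ui-kit@2.3.0": [],
}


def reverse_edges(graph):
    """Invert parent -> children into child -> parents so we can walk upwards."""
    rev = {node: [] for node in graph}
    for parent, children in graph.items():
        for child in children:
            rev.setdefault(child, []).append(parent)
    return rev


def impact_chains(graph, vulnerable):
    """Map every impacted artifact to one shortest chain down to the vulnerable component.

    Breadth-first search over the reversed edges gives minimal-length chains and,
    through the visited set, terminates even if the graph contains a cycle.
    """
    rev = reverse_edges(graph)
    chains = {vulnerable: [vulnerable]}
    queue = deque([vulnerable])
    while queue:
        node = queue.popleft()
        for parent in rev.get(node, []):
            if parent not in chains:
                chains[parent] = [parent] + chains[node]
                queue.append(parent)
    del chains[vulnerable]  # report only the artifacts that contain it
    return chains


def impacted_builds(graph, vulnerable):
    """Sorted list of builds whose output transitively contains the vulnerable component."""
    return sorted(n for n in impact_chains(graph, vulnerable) if n.startswith("build:"))


def format_chain(chain):
    """Render a chain as 'build -> image -> library -> vulnerable component'."""
    return " -> ".join(chain)


if __name__ == "__main__":
    vulnerable = "maven:com.example:yaml-parser:1.2"
    for artifact, chain in impact_chains(COMPONENT_GRAPH, vulnerable).items():
        print(f"{artifact}: {format_chain(chain)}")
    print("impacted builds:", impacted_builds(COMPONENT_GRAPH, vulnerable))
```

Run as a script, the example reports that a flaw in the parser library reaches two of the three builds through the shared service-core library, while the web-frontend build, which never bundles it, is left out of the impact set. That reverse reachability, computed over the real artifact graph rather than a toy one, is what the impact analysis view in Artifactory is showing you.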

4. End-to-End Support

As the heart of your software development pipeline, Artifactory shepherds all the components of your applications from initial build through staging and release. Xray’s full integration into Artifactory brings security oversight to that entire software development life cycle.

Xray even protects you beyond the release stage, continuing to scan the applications put into production from Artifactory’s repositories for newly discovered vulnerabilities. With KubeXray, you can even extend Xray’s protection to the container apps currently running in Kubernetes clusters.

As software changes accelerate, new vulnerabilities are introduced and discovered at an ever-greater pace. That requires a constant vigilance that covers your entire DevOps pipeline.

Risk never sleeps and, as a part of Artifactory, neither will Xray.