Xray Policies: Govern Your Software Supply Chain with Ease

In modern software, there are many important aspects to governing software. You no longer only care for the quality of your own code, but also care for the quality, security, integrity, legal and other aspects of the open source packages that you use.

The knowledge of how to handle the risks in these quality domains exists across different teams in the organization such as the security/DevSecOps team, legal departments, CTO office, etc. and the practices they use may differ depending on the many parameters such as the severity of the risk, the popularity/maintenance of the package and the the nature of the project using it within the organization.

To translate these company governance policies to some kind of configuration that is easy to understand, extend and maintain is not a simple task.

The latest JFrog Xray 2.2 release introduced an enhanced mechanism for defining and enforcing governance standards on your binaries, bringing additional security and compliance to your software dependencies. You can now represent your different organizational security and license compliance behaviors and strategies in Xray and then easily enforce them on different contexts of your software projects.

What’s a Policy in Xray?

Policies allow you to define a set of standard governance behavior specifications for your organization. Each policy type determines the governance domain in which the behavior specifications should apply on. The two initial policy types that were recently introduced are security and license. Additional policy types will be provided in future releases.

Each policy consists of a set of rules, each rule defines a license/security criteria, with a corresponding set of automatic actions according to your needs. The following diagram describes the flow from the introduction of a new artifact in your repository to scanning and potential automatic actions.

Policies + Watches = Flexible Governance

A policy is contextless, which means that it only defines the specifications of what should be enforced, but not what to enforce it on. Policies are enforced by assigning them to Watches. A single policy can be assigned to many watches. A single Watch may have multiple Policies assigned to it.

Watches only define the scope of the resources you want to watch. You can define a policy once and assign it to as many watches as you like.

When scanning an artifact, Xray completes the following steps:

• Checks Target Resources: Checks if the artifact exists in a watch target resource.
• Checks Filters: Checks if the artifact matches all of the filters in the found watches.
• Processes Assigned Policies: Xray independently processes all of the policies in the found watches. For each assigned policy in a watch, Xray performs the following steps:
  • Processes the rules according to priority.
  • Checks the criteria of the rule.
  • If the criteria is met, Xray generates a violation, the automatic actions are executed and the policy is considered as processed. There is no need to continue to the next rules in the policy.
  • If the criteria is not met, Xray continues to the next rule.
  • In case none of the rules are met, the policy is considered as processed, and Xray continues to the next policy if exists.

Creating a security policy

Creating a license policy

The Value in Policies

Separating the behavior you want to enforce from the context you want to enforce it on provides you with the following key values:

• Efficiency. Reduce work and save time by configuring your policies once and assigning them to multiple watches.
• Flexibility. Configure multiple behaviours with additional functionality such as priority of your security rules.
• Separate Concerns. Delegate permissions to different teams in your organization. Everything related to resources and filters is in the watch, and everything related to security and license compliance is in policies.

Start your free trial and get started with JFrog Xray today!