Onboarding Best Practices: JFrog Xray

Start by selecting one repository.

Navigate to the Administration Module. Click on the Xray Security & Compliancemenu and the Indexed Resources menu item.

Add one repository you’d like to index to your indexed resources by clicking Add a Repository.

Click on “Index Now” to index the existing artifacts in this repository.

Use the advanced search bar, at the top of your screen, to find the recently scanned artifacts.

Navigate to the Application module.

Select Security & Compliance from the search dropdown menu.

Click on the advanced search icon.

Set the “By Scan Date” to today’s date. Click on the Artifacts tab. This will display the artifacts as they are being indexed. Click the “Show in Tree” Xray icon to see the Xray data for a specific artifact.

Go to the Xray tab to see the vulnerabilities and license issues associated with this artifact.

You’ll be able to see the identified open-source components in the Descendents tab, vulnerabilities in the Security tab and attached licenses in the Licenses tab.

Add more repositories to the index. It is recommended to add a group at a time and wait for them to get indexed before moving to the next group.

This means shifting left, making security and compliance part of the developer workflow. Here’s how you can achieve this within the JFrog Platform.

Repository Structure

Creating Artifactory repositories per team and phase in the SDLC (or folders inside repositories), enables each team to handle their specific security and compliance violations. Alongside using the standard central remote repositories such as DockerHub.

Watch Structure

Managing violations per team and phase in the SDLC, by creating a watch per such, enables isolated responsibility of security governance.

Note

A Watch groups together a set of resources, such as repositories, folders, and builds. Policies allow us to define security and license compliance behaviors specific to your organization. Once they are defined, they are enforced by applying them to Watches.Configuring Xray WatchesCreate Watches and Policies for Xray

The following example shows a watch that includes all of the resources forTeam-1-Dev.

Starting the onboarding process with one team will enable you to learn what works and apply the new processes to additional teams in your organization.

Your First Policy

Define a policy that creates violations only for “High” issues, without any actions such as failing builds, preventing downloads, and sending notifications.

This will allow you to sort through each of the violations, and choose either to fix or add to an Allow List using an ignore rule. Once all high-severity issues are cleaned up, actions can be introduced to notify in case of new detected high-severity violations.

This process should be repeated for the medium-severity and low-severity issues.

This is an example of a policy rule without any actions (image 1).

This is an example violations report for Team-1-Dev, showing all the identified high-severity violations.

This is an example of a vulnerable Debian package being used, which can be replaced and fixed.

This is an example of creating an ignore rule that will allow a violation.

This is an example of a policy rule with automatic actions of blocking downloads, blocking release bundles, and failing builds.

Continue to the next team and start the process all over. Once you have two to three initial teams, start the process with the rest of the R&D team, with the help of these initial teams.