Overview
Introducing a security and compliance scanning tool into your organization can be challenging. These best practices, learned from customers, will provide you with the tools for successfully deploying JFrog Xray into your organization.
Xray Quick Scan Guide
This guide will take you through configuring your JFrog Platform instance to start displaying security and license information about the artifacts in your JFrog Artifactory as fast as possible.
Before you start
Install and connect JFrog Xray to your Platform instance.
Note
This guide is also available in PDF version.
1. Select a repository to scan for vulnerabilities and licenses
Start by selecting one repository.
Navigate to the Administration Module. Click on the Xray Security & Compliance menu and then the Indexed Resources menu item.
Add one repository you’d like to index to your indexed resources by clicking Add a Repository.
2. Index your repository
Click on “Index Now” to index the existing artifacts in this repository.
Note
If this is not done, only newly added artifacts will be indexed.
3. View a scanned artifact
Use the advanced search bar, at the top of your screen, to find the recently scanned artifacts.
Navigate to the Application module.
Select Security & Compliance from the search dropdown menu.
Click on the advanced search icon.
Set the “By Scan Date” to today’s date. Click on the Artifacts tab. This will display the artifacts as they are being indexed. Click the “Show in Tree” Xray icon to see the Xray data for a specific artifact.
4. View vulnerabilities and licenses issues
Go to the Xray tab to see the vulnerabilities and license issues associated with this artifact.
You’ll be able to see the identified open-source components in the Descendants tab, vulnerabilities in the Security tab, and attached licenses in the Licenses tab.
What's next
Add more repositories to the index. It is recommended to add a group at a time and wait for them to get indexed before moving to the next group.
Onboarding Xray Best Practices
This video focuses on two keys to success: 1. involving R&D, and 2. starting small and working in cycles.
1. Involve R&D
This means shifting left, making security and compliance part of the developer workflow. Here’s how you can achieve this within the JFrog Platform.
Repository Structure
Creating Artifactory repositories per team and per phase in the SDLC (or folders inside repositories), alongside the standard central remote repositories such as DockerHub, enables each team to handle its own security and compliance violations.
Watch Structure
Managing violations per team and per SDLC phase, by creating a watch for each, gives each team isolated responsibility for its own security governance.
Note
A Watch groups together a set of resources, such as repositories, folders, and builds. Policies allow us to define security and license compliance behaviors specific to your organization. Once they are defined, they are enforced by applying them to Watches.
The following example shows a watch that includes all of the resources for Team-1-Dev.
2. Start Small & Work in Cycles
Starting the onboarding process with one team will enable you to learn what works and apply the new processes to additional teams in your organization.
Your First Policy
Define a policy that creates violations only for “High” issues, without any actions such as failing builds, preventing downloads, and sending notifications.
This will allow you to sort through each of the violations and choose either to fix it or to add it to an Allow List using an ignore rule. Once all high-severity issues are cleaned up, actions can be introduced to notify you when new high-severity violations are detected.
This process should be repeated for the medium-severity and low-severity issues.
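As an added example (not from this guide or from JFrog), the following Python builds the observe-only and enforcing policy payloads and a per-team watch for the cycle above. The field names assume the Xray REST API v2 policy and watch schema and should be checked against your version's API documentation; the e-mail address is a placeholder.

```python
"""Build JFrog Xray v2 policy/watch payloads for a staged per-team rollout.
Assumption (not from the guide): field names follow the Xray REST API v2
policy and watch schema; verify against your Xray version before posting."""
import json

SEVERITIES = ("High", "Medium", "Low")  # rollout order: High first, then Medium, then Low

def build_policy(name: str, min_severity: str, enforce: bool = False) -> dict:
    """Security policy with one rule. enforce=False is the observe-only first
    policy: violations are created but no build fails, no download is blocked
    and nobody is mailed. enforce=True turns those actions on."""
    if min_severity not in SEVERITIES:
        raise ValueError(f"unknown severity {min_severity!r}")
    actions = {
        "fail_build": enforce,
        "block_download": {"active": enforce, "unscanned": False},
        "block_release_bundle_distribution": enforce,
    }
    if enforce:
        actions["mails"] = ["security-team@example.com"]  # placeholder address
    return {
        "name": name,
        "type": "security",
        "rules": [{
            "name": f"{min_severity.lower()}-and-above",
            "priority": 1,
            "criteria": {"min_severity": min_severity},
            "actions": actions,
        }],
    }

def build_watch(name: str, repos: list[str], policy_name: str) -> dict:
    """Watch that scopes one team/phase's repositories to one policy."""
    return {
        "general_data": {"name": name, "active": True},
        "project_resources": {"resources": [
            {"type": "repository", "bin_mgr_id": "default", "name": r} for r in repos]},
        "assigned_policies": [{"name": policy_name, "type": "security"}],
    }

def rollout_plan(team: str) -> list[dict]:
    """Ordered policies for one team: observe then enforce, per severity."""
    plan = []
    for sev in SEVERITIES:
        for enforce in (False, True):
            stage = "enforce" if enforce else "observe"
            plan.append(build_policy(f"{team}-{sev.lower()}-{stage}", sev, enforce))
    return plan

if __name__ == "__main__":
    print(json.dumps(rollout_plan("team-1-dev")[0], indent=2))
```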
This is an example of a policy rule without any actions (image 1).
This is an example violations report for Team-1-Dev, showing all the identified high-severity violations.
This is an example of a vulnerable Debian package being used, which can be replaced and fixed.
This is an example of creating an ignore rule that will allow a violation.
This is an example of a policy rule with automatic actions of blocking downloads, blocking release bundles, and failing builds.
What's Next
Continue to the next team and start the process all over. Once you have two to three initial teams, start the process with the rest of the R&D team, with the help of these initial teams.