Introducing a security and compliance scanning tool into your organization can be challenging. These best practices, learned from customers, will provide you with the tools for successfully deploying JFrog Xray into your organization.
Xray Quick Scan Guide
This guide will take you through configuring your JFrog Platform instance to start displaying security and license information about the artifacts in your JFrog Artifactory as fast as possible.
Before you start
This guide is also available as a PDF.
1. Select a repository to scan for vulnerabilities and licenses
Start by selecting one repository.
Navigate to the Administration Module. Click on the Xray Security & Compliance menu and then the Indexed Resources menu item.
Add one repository you’d like to index to your indexed resources by clicking Add a Repository.
2. Index your repository
Click on “Index Now” to index the existing artifacts in this repository.
If this is not done, only newly added artifacts will be indexed.
3. View a scanned artifact
Use the advanced search bar, at the top of your screen, to find the recently scanned artifacts.
Navigate to the Application module.
Select Security & Compliance from the search dropdown menu.
Click on the advanced search icon.
Set the “By Scan Date” to today’s date. Click on the Artifacts tab. This will display the artifacts as they are being indexed. Click the “Show in Tree” Xray icon to see the Xray data for a specific artifact.
4. View vulnerabilities and licenses issues
Go to the Xray tab to see the vulnerabilities and license issues associated with this artifact.
You’ll be able to see the identified open-source components in the Descendants tab, vulnerabilities in the Security tab, and attached licenses in the Licenses tab.
Add more repositories to the index. It is recommended to add a group at a time and wait for them to get indexed before moving to the next group.
Onboarding Xray Best Practices
This video focuses on two keys to success: 1. involving R&D, and 2. starting small and working in cycles.
1. Involve R&D
This means shifting left, making security and compliance part of the developer workflow. Here’s how you can achieve this within the JFrog Platform.
Creating Artifactory repositories per team and per SDLC phase (or folders inside repositories), alongside the standard central remote repositories such as DockerHub, enables each team to handle its own security and compliance violations.
Managing violations per team and SDLC phase, by creating a watch for each, isolates responsibility for security governance.
A Watch groups together a set of resources, such as repositories, folders, and builds. Policies allow us to define security and license compliance behaviors specific to your organization. Once they are defined, they are enforced by applying them to Watches.
The following example shows a watch that includes all of the resources for Team-1-Dev.
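As an added example (not from the guide or JFrog), the same per-team, per-phase layout expressed as the JSON payloads of the Xray REST API v2 create-policy and create-watch calls; the team names, the repository naming convention and the severity thresholds per phase are this example's assumptions:

```python
"""Build one Xray security policy and one watch per team and SDLC phase (added example).
Payload shapes follow the Xray REST API v2 create-policy and create-watch calls; team names,
repository naming and severity thresholds are this example's assumptions."""
import json

# Assumed convention: later phases are stricter (downloads are blocked only in prod).
PHASE_RULES = {
    "dev":  {"min_severity": "Critical", "block_download": False},
    "qa":   {"min_severity": "High",     "block_download": False},
    "prod": {"min_severity": "High",     "block_download": True},
}

def repo_name(team: str, phase: str) -> str:
    """Assumed naming convention for the per-team, per-phase local repository."""
    return f"{team.lower()}-{phase}-docker-local"

def build_policy(team: str, phase: str) -> dict:
    """Security policy with one rule: fail builds at or above the phase's threshold."""
    rule = PHASE_RULES[phase]
    return {
        "name": f"{team}-{phase}-security",
        "type": "security",
        "rules": [{
            "name": f"{rule['min_severity'].lower()}-and-above",
            "priority": 1,
            "criteria": {"min_severity": rule["min_severity"]},
            "actions": {
                "fail_build": True,
                "block_download": {"active": rule["block_download"], "unscanned": False},
            },
        }],
    }

def build_watch(team: str, phase: str) -> dict:
    """One watch per team and phase, so each team owns only its own violations."""
    return {
        "general_data": {"name": f"{team}-{phase}", "active": True},
        "project_resources": {"resources": [{
            "type": "repository", "bin_mgr_id": "default", "name": repo_name(team, phase),
        }]},
        "assigned_policies": [{"name": build_policy(team, phase)["name"], "type": "security"}],
    }

def build_all(teams, phases=tuple(PHASE_RULES)) -> list:
    return [(build_policy(t, p), build_watch(t, p)) for t in teams for p in phases]

if __name__ == "__main__":
    for policy, watch in build_all(["Team-1", "Team-2"]):
        print(json.dumps({"policy": policy, "watch": watch}, indent=2))
```

Each pair would be sent to the Xray `policies` and then `watches` endpoints, policy first, since the watch references the policy by name.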