Onboarding Best Practices: JFrog Xray

Get Started with the JFrog Platform


Overview

Introducing a security and compliance scanning tool into your organization can be challenging. These best practices, learned from customers, will provide you with the tools for successfully deploying JFrog Xray into your organization.

Xray Quick Scan Guide

This guide will take you through configuring your JFrog Platform instance to start displaying security and license information about the artifacts in your JFrog Artifactory as fast as possible.

Before you start

Install and connect JFrog Xray to your Platform instance.

Note

This guide is also available in PDF version.

1. Select a repository to scan for vulnerabilities and licenses

Start by selecting one repository.

Navigate to the Administration module. Click on the Xray Security & Compliance menu and then the Indexed Resources menu item.

[Figure: Administration module tab]

Add one repository you’d like to index to your indexed resources by clicking Add a Repository.

[Figure: Add repository to index]

2. Index your repository

Click on “Index Now” to index the existing artifacts in this repository.

Note

If this is not done, only newly added artifacts will be indexed.

[Figure: Index repository]

3. View a scanned artifact

Use the advanced search bar, at the top of your screen, to find the recently scanned artifacts.

Navigate to the Application module.

[Figure: Application module tab]

Select Security & Compliance from the search dropdown menu.

[Figure: Security and Compliance search option]

Click on the advanced search icon.

[Figure: Advanced search icon]

Set “By Scan Date” to today’s date, then click on the Artifacts tab. This displays the artifacts as they are being indexed. Click the “Show in Tree” Xray icon to see the Xray data for a specific artifact.

[Figure: Security and Compliance search results]

4. View vulnerabilities and license issues

Go to the Xray tab to see the vulnerabilities and license issues associated with this artifact.

You’ll be able to see the identified open-source components in the Descendants tab, vulnerabilities in the Security tab, and attached licenses in the Licenses tab.

[Figure: Xray security tab]

What's next

Add more repositories to the index. It is recommended to add one group of repositories at a time and wait for them to finish indexing before moving on to the next group.

Onboarding Xray Best Practices

This video focuses on two keys to success: 1. involving R&D, and 2. starting small and working in cycles.

1. Involve R&D

This means shifting left: making security and compliance part of the developer workflow. Here’s how you can achieve this within the JFrog Platform.

Repository Structure

Creating Artifactory repositories per team and per phase in the SDLC (or folders inside repositories), alongside the standard central remote repositories such as DockerHub, enables each team to handle its own security and compliance violations.

[Figure: Artifactory central remote repositories]
[Figure: Artifactory repositories per team]

Watch Structure

Managing violations per team and per SDLC phase, by creating a watch for each, gives each team isolated responsibility for its own security governance.

Note

A Watch groups together a set of resources, such as repositories, folders, and builds. Policies allow you to define security and license compliance behaviors specific to your organization. Once they are defined, they are enforced by applying them to Watches. See Configuring Xray Watches and Create Watches and Policies for Xray.
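A practical way to keep the per-team, per-phase watch layout honest over time is to check it: every indexed repository should belong to exactly one watch, and every watch should carry at least one policy (a watch with no policy never raises a violation). The script below is an added example and is not JFrog's code. It assumes the watch list has the shape returned by Xray's REST endpoint GET /xray/api/v2/watches (general_data.name, project_resources.resources[], assigned_policies[]); confirm the field names against the REST API documentation for your Xray version. The repository names and watch definitions in the sample are constructed.

```python
"""Coverage check for a per-team, per-phase Xray watch structure.

Added example, not part of the JFrog documentation or product.
Assumed API shape: GET /xray/api/v2/watches returns a list of watches with
  general_data.name, project_resources.resources[] and assigned_policies[].
"""
import json
import urllib.request
from collections import defaultdict


def fetch_watches(base_url, access_token):
    """Fetch all watches from the platform (assumed endpoint: GET /xray/api/v2/watches)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/xray/api/v2/watches",
        headers={"Authorization": f"Bearer {access_token}"},
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def watch_coverage(indexed_repos, watches):
    """Report three deviations from the one-watch-per-team-and-phase layout:
    - uncovered: indexed repositories that no watch includes (violations go unseen)
    - shared:    repositories included by more than one watch (responsibility is no longer isolated)
    - no_policy: watches with no assigned policy (they can never raise a violation)
    """
    repo_to_watches = defaultdict(list)
    no_policy = []
    for watch in watches:
        name = watch["general_data"]["name"]
        if not watch.get("assigned_policies"):
            no_policy.append(name)
        for res in watch.get("project_resources", {}).get("resources", []):
            if res.get("type") == "repository":
                repo_to_watches[res["name"]].append(name)
    return {
        "uncovered": sorted(r for r in indexed_repos if r not in repo_to_watches),
        "shared": {r: ws for r, ws in repo_to_watches.items() if len(ws) > 1},
        "no_policy": no_policy,
    }


# Constructed sample data: repositories named per team and phase, and two watches.
SAMPLE_INDEXED_REPOS = [
    "team-1-dev-local",
    "team-1-prod-local",
    "team-2-dev-local",
    "docker-remote",
]
SAMPLE_WATCHES = [
    {
        "general_data": {"name": "team-1-dev"},
        "project_resources": {"resources": [
            {"type": "repository", "bin_mgr_id": "default", "name": "team-1-dev-local"},
        ]},
        "assigned_policies": [{"name": "sec-high", "type": "security"}],
    },
    {
        # Deliberately misconfigured: overlaps with team-1-dev and has no policy.
        "general_data": {"name": "team-1-prod"},
        "project_resources": {"resources": [
            {"type": "repository", "bin_mgr_id": "default", "name": "team-1-prod-local"},
            {"type": "repository", "bin_mgr_id": "default", "name": "team-1-dev-local"},
        ]},
        "assigned_policies": [],
    },
]

if __name__ == "__main__":
    # For a live check, replace the sample with fetch_watches(base_url, token)
    # and the indexed repository list from the Indexed Resources screen.
    print(json.dumps(watch_coverage(SAMPLE_INDEXED_REPOS, SAMPLE_WATCHES), indent=2))
```

Run against the sample, the report flags team-2-dev-local and docker-remote as uncovered, team-1-dev-local as shared between two watches, and team-1-prod as a watch without a policy; each of these is something to fix before adding the next group of repositories to the index.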

The following example shows a watch that includes all of the resources for Team-1-Dev.