Step 4: Scan for OSS Security Vulnerabilities and Compliance for Maven

Get Started with the JFrog Platform

Content Type
Administration / Platform

This step walks you through defining a Policy, assigning it to a Watch, selecting a repository to monitor, and running your scan!

  1. Navigate to the Administration Module.

  2. Click Xray | Settings under Services.

  3. Click Indexed Resources.

  4. Click Add a Repository and select “maven/gradle-challenge-local”, “maven/gradle-challenge-remote” repositories to indexed resources.

  5. Define a security policy that you can later enforce in a watch.

    • Click Xray | Watches & Policies under Services in the the Administration Module.

    • In the Policies tab, create a new policy called “maven/gradle-security”, of type Security, with a rule called “maven/gradle-high-severities” set with High-Severities.

  6. Define a watch that includes your new security policy. A watch provides context to a policy by assigning it to resources such as repositories.

    • Click Xray | Watches & Policies under Services in the the Administration Module.

    • Click the Watches tab and create a new watch called “sample-watch”, with your two repositories and your policy assigned to it by clicking Manage Policies.


      Watches, Policies & Rules

      Policies allow us to define security and license compliance behaviors specific to your organization. Once they are defined, they are enforced by applying them to Watches. Rules define the behaviors that we want to enforce.

  7. Run your scan by hovering over your watch and click Apply on Existing Content to trigger it manually.Configuring Xray Watches


    The Xray scan may take some time to complete and show the vulnerabilities results. You can return to this step later to see your vulnerabilities.

  8. View any discovered vulnerabilities by clicking on your watch.

Congratulations! You’re all set and ready to continue exploring the JFrog Platform.