How to create Xray security policies and watches? [Video]


Author: Or Naishtat
Article number: 000004968
First published: 2020-12-24T13:02:27Z
Last modified: 2025-05-14
Version: 11
In this video, we will learn what Xray security policies and watches are, and how to create them.

Video Transcript:

Hi, my name is Or N from JFrog Support, and in this short video, I will show you how to create Xray security policies and watches. But first, we will briefly discuss what security policies and watches are.
First, policies. Xray supports two types of policies: security and license. Every policy has its own rule, and every rule has its own criteria and its own automatic actions, which will take place for each package that meets the criteria.
As for watches, watches are our way to manage groups of resources. We can define a watch for a stage, for example, production or test; for a group, for example, Team A or Team B; and under this watch we can put all the relevant resources. Policies without a watch are essentially contextless — they exist but they are not applied to any defined resource.

Now, let's see how we define these policies and watches. To create a new security policy, we go to the Applications tab → Security and Compliance → Policies → Create a policy. On this page, I will name the policy, I will choose the type, and I can add a short description for the policy. Let's call our policy JFrog. In our case, we will choose security.

Now, we will create a new rule on the policy. Let's name the rule All. Here, we will define the criteria. If these criteria are matched, the automatic actions will be triggered. So let's choose all severities, and the actions I want to be triggered are generate violation, block download, and fail build. Save and create.

Now that the policy is created, we need to apply it to a watch. For that, we will go to Watches → Set up a watch. On this page, we will choose a name for the watch, we can add a description, add resources, and manage the policies which will be applied to this watch.

As for the name, we will call this Production. Now let's add our repositories that are currently indexed by Xray. Now we will add the policy that we would like to apply to these resources in our group. This is the JFrog policy which we just created. Let's save and create.

Okay, so we have a watch with a policy. It's important to note that a watch can have several policies applied. As of now, you can see that this watch has no violations, but it will be applied automatically to any new content that is added.

In order to apply it to the existing content, we need to click this button: Apply to existing content, and we can choose the range and click OK.

Now, if we choose Calculate again, we will see that our watch has 19 violations. You can view them here.

This was my video about Xray policies and watches. Thank you for watching, and I hope you enjoyed. Feel free to leave your comments, feedback, and questions in the comment section below.
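The video performs every step in the UI. The same flow (create the security policy with one all-severities rule, create the watch over indexed repositories, assign the policy, apply the watch to existing content, then count violations) is scripted below against the Xray REST API. This is an added example, not JFrog's code and not part of the video. The endpoint paths and JSON field names follow the public Xray REST API (v2 policies and watches, v1 applyWatch and violations) as I recall them and should be checked against the docs for your Xray version; the host, token, repository names and the "All Severities" value for min_severity are assumptions. It also adds one check the video only states in words: policies assigned to no watch are contextless, so unassigned_policies() reports them.

```python
"""Create an Xray security policy and watch via the REST API.

Added example, not JFrog's own code. Endpoint paths and payload field names
are from the public Xray REST API as remembered by the author of this example;
verify them against the documentation for your Xray version.
"""
import json
import os
import urllib.request

# Placeholders (assumptions): point these at your own instance.
BASE_URL = os.environ.get("JFROG_URL", "https://example.jfrog.io")
TOKEN = os.environ.get("JFROG_ACCESS_TOKEN", "")


def build_security_policy(name, rule_name="All", description=""):
    """Policy with one rule matching all severities, mirroring the video.

    A violation is always generated when a rule matches; the API has no
    separate "generate violation" flag, that action is implicit.
    """
    return {
        "name": name,
        "type": "security",
        "description": description,
        "rules": [{
            "name": rule_name,
            "priority": 1,
            # "All Severities" is assumed to be the API spelling of the UI's
            # "all severities"; "Low" is the conservative fallback.
            "criteria": {"min_severity": "All Severities"},
            "actions": {
                "block_download": {"active": True, "unscanned": False},
                "fail_build": True,
                "notify_watch_recipients": False,
                "notify_deployer": False,
                "webhooks": [],
            },
        }],
    }


def build_watch(name, repos, policy_names, description=""):
    """Watch over the given (already indexed) repositories with policies."""
    return {
        "general_data": {"name": name, "description": description, "active": True},
        "project_resources": {"resources": [
            {"type": "repository", "bin_mgr_id": "default", "name": repo,
             "filters": [{"type": "regex", "value": ".*"}]}
            for repo in repos
        ]},
        "assigned_policies": [{"name": p, "type": "security"} for p in policy_names],
        "watch_recipients": [],
    }


def build_apply_watch(watch_name, start_date, end_date):
    """Body for 'Apply to existing content' over a date range (UTC dates)."""
    return {"watch_names": [watch_name],
            "date_range": {"start_date": f"{start_date}T00:00:00Z",
                           "end_date": f"{end_date}T23:59:59Z"}}


def unassigned_policies(policies, watches):
    """Names of policies no watch references: they exist but apply nowhere."""
    assigned = {p["name"] for w in watches for p in w["assigned_policies"]}
    return {p["name"] for p in policies} - assigned


def post(path, payload):
    """POST JSON to Xray with a bearer access token; returns parsed JSON."""
    req = urllib.request.Request(
        BASE_URL + path, data=json.dumps(payload).encode(), method="POST",
        headers={"Content-Type": "application/json",
                 "Authorization": f"Bearer {TOKEN}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


def main():
    policy = build_security_policy("JFrog", description="Block and fail on any CVE")
    watch = build_watch("Production", ["libs-release-local"], ["JFrog"])
    assert not unassigned_policies([policy], [watch])
    post("/xray/api/v2/policies", policy)
    post("/xray/api/v2/watches", watch)
    post("/xray/api/v1/applyWatch", build_apply_watch("Production", "2020-01-01", "2025-12-31"))
    result = post("/xray/api/v1/violations", {
        "filters": {"watch_name": "Production"},
        "pagination": {"order_by": "created", "direction": "asc", "limit": 100, "offset": 1}})
    print("violations:", result.get("total_violations", 0))


if __name__ == "__main__":
    main()
```

Run with JFROG_URL and JFROG_ACCESS_TOKEN set; the token needs admin-level Xray permissions to create policies and watches. Applying the watch to existing content is asynchronous on the server, so the violation count may lag for a while after the applyWatch call, just as the video has to press Calculate again.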