Scan Release Bundles (v2) with Xray

JFrog Artifactory Documentation


Subscription Information

This feature is supported with Enterprise X and Enterprise+ licenses.

As a Release Bundle is promoted through different environments towards production and eventual distribution to Distribution Edge nodes, it is crucial to ensure that the Release Bundle does not contain potential security risks.

JFrog Xray enables you to validate the security risk of a Release Bundle v2 and optionally prevent its promotion and distribution when a risk is detected.

Note

The ability to scan Release Bundles v2 requires Artifactory version 7.68.6 or later and Xray version 3.82.6 or later.

The workflow for scanning Release Bundles v2 is described below.

One-time setup procedures performed by a Security Admin:

  • Step 1 - Index Resources

    In order for Xray to scan the Release Bundle v2, the resource must first be indexed. For more information, see Indexing Xray Resources.

  • Step 2 - Create Security Policies

    An Xray administrator can create policies with specific rules that, if violated, trigger actions such as blocking the Release Bundle from being promoted and/or distributed.

    For more information about policies, see Creating Xray Policies and Rules.

  • Step 3 - Attach Policies to Watches

    Watches apply a defined policy to specific indexed resources. Use Watches to ensure that Release Bundles are scanned by the appropriate policy. For more information, see Configuring Xray Watches.

Procedures performed during the software development process:

  • Step 4 - Scan Release Bundles

    Xray scans the Release Bundle as soon as it exists as an indexed resource. Any vulnerabilities discovered in the artifacts that comprise the Release Bundle can be viewed in the Xray Scan List (see Xray Scan Results).

    When you act to promote or distribute a Release Bundle, the status of the scan is retrieved from Xray. If Xray detects that the Release Bundle violates one of the rules in the policy defined by the Watch, Xray performs the action defined by the policy. These actions can include blocking the promotion or distribution operation.

    Note

    The status of the promotion or distribution action remains PROCESSING until the scan is complete.

    If the policy blocks the Release Bundle from being promoted or distributed, you can view a list of violations in Xray.

  • Step 5 - View, Evaluate, and Resolve Scan Results

    You can view the scan results by navigating to the Scans List page in Xray.

    Resolve the security issues as necessary to proceed with promotion and distribution. For more information about the different scans provided by Xray and how to resolve issues, see Xray Scan Results.

    Tip

    You can also collect scan results using REST APIs:

Understanding the Blocking Process

A Release Bundle v2 is blocked by Xray from being promoted and/or distributed when all of the following conditions are met:

  • Xray 3.82.6 or higher is installed, enabled, and available.

    Note

    There is an optional Xray setting that allows promotion and distribution without scanning if Xray is enabled but unavailable. For more information, see the Advanced Settings section in Configuring Xray.

  • The Release Bundle has been indexed as a resource.

  • There is a Watch defined that ties together this Release Bundle with a policy that triggers an action (for example, blocking promotion and/or distribution) if the criteria defined by the policy are met. For example, if a direct vulnerability of a certain severity is discovered in one of the scanned artifacts that comprise the Release Bundle, promotion and distribution of the Release Bundle are blocked.

Note

In certain circumstances, the indexing process might take a long time to complete. There is a defined timeout setting; if it is exceeded while indexing is still in progress or otherwise stuck, the promotion or distribution action fails.
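As an added illustration (not JFrog's code), the following Python model captures the gate decision described in Step 4 and in this section: every condition must hold for a block, the action stays PROCESSING until the scan completes, indexing that runs past the timeout fails the action, and the optional bypass setting lets an unscanned bundle through when Xray is unavailable. The field names, the severity ordering, the 600-second default timeout, and the choice to keep the action pending when Xray is unavailable without the bypass are assumptions made for the model, not Artifactory settings.

```python
from dataclasses import dataclass
from enum import Enum

class Outcome(Enum):
    ALLOWED = "allowed"        # promotion/distribution may proceed
    BLOCKED = "blocked"        # a Watch policy rule fired with a block action
    PROCESSING = "processing"  # scan not finished; the action stays pending
    FAILED = "failed"          # indexing exceeded the configured timeout

# Constructed severity order for comparing findings against a rule threshold.
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class XrayState:                   # hypothetical model of the Xray deployment
    version: tuple                 # e.g. (3, 82, 6)
    enabled: bool
    available: bool
    allow_when_unavailable: bool   # the optional Advanced Settings bypass

@dataclass
class WatchPolicy:                 # hypothetical model of a Watch plus its policy
    covers_bundle: bool            # a Watch ties this bundle to the policy
    min_severity: str              # rule fires at this severity or above
    block_promotion: bool
    block_distribution: bool

@dataclass
class BundleScan:                  # hypothetical model of the bundle's scan state
    indexed: bool
    indexing_seconds: float        # how long indexing has been running
    scan_complete: bool
    findings: list                 # severities of direct vulnerabilities found

def evaluate(action, xray, watch, scan, index_timeout_seconds=600.0):
    # action is "promote" or "distribute"; the timeout default is an assumption
    if not xray.enabled or xray.version < (3, 82, 6):
        return Outcome.ALLOWED     # no supported Xray: nothing gates the action
    if not xray.available:
        # Bypass on: proceed unscanned. Otherwise (assumption) the action waits.
        return Outcome.ALLOWED if xray.allow_when_unavailable else Outcome.PROCESSING
    if not scan.indexed and scan.indexing_seconds > index_timeout_seconds:
        return Outcome.FAILED      # indexing stuck past the timeout
    if not scan.indexed or not scan.scan_complete:
        return Outcome.PROCESSING  # status stays PROCESSING until the scan is done
    blocks = watch.block_promotion if action == "promote" else watch.block_distribution
    if not (watch.covers_bundle and blocks):
        return Outcome.ALLOWED     # no Watch/policy block action applies here
    threshold = SEVERITY_RANK[watch.min_severity]
    if any(SEVERITY_RANK[s] >= threshold for s in scan.findings):
        return Outcome.BLOCKED
    return Outcome.ALLOWED
```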