Step 3: Scan for OSS Security Vulnerabilities and Compliance

JFrog Hosting Models Documentation

Content Type
User Guide

This step will walk you through defining a Policy, assigning it to a Watch, selecting a repository to monitor, and running your scan!

  1. Navigate to the Administration Module. Click on the Xray Security & Compliance menu and the Indexed Resources menu item.

  2. Add your “docker-quickstart-local”, “docker-quickstart-remote” repositories to your indexed resources by clicking Add a Repository.


    Keep in mind for your future work that indexing all repositories is resource intensive. It is recommended to select only the repositories you need to scan according to your organization needs.

  3. Define a security policy that you will later enforce in a watch.

    • Navigate to the Application module, expand the Security & Compliance menu and click the Policies menu item.

      Application module Security and Compliance menu Policies.png
    • Create a new policy called “docker-security”, of type Security, with a rule called “docker-all-severities” set with All-Severities.

  4. Define a watch that includes your new security policy.

    • Navigate to the Application module, expand the Security & Compliance menu and click the Watches menu item.

    • Create a new watch called “sample-watch”, with your 2 repositories (“docker-quickstart-local” and “docker-quickstart-remote”) and your “docker-security” policy assigned to it by clicking Manage Policies.

      Watches, Policies & Rules

      Policies allow us to define security and license compliance behaviors specific to your organization. Once they are defined, they are enforced by applying them to Watches. Rules define the behaviors that we want to enforce.

  5. Run your scan by hovering over your watch and clicking Apply on Existing Content to manually trigger it.


    The Xray scan may take some time to complete and show the vulnerabilities results. You can return to this step later to see your vulnerabilities.

  6. View any discovered vulnerabilities by clicking on your watch.