JFrog Advanced Security Readiness Checking

JFrog Installation & Setup Documentation

Content Type
Installation & Setup
ft:sourceType
Paligo

Tip

You are in Step 4, the final step of the JFrog Advanced Security installation. If you haven't done the previous steps, refer to Installing JFrog Advanced Security

The following steps will help you validate if your Self-Hosted JFrog Platform is correctly configured and ready with the JFrog Advanced Security service.

Starting with Xray version 3.107.x for Self-Hosted, we have implemented a specialized Advanced Security health check monitoring feature. This feature will assist you in determining which components are operational or absent, ensuring your Advanced Security service runs effectively.

Enabling Health Check Cron Job
  • For Helm Installation: Add the following setting in your helm upgrade command

    --set jas.healthcheck.enabled=true
  • For RPM/DEB/Docker Compose Installation: Configure this in the JFrog Advanced Security installation script.

You can see the feature was enabled in the platform in Administration > Xray Settings.

Screenshot_2024-11-25_at_12_15_35.png

Once activated, you can check the status in the upper banner Administration > Xray Settings > Monitoring

Screenshot_2024-11-25_at_12_16_22.png
Health Check Indicators
Troubleshoot the JFConnect Microservice

JFConnect microservice acts as the JPD (JFrog Deployment) entitlements service and enables dynamic entitlement allocation for the connected products, based on account/subscription changes in JFrog’s main entitlements server. For more information on the service, see JFConnect Microservice.

  1. Make sure JFconnect is enabled in your JFrog platform system.yaml setting file. Allocate JFConnect in the JFrog platform system.yaml, at the global level and make sure it is enabled:

    Jfconnect:
      enabled: true
  2. If you run behind a proxy add jfconnect proxy settings. Make sure the below additional settings are in place:

    jfconnect: enabled: true
    env:
      http_proxy: "http://yourproxyaddress/"
      https_proxy: "http://yourproxyaddress"
      no_proxy: "localhost,127.0.0.1"
  3. Restart your JFrog system and check again to see if JFConnect is functioning as expected. To verify that the JFConnect microservice is operating correctly, please follow these steps:

    1. Call the following URL: https://your.domain//ui/api/v1/jfconnect/entitlements

    2. You should receive an array containing entitlement information (it should not be empty).

If you do not see the expected results, please consult the JFConnect help center for further assistance. An empty array indicates that JFConnect is not functioning properly. If the service continues to have issues, please reach out to your JFrog technical support representative.

Ensure your JFrog Platform instance has the necessary entitlements for JFrog Advanced Security

Follow these steps to verify that JFrog Advanced Security is enabled in your JFrog Platform environment:

  1. Access the following URL: https://your.domain/ui/api/v1/jfconnect/entitlements.

  2. The expected output is an array of entitlements, that includes the JFrog Advanced Security entitlement.

  3. To find the JFrog Advanced Security entitlements, search for ‘secrets_detection’ in the returned response.

Example:

{
      "name": "secrets_detection",
      "value": 1,
      "expiryDate": "2026-07-20T00:00:00.000Z",
      "productExpiryDate": "2026-07-20T00:00:00.000Z",
      "isTrial": true,
      "customerId": "",
      "blockingQuantity": 1,
      "dependentOnAction": xray_advanced_actions
 }

If you got an empty result please refer to the troubleshooting jfconnect micro service section.

If you have the entitlement information but are missing the JFrog Advanced Security details in the returned data, it likely indicates that JFrog has not assigned you the necessary JFrog Advanced Security entitlement. Please reach out to your JFrog sales representative or JFrog support for assistance.

Ensure your Advanced Security K3S/K8S is configured correctly

The Advanced Security feature utilizes K8S for Helm and OpenShift installations, and K3S for DEB, RPM, or Docker Compose installations. Our health check procedure ensures that all nodes are operational and that communication between services is functioning properly.

Error Example

kubernetes_job_status_contextual_analysis": "Got timeout for job jas-health-check-72ab496c-fe70-4a7b-960b-1b0b52899b48, events: [\n\t{\n\t\t\"type\": \"Warning\",\n\t\t\"reason\": \"FailedScheduling\",\n\t\t\"firstTimestamp\": \"0001-01-01T00:00:00Z\",\n\t\t\"message\": \"0/1 nodes are available: 1 Insufficient cpu, 1 Insufficient memory. preemption: 0/1 nodes are available: 1 No preemption victims found for incoming pod..\"\n\t}\n]",

If this check fails, please verify the following:

  • Ensure you have sufficient processor and memory resources.

  • For Helm/OpenShift installations, confirm that you have configured the Service Account and RBAC authorization properly. Refer to the instructions here: JFrog Advanced Security Installation Guide

  • For DEB/RPM/Docker Compose installations, ensure your K3S setup is correct.

    sudo systemctl status k3s
    sudo k3s kubectl get nodes
Ensure Your Advanced Security Containers Accessibility

The Advanced Security feature utilizes containers to perform scans. Our health check process ensures the accessibility and operational status of JFrog Advanced Security containers, identifying any access restrictions or network issues impacting container communication.

Error example

\"releases-docker.jfrog.io/jfrog/xray-jas-contextual-analysis:3.999.99-feature-XRAY-80150-3-24\": failed to pull and unpack image 

If this check fails, please verify the following:

Ensure Proper Synchronization of your Advanced Security Database.

The Advanced Security feature requires two additional database packages, along with the Xray database package: Contextual Analysis and Exposures. In the case of online database synchronization, both packages are automatically incorporated into the broader Xray database synchronization process.

For offline synchronization, please refer to the instructions available on the administration Xray DB sync screen. (Administration > Xray Settings > Database Sync).

If this check fails, please do the following:

  • Manually initiate the DBSYNC process to maintain data consistency and address errors.

  • Verify that adequate disk space is available.

  • Ensure that the disks utilized for Xray and its database are SSDs that meet the required IOPS specifications.