From version 2.9.0, Jenkins Artifactory Plugin is integrated with JFrog Xray through JFrog Artifactory allowing you to have build artifacts scanned for vulnerabilities and other issues. If issues or vulnerabilities are found, you may choose to fail a build job or perform other actions according to the Pipeline script you write. This integration requires JFrog Artifactory v4.16 and above and JFrog Xray v1.6 and above.
You may scan any build that has been published to Artifactory. It does not matter when the build was published, as long as it was published before triggering the scan by JFrog Xray.
The following instructions show you how to configure your Pipeline script to have a build scanned.
First, for Xray to scan builds, you need to configure a Watch with the right filters that specify which artifacts and vulnerabilities should trigger an alert, and set a Fail Build Job Action for that Watch. You can read more about CI/CD integration with Xray here.
Now you can configure your Jenkins Pipeline job to scan the build.. Start by creating a scanConfig instance with the build name and build number you wish to scan:
def scanConfig = [ 'buildName' : 'my-build-name', 'buildNumber' : '17', // Only if this build is associated with a project in Artifactory, set the project key as follows. 'project' : 'my-project-key' ]
If you're scanning a build which has already been published to Artifactory in the same job, you can use the build name and build number stored on the buildInfo instance you used to publish the build. For example:
server.publishBuildInfo buildInfo def scanConfig = [ 'buildName' : buildInfo.name, 'buildNumber' : buildInfo.number, // Only if this build is associated with a project in Artifactory, set the project key as follows. 'project'. : 'my-project-key' ]
Before you trigger the scan, there's one more thing you need to be aware of. By default, if the Xray scan finds vulnerabilities or issues in the build that trigger an alert, the build job will fail. If you don't want the build job to fail, you can add the 'failBuild' property to the scanConfig instance and set it to 'false' as shown here:
def scanConfig = [ 'buildName' : buildInfo.name, 'buildNumber' : buildInfo.number, // Only if this build is associated with a project in Artifactory, set the project key as follows. 'project' : 'my-project-key', 'failBuild' : false ]
OK, we're ready to initiate the scan. The scan should be initiated on the same Artifactory server instance, to which the build was published:
def scanResult = server.xrayScan scanConfig
That's it. The build will now be scanned. If the scan is not configured to fail the build job, you can use the scanResult instance returned from the xrayScan method to see some details about the scan.
For example, to print the result to the log, you could use the following code snippet:
echo scanResult as String
For more details on the integration with JFrog Xray and JFrog Artifactory to scan builds for issues and vulnerabilities, see CI/CD Integration in the JFrog Xray documentation.