The XrayScan native step triggers a JFrog Xray scan for security vulnerabilities and license compliance. If there was a watch created that covers the selected build, Xray will scan the indexed build artifacts.
YAML Schema
The YAML schema for XrayScan native step is as follows:
XrayScan
pipelines:
- name: <string>
steps:
- name: scan
type: XrayScan
configuration:
#inherits all the tags from bash
failOnScan: <boolean> # default true
inputResources:
- name: <BuildInfo resource> # required
trigger: false
outputResources:
- name: <BuildInfo resource> # optional
execution:
onStart:
- echo "Preparing for work..."
- echo "Prepping build environment"
onSuccess:
- echo "Job well done!"
onFailure:
- echo "uh oh, something went wrong"
onComplete: #always
- echo "Cleaning up some stuff"Tags
name
An alphanumeric string (underscores are permitted) that identifies the step.
type
Must be XrayScan for this step type.
configuration
Specifies all configuration selections for the step's execution environment. This step inherits the Bash/ PowerShell step configuration tags, including these pertinent tags:
Tag | Description of usage | Required/Optional |
|---|---|---|
| Must specify a BuildInforesource . The | Required |
| May specify a BuildInforesource. The BuildInfo will be updated with the | Optional |
In addition, these tags can be defined to support the step's native operation:
Tags derived from Bash
All native steps derive from the Bash step. This means that all steps share the same base set of tags from Bash, while native steps have their own additional tags as well that support the step's particular function. So it's important to be familiar with the Bash step definition, since it's the core of the definition of all other steps.
Tag | Description of usage | Required/Optional |
|---|---|---|
| When set to Default is | Optional |
execution
Declares collections of shell command sequences to perform for pre- and post-execution phases:
Tag | Description of usage | Required/Optional |
|---|---|---|
| Commands to execute in advance of the native operation | Optional |
| Commands to execute on successful completion | Optional |
| Commands to execute on failed completion | Optional |
| Commands to execute on any completion | Optional |
The actions performed for the onExecute phase are inherent to this step type and may not be overridden.
Note
onExecute, onStart, onSuccess, onFailure, and onComplete are reserved keywords. Using these keywords in any other context in your execution scripts can cause unexpected behavior.
Examples
The following examples show how to configure a XrayScan step.
Trigger an Xray Scan for Build Name and Number
Triggers an Xray scan for the build name and number provided by an input BuildInfo resource.
This example require a GitHub Integration and an Artifactory Integration.
The Pipelines DSL for this example is available in t his repository in the JFrog GitHub account.
XrayScan
template: true # required for local templates
valuesFilePath: ./values.yml
resources:
- name: app_repo
type: GitRepo
configuration:
gitProvider: {{ .Values.gitIntegration }}
path: {{ .Values.gitRepositoryPath }}
branches:
include: master
- name: app_buildinfo
type: BuildInfo
configuration:
sourceArtifactory: {{ .Values.artifactoryIntegration }}
- name: app_promoted_buildinfo
type: BuildInfo
configuration:
sourceArtifactory: {{ .Values.artifactoryIntegration }}
pipelines:
- name: app_dev_pipeline
steps:
- name: app_build
type: DockerBuild
configuration:
affinityGroup: docker_group
dockerFileLocation: .
dockerFileName: Dockerfile
dockerImageName: {{ .Values.artifactoryUrl }}/{{ .Values.sourceRepository }}/{{ .Values.imageName }}
dockerImageTag: ${run_number}
inputResources:
- name: app_repo
integrations:
- name: {{ .Values.artifactoryIntegration }}
- name: app_push
type: DockerPush
configuration:
affinityGroup: docker_group
targetRepository: {{ .Values.sourceRepository }}
integrations:
- name: {{ .Values.artifactoryIntegration }}
inputSteps:
- name: app_build
- name: publish_app_build
type: PublishBuildInfo
configuration:
affinityGroup: docker_group
inputSteps:
- name: app_push
outputResources:
- name: app_buildinfo
- name: xrayScanStep
type: XrayScan
configuration:
inputResources:
- name: app_buildinfo Update Output BuildInfo Resource
Updates an output BuildInfo resource that can be used as an input to future steps. Using an output resource means that you can be sure that those versions have been scanned when using that resource as an input.
XrayScan
pipelines:
- name: xrayScanPipeline
steps:
- name: xrayScanStep
type: XrayScan
configuration:
inputResources:
- name: inputBuildInfo
outputResources:
- name: outputBuildInfoHow it Works
When you use the XrayScan native step in a pipeline, it performs the following functions in the background:
jfrog rt config (if there is a BuildInfo output, configure the JFrog CLI with the credentials of the input BuildInfo resource)
jfrog rt use (specify the configured credentials to use)
jfrog rt build-scan (trigger a scan)
replicate_resource (if there is an output BuildInfo, copy the properties of the input BuildInfo resource to the output)
write_output (if there is an output BuildInfo, update the output BuildInfo resource buildName and buildNumber)