Policy Violation Automatic Actions

JFrog Security Documentation

An action determines the automatic response to a detected Policy violation. You can define one or more actions within each Policy Rule. Actions include the following:

  • Generate Violation (Minor, Major, Critical): The severity of the violation that is generated if the criteria are met.

  • Notify Email: This action lets you specify email addresses to which Xray should send an email message about a violation when one is triggered. For this to work, a mail server must be configured in Xray.

  • Notify Watch's Recipients: This action lets you send an email to all the watch recipients about a violation when triggered.

  • Notify Deployer: This action lets you send an email to the user who deployed the component about a violation when triggered.

  • Create Jira Ticket: This action enables Jira ticket creation in the Policy rules.

  • Trigger Webhook: This action lets you specify webhooks you have configured in Xray that should be invoked when a violation is triggered (see the payload below).

  • Block Download: This action lets you specify that artifacts should be blocked for download and allows you to select one of these options:

    • Block Download: When set, Artifactory will block download of artifacts that meet the Artifact Filter and Severity Filter specifications for this watch.

    • Block Unscanned: When set, Artifactory will block download of artifacts that meet the Artifact Filter specifications for this watch but have not been scanned yet, or whose Xray data has been removed due to a retention policy. For more information on Xray Data Retention, see Indexing Xray Resources.

  • Block Release Bundle distribution: This action lets you specify that Release Bundles should be blocked for download if they meet the policy rule criteria.

  • Fail Build: This action lets you specify that if a CI server requests a build to be scanned, and the Watch triggers a violation, Xray will respond with an indication that the build job should fail.

    This action is only available if the Watch is defined with Builds as target type.

    • Grace Period: There are many cases where you do not want to fail the first build; for example, some violations are not showstoppers, and you would like to look into them later without stopping build creation. You can set a grace period of a number of days that you define according to your needs. During the grace period you define, the build will not fail and all violations are ignored. An automatic Ignore Rule is created for the grace period with the following criteria:

      • On the specific vulnerability/license

      • On the specific component

      • On any version of the specific build

      • On the specific Policy

      • On the specific Watch

      Once the grace period ends, the Ignore Rule is deleted, and if the build contains violations, those violations are created and the build fails.
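The following is an added illustration of the grace-period behaviour described above, not code from Xray or JFrog: it models the automatic Ignore Rule (scoped to one issue, one component, any version of one build, one Policy and one Watch) and the Fail Build decision once it expires. The class names, the sample violations and the assumption that the period starts on the day the violation is first seen are all constructed for this example.

```python
from dataclasses import dataclass
from datetime import date, timedelta

@dataclass(frozen=True)
class Violation:
    issue_id: str        # vulnerability (CVE) or license id
    component: str       # offending component, e.g. "npm://example-lib:1.2.3"
    build_name: str
    build_number: str
    policy: str
    watch: str

@dataclass(frozen=True)
class GraceIgnoreRule:
    """Model of the automatic Ignore Rule: one issue, one component,
    any build number of one build, one Policy, one Watch, until expiry."""
    issue_id: str
    component: str
    build_name: str
    policy: str
    watch: str
    expires_on: date

    @classmethod
    def for_violation(cls, v, created_on, grace_days):
        # Assumption: the grace period starts the day the violation is first seen.
        return cls(v.issue_id, v.component, v.build_name, v.policy, v.watch,
                   created_on + timedelta(days=grace_days))

    def matches(self, v, today):
        if today >= self.expires_on:   # rule is deleted once the period ends
            return False
        # build_number is deliberately not compared: any version of the build is covered
        return (v.issue_id, v.component, v.build_name, v.policy, v.watch) == (
            self.issue_id, self.component, self.build_name, self.policy, self.watch)

def fail_build(violations, ignore_rules, today):
    """Fail Build decision: any violation not covered by an ignore rule fails the build."""
    return any(not any(r.matches(v, today) for r in ignore_rules) for v in violations)

# Constructed sample data: an issue first seen on 1 March with a 5-day grace period.
SEEN = date(2024, 3, 1)
V1 = Violation("CVE-EXAMPLE-1", "npm://example-lib:1.2.3", "web-app", "41",
               "sec-policy", "prod-watch")
RULES = [GraceIgnoreRule.for_violation(V1, SEEN, grace_days=5)]
V1_NEXT = Violation("CVE-EXAMPLE-1", "npm://example-lib:1.2.3", "web-app", "42",
                    "sec-policy", "prod-watch")     # later build number, same issue
OTHER = Violation("CVE-EXAMPLE-2", "npm://example-lib:1.2.3", "web-app", "42",
                  "sec-policy", "prod-watch")       # different issue: not covered
```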