Set Up JFrog Advanced Security

JFrog Security Documentation

Enable Advanced Scans in your environment to start scanning your artifacts.

Enable Advanced Scans

Advanced Scans are configured per repository. The repository must be indexed by Xray; for more information, see Indexing Resources. Advanced Scans are applied to newly scanned artifacts only, not to artifacts that were already indexed. You can also run Contextual Analysis and Exposures scans on an existing artifact; to learn more, see Exposures Scans and Contextual Analysis.

To enable the scanning categories, do the following:

  1. Go to the Administration module, go to Xray | Settings | General, and click Indexed Resources.

  2. Select the repository or build and select Configure.

  3. Select the categories you want to enable:


Create a Security Policy with Advanced Scans Rules

Policies enable you to create a set of rules, in which each rule defines security criteria, with a corresponding set of automatic actions according to your needs. Policies are enforced when applying them to Watches. To learn more on how to create a Policy, see Creating Xray Policies and Rules.

We recommend creating Policies to get a focused list of violations based on your security criteria.

You can create a security policy with Exposures- and Contextual Analysis-specific rules. A violation is issued when the criteria you set are met. You can view issued violations from either the Scans List or the Watch Violations pages.

Create an Exposures Policy

  1. In the Administration module, under Xray, select Watches & Policies, and from the Policies tab click New Policy.

  2. Select the policy rule type Security.

  3. Click New Rule, and from the Type drop-down, select Exposures.

  4. Select the Minimal JFrog Severity, the severity assigned by the JFrog Security Research team after its manual analysis of the CVE. A violation is issued only if the selected severity is met.

  5. Select one or more exposure categories. This specifies that a violation is issued only for the selected categories.

  6. Define the automatic actions that determine the automatic response to a detected Policy violation. For more information, see Creating Xray Policies and Rules.


Create a Contextual Analysis Policy

  1. In the Administration module, under Xray, select Watches & Policies, and from the Policies tab click New Policy.

  2. Select the policy rule type Security.

  3. Select the Skip not applicable CVEs checkbox. With this option selected, the Policy does not issue violations for CVEs that the Contextual Analysis scanners found not applicable.

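The Exposures and Contextual Analysis policies described above, expressed as a single Xray Create Policy request body, as an added example that is not part of the JFrog documentation: the builder validates the severity and category choices before anything is sent, so a mistyped rule fails locally rather than producing a policy that silently matches nothing. The endpoint path, the field names (`exposures`, `applicable_cves_only`, the category keys) and the Bearer token header are assumptions drawn from my reading of the Xray REST API and must be checked against the API reference for your Xray version.

```python
import json
import urllib.request

# Allowed values are ASSUMPTIONS modelled on the Xray Create Policy API;
# confirm them against the API reference of your own Xray version.
SEVERITIES = ("Low", "Medium", "High", "Critical")
EXPOSURE_CATEGORIES = ("secrets", "applications", "services", "iac")
NO_ACTION = {"block_download": {"active": False, "unscanned": False}}


def exposures_rule(name, min_severity, categories, actions=None):
    """Security rule of type Exposures: a violation is issued only when the
    minimal JFrog severity is met and the finding is in a selected category."""
    if min_severity not in SEVERITIES:
        raise ValueError(f"unknown severity {min_severity!r}")
    unknown = sorted(set(categories) - set(EXPOSURE_CATEGORIES))
    if unknown or not categories:
        raise ValueError(f"bad exposure categories: {unknown or 'none selected'}")
    exposures = {"min_severity": min_severity}
    # Every category is sent explicitly so unselected ones are unambiguously off.
    exposures.update({c: c in categories for c in EXPOSURE_CATEGORIES})
    return {"name": name, "criteria": {"exposures": exposures},
            "actions": actions or NO_ACTION}

def contextual_analysis_rule(name, min_severity, actions=None):
    """Security rule that skips CVEs Contextual Analysis found not applicable
    (the 'Skip not applicable CVEs' checkbox; the field name is an assumption)."""
    if min_severity not in SEVERITIES:
        raise ValueError(f"unknown severity {min_severity!r}")
    criteria = {"min_severity": min_severity, "applicable_cves_only": True}
    return {"name": name, "criteria": criteria, "actions": actions or NO_ACTION}

def build_policy(name, rules, description=""):
    """Assemble a Security policy; rule priority follows list order (1 = first)."""
    names = [r["name"] for r in rules]
    if len(set(names)) != len(names):
        raise ValueError("rule names within a policy must be unique")
    for priority, rule in enumerate(rules, start=1):
        rule["priority"] = priority
    return {"name": name, "type": "security", "description": description, "rules": rules}

def create_policy(base_url, token, policy, timeout=30):
    """POST the policy to Xray (assumed endpoint /xray/api/v2/policies)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/xray/api/v2/policies",
        data=json.dumps(policy).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
        method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status
```

Pass the token from an access-token environment variable rather than a literal, and keep the policy body under version control so rule changes are reviewable.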

REST API Support

The following REST APIs support JAS in Policies: