This is a step-by-step guide to creating a Policy in Xray. See the Policies documentation to learn more about Policies.
- Navigate to Xray → Watches & Policies.
- Click New Policy.
- Enter a Policy Name (e.g., "Production Security Policy").
- (Optional) Add a Description explaining the policy's purpose.
- Choose the Policy Type:
  - Security Policy – Detects vulnerabilities in artifacts.
  - License Compliance Policy – Enforces open-source license rules.
  - Operational Risk Policy – Flags outdated, deprecated, or unmaintained dependencies.
- Click Add Rule to create a new rule. Each policy consists of rules that define the conditions and the enforcement actions taken when they are met (see the rule types and enforcement actions below).
- Apply on Scope attaches the Policy to a Watch. Policies are enforced through Watches, which monitor repositories, builds, and release bundles.
  - Select an existing Watch.
- Click Save & Apply.
Security Policy Rules
If you selected Security Policy, configure one of the following Rule Types:
- CVEs
  - Define the Rule Category:
    - By Minimal Severity: Critical (highest risk), High, Medium, Low (least severe), or All Severities
    - By CVSS Score Range (0-10)
    - By specific CVE IDs
  - (Optional) Enable Except if a Fix Version is not available to filter out vulnerabilities that have no fix version.
  - (Optional) Enable Skip not applicable CVEs to filter out vulnerabilities that do not impact your environment (JFrog Advanced Security required).
- SAST
  - Detects SAST issues in 1st-party source code.
- Malicious Packages
  - Detects 3rd-party packages that the JFrog Security Research team has identified as malicious.
- Exposures
  - Select one or more exposure categories and set a Minimal Severity.
- Package Version
  - Select the package type.
  - Type the package name.
  - Select the package versions.
Example Security Rules:
- Block downloads of artifacts with Critical CVEs.
- Fail builds if vulnerabilities have a CVSS score of 9 or higher.
- Send email notifications for newly discovered High and Critical vulnerabilities.
License Compliance Policy Rules
If you selected License Compliance Policy, configure the License Rule Type:
- Banned Licenses – Prevents the use of specific licenses (e.g., GPL-3.0).
- Allowed Licenses – Ensures artifacts only use approved licenses.
Example License Compliance Rules:
- Notify on the use of GPL-3.0 and AGPL in production.
- Allow only MIT, Apache 2.0, and BSD licenses.
- Fail builds if a banned license is detected.
Operational Risk Policy Rules
If you selected Operational Risk Policy, configure the Rule Category:
- Minimal Severity
  - High (highest risk)
  - Medium
  - Low (least severe)
- Custom Condition
  - End-of-Life Software – Flags packages that are no longer maintained.
  - Deprecated Components – Detects libraries marked as obsolete.
  - Unmaintained Open-Source Projects – Flags packages with no updates in over 12 months.
  - High-Impact Updates – Identifies major version changes with breaking updates.
Example Operational Risk Rules:
- Alert developers if a dependency has not been updated in 12+ months.
- Fail builds if a package is flagged as end-of-life.
- Block downloads of deprecated components.
Set Enforcement Actions
A Violation is generated by default for every policy violation. In addition, each rule can take one or more of the following actions:
- Trigger a Webhook after the policy is violated.
- Create a Jira ticket for each policy violation.
- Notify the Watch recipients via email.
- Notify the Developer of the resource via email.
- Notify the configured list of email addresses.
- Fail builds if vulnerabilities are detected. You can add a grace period before a build fails, giving teams time to address policy violations without immediate disruption.
- Block downloads of artifacts. You can add a grace period before an artifact is blocked from downloading, giving teams time to address policy violations without immediate disruption.
- Block Release Bundle promotion and distribution actions in the Release Lifecycle. You can add a grace period before promotion of a Release Bundle is blocked, giving teams time to address policy violations without immediate disruption.
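The same policy can be created through the Xray REST API instead of the UI. The following added example (not code from this guide or from JFrog) builds the three Example Security Rules above, each paired with one of the enforcement actions from this section, as a single security policy payload. It assumes the field names of the Xray REST API v2 Create Policy call (POST /xray/api/v2/policies) as recalled by the author of this example; check them against the API reference for your Xray version.

```python
import json
import urllib.request

# Assumption: payload shape follows the Xray REST API v2 "Create Policy" call
# as recalled here; verify field names against your Xray version's API docs.

def security_rule(name, priority, criteria, actions):
    """One policy rule: a severity/CVSS criterion plus its enforcement actions."""
    base_actions = {
        "fail_build": False,
        "block_download": {"active": False, "unscanned": False},
        "block_release_bundle_promotion": False,
        "notify_watch_recipients": False,
        "notify_deployer": False,
        "mails": [],
        "build_failure_grace_period_in_days": 0,
    }
    base_actions.update(actions)  # only the actions a rule opts into are switched on
    return {"name": name, "priority": priority, "criteria": criteria, "actions": base_actions}

def production_security_policy(alert_mails):
    """The three example security rules from the guide, combined into one policy."""
    return {
        "name": "Production Security Policy",
        "type": "security",
        "description": "Block, fail and notify rules for production artifacts (example)",
        "rules": [
            # Block downloads of artifacts with Critical CVEs.
            security_rule("block-critical", 1,
                          {"min_severity": "Critical"},
                          {"block_download": {"active": True, "unscanned": False}}),
            # Fail builds if a CVSS score is 9.0 or higher, with a 3-day grace period.
            security_rule("fail-cvss-9", 2,
                          {"cvss_range": {"from": 9.0, "to": 10.0}},
                          {"fail_build": True, "build_failure_grace_period_in_days": 3}),
            # Email Watch recipients and a fixed list for High and Critical findings
            # that have a fix version available.
            security_rule("notify-high", 3,
                          {"min_severity": "High", "fix_version_dependant": True},
                          {"notify_watch_recipients": True, "mails": list(alert_mails)}),
        ],
    }

def create_policy(base_url, token, policy):
    """POST the policy to Xray (network call; the rest of the block runs offline)."""
    req = urllib.request.Request(
        f"{base_url.rstrip('/')}/xray/api/v2/policies",
        data=json.dumps(policy).encode(),
        headers={"Content-Type": "application/json", "Authorization": f"Bearer {token}"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

After creation, the policy still has to be attached to a Watch (Apply on Scope) before any of its rules are enforced.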
Best Practices for Policy Configuration in Xray
- Use Separate Policies for Different Environments – Apply stricter policies in production than in development.
- Customize Severity Thresholds – Focus on critical risks first to avoid false positives.
- Enable Exposures and Contextual Analysis – Prioritize vulnerabilities that pose real-world threats.
- Regularly Review and Update Policies – Keep policies aligned with new security threats and compliance requirements.