Create Policies

This is a Step-by-Step Guide to Creating a Policy in Xray. To learn more about Policies, click here.

Navigate to Xray → Watches & Policies.
Click New Policy.
Enter a Policy Name (e.g., "Production Security Policy").
(Optional) Add a Description explaining the policy’s purpose.
Choose the Policy Type:
- Security Policy – Detects vulnerabilities in artifacts.
- License Compliance Policy – Enforces open-source license rules.
- Operational Risk Policy – Flags outdated, deprecated, or unmaintained dependencies.
Click Add Rule to create a new rule. Each policy consists of rules that define the conditions and enforcement actions.
Apply on Scope attaches the Policy to a Watch. Policies are enforced through Watches, which monitor repositories, builds, and release bundles.
Select an existing Watch.
Click Save & Apply.

If you selected Security Policy, configure one of the Rule Types

CVEs
1. Define the Rule Category:
  - By Minimal Severity:
    - Critical (Highest risk)
    - High
    - Medium
    - Low (Least severe)
    - All Severities
  - By the CVSS Score Range (0-10)
  - By specific CVE IDs
2. Enable Except if a Fix Version is not available to filter vulnerabilities without a fix version.
3. Enable Skip not applicable CVEs to filter vulnerabilities that do not impact your environment. (JFrog Advanced Security required)
SAST
1. Detects SAST issues in 1st party source code
Malicious Packages
1. Detects 3rd party packages that the JFrog Security Research team has identified as malicious.
Exposures
1. Select one or more exposure categories and set a Minimal Severity
Package Version
1. Select the package type
2. Type the package name
3. Select the package versions

Block downloads of artifacts with Critical CVEs.
Fail builds if vulnerabilities have a CVSS score of 9 or higher.
Send email notifications for newly discovered High and Critical vulnerabilities.

If you selected License Compliance Policy, configure the License Rule Type:

If you selected Operational Risk Policy, configure the Rule Category:

Minimal Severity
1. High (Highest risk)
2. Medium
3. Low (Least severe)
Custom Condition
- End-of-Life Software – Flags packages that are no longer maintained.
- Deprecated Components – Detects libraries marked as obsolete.
- Unmaintained Open-Source Projects – Flags packages with no updates in over 12 months.
- High-Impact Updates – Identifies major version changes with breaking updates.

Violation will be generated by default for each policy violation

Trigger Webhook after the policy is violated
Create a Jira ticket for each policy violation
Notify the Watch recipient via email
Notify the Developer of the resource via email
Notify email for the configured email address list
Fail builds if vulnerabilities are detected. You can add a grace period before a build fails, giving teams time to address policy violations without immediate disruption.`
Block downloads of artifacts. You can add a grace period before an artifact is blocked from downloading, giving teams time to address policy violations without immediate disruption.
Block Release Bundle Promotion and distribution actions in the Release Lifecycle. You can add a grace period before blocking promotion of Release Bundle, giving teams time to address policy violations without immediate disruption.`

Use Separate Policies for Different Environments – Apply stricter policies in production than in development.
Customize Severity Thresholds – Focus on critical risks first to avoid false positives.
Enable Exposures and Contextual Analysis – Prioritize vulnerabilities that pose real-world threats.
Regularly Review and Update Policies – Keep policies aligned with new security threats and compliance requirements.