This use case outlines how to configure JFrog Xray to block artifact promotion based on vulnerability severity, ensuring that only secure components are promoted.
Step 1: Define a Security Policy to Block Promotion
Goal: Create a security policy that prevents artifact promotion when High or Critical vulnerabilities are found.
- Navigate to Application > Xray > Watches & Policies.
- Click New Policy, enter a name, and select Security as the type.
- Configure the rule:
  - Enter a rule name.
  - Select CVEs as the rule type.
  - Select Minimal Severity as the rule category and choose High Severity. This applies only to High and Critical vulnerabilities.
  - Set the action to Block release bundle promotion.
- Apply on Scope: attach the policy to a Watch that contains the Release Bundle.
- Save the policy.
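The same policy can be created through the Xray REST API instead of the UI. The following is an added example, not code from JFrog's documentation; it assumes a placeholder Xray base URL and access token, and the JSON field names follow the Xray v2 policy schema (check them against the policy API reference of your installed Xray version before relying on them).

```python
import json
import urllib.request

XRAY_URL = "https://artifactory.example.com/xray"  # assumed placeholder host
TOKEN = "<ACCESS_TOKEN>"  # placeholder; read a real token from a secret store


def build_block_promotion_policy(name: str, rule_name: str) -> dict:
    """Security policy with one CVE rule: minimal severity High (so it covers
    High and Critical), action = block release bundle promotion."""
    return {
        "name": name,
        "type": "security",
        "description": "Block release bundle promotion on High/Critical CVEs",
        "rules": [{
            "name": rule_name,
            "priority": 1,
            "criteria": {"min_severity": "High"},
            "actions": {
                "block_release_bundle_promotion": True,
                "block_release_bundle_distribution": False,
                "fail_build": False,
                "notify_watch_recipients": True,
            },
        }],
    }


def policy_blocks_promotion(policy: dict) -> bool:
    """Pre-save check: every rule must carry the block-promotion action and a
    severity floor no weaker than High (Xray order: Low < Medium < High < Critical)."""
    order = ["Low", "Medium", "High", "Critical"]
    rules = policy.get("rules", [])
    for rule in rules:
        sev = rule.get("criteria", {}).get("min_severity")
        if sev not in order or order.index(sev) < order.index("High"):
            return False
        if not rule.get("actions", {}).get("block_release_bundle_promotion"):
            return False
    return bool(rules)


def create_policy(policy: dict) -> int:
    """POST the policy to /api/v2/policies; returns the HTTP status (201 = created)."""
    if not policy_blocks_promotion(policy):
        raise ValueError("policy would not block promotion on High/Critical CVEs")
    req = urllib.request.Request(
        f"{XRAY_URL}/api/v2/policies",
        data=json.dumps(policy).encode(),
        headers={"Authorization": f"Bearer {TOKEN}",
                 "Content-Type": "application/json"},
        method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.status
```

After creating the policy, it still has to be attached to a Watch whose scope includes the Release Bundle, exactly as in the UI steps above.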
Step 3: Attempt to Promote a Release Bundle (Blocked Scenario)
Goal: Verify that Xray blocks the promotion of a Release Bundle with high and critical vulnerability severity.
Scenario: Manual Promotion (Blocked)
A DevOps engineer attempts to promote an artifact from staging-repo to prod-repo.
Expected Result:
The promotion is blocked due to the security violation.
Step 4: Review & Resolve Security Violations
Goal: Investigate and fix issues before retrying promotion.
- Navigate to Xray > Scans List and select a specific Release Bundle.
- Go to the Violations tab, filter by violation action, and tick the Block Promotion checkbox.
- Review the blocking violations:
  - Vulnerability Details (e.g., CVE-2023-XXXXX).
  - Suggested Fixes (e.g., upgrade log4j:2.14.1 → log4j:2.17.1).
- Take action:
  - Upgrade the affected package to a secure version.
  - Create an Ignore Rule on the violation if it is deemed a false positive.