This use case demonstrates how to configure Xray to enforce security policies that block malicious packages before they are used in development, CI/CD, or production.
Step 1: Define a Security Policy in Xray
Goal: Create a security policy to block malicious or vulnerable artifacts.
- Navigate to Application > Xray > Watches & Policies.
- Click New Policy, enter a name, and select Security as the type.
- Configure the rule:
- Enter a rule name.
- Select Malicious Packages as the rule type.
- Enable an action for each stage at which a malicious package must be stopped (any combination can be selected):
- Block download: Artifactory refuses to serve the matching artifact.
- Fail Build: a build that consumes the matching artifact fails its Xray scan.
- Block release bundle promotion: a Release Bundle containing the artifact cannot be promoted.
- Block release bundle distribution: a Release Bundle containing the artifact cannot be distributed.
- Save the policy.
Step 2: Attach the Policy to a Watch
Goal: Apply the policy on a scope. A policy enforces nothing on its own; the Watch decides which resources it covers.
- In Application > Xray > Watches & Policies, create a new Watch (or open an existing one).
- Add the resources the Watch should cover: the repositories, builds, and Release Bundles that the actions configured in Step 1 are meant to protect.
- Attach the policy created in Step 1 to the Watch and save it.
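The same policy and Watch can be defined as code and pushed through the Xray REST API, which makes the configuration reviewable and lets you check before attaching it that no stage was left unenforced. This is an added example, not code from the JFrog page or product; the payload field names follow the Xray REST API v2 (POST /xray/api/v2/policies and POST /xray/api/v2/watches) as I know them, and the environment variables XRAY_URL and XRAY_TOKEN, the repository names and the watch resource types are assumptions to confirm against your Xray version.

```python
"""Malicious-package policy and Watch as code (added example, not JFrog's own code).

Payload field names follow the Xray REST API v2 as I know it; confirm them
against your Xray version, since action names have been added over releases.
"""
import json
import os
import urllib.request

# The four stages the policy can enforce, mapped to the action keys in a rule.
STAGE_ACTIONS = {
    "download": "block_download",
    "build": "fail_build",
    "promotion": "block_release_bundle_promotion",
    "distribution": "block_release_bundle_distribution",
}


def build_policy(name: str, rule_name: str = "block-malicious-packages") -> dict:
    """Security policy with one Malicious Packages rule enforcing all four stages."""
    return {
        "name": name,
        "description": "Block malicious packages before download, build, promotion and distribution",
        "type": "security",
        "rules": [
            {
                "name": rule_name,
                "priority": 1,
                "criteria": {"malicious_package": True},
                "actions": {
                    # unscanned=False: artifacts Xray has not scanned yet are not blocked
                    "block_download": {"active": True, "unscanned": False},
                    "fail_build": True,
                    "block_release_bundle_promotion": True,
                    "block_release_bundle_distribution": True,
                    "notify_watch_recipients": True,
                },
            }
        ],
    }


def build_watch(name: str, policy_name: str, repos: list[str]) -> dict:
    """Watch scoping the policy to the named repositories plus all builds and Release Bundles.
    Resource type names ("repository", "all-builds", "all-releaseBundles") are assumed."""
    resources = [{"type": "repository", "bin_mgr_id": "default", "name": r} for r in repos]
    resources += [
        {"type": "all-builds", "bin_mgr_id": "default"},
        {"type": "all-releaseBundles", "bin_mgr_id": "default"},
    ]
    return {
        "general_data": {"name": name, "description": "Enforce " + policy_name, "active": True},
        "project_resources": {"resources": resources},
        "assigned_policies": [{"name": policy_name, "type": "security"}],
    }


def missing_enforcement(policy: dict) -> list[str]:
    """Stages (download/build/promotion/distribution) that no malicious-package rule enforces.
    Run this before attaching the policy so a rule saved with a stage unchecked is caught."""
    gaps = []
    for stage, key in STAGE_ACTIONS.items():
        enforced = False
        for rule in policy.get("rules", []):
            if not rule.get("criteria", {}).get("malicious_package"):
                continue
            action = rule.get("actions", {}).get(key, False)
            if isinstance(action, dict):  # block_download carries {"active": ..., "unscanned": ...}
                action = action.get("active", False)
            enforced = enforced or bool(action)
        if not enforced:
            gaps.append(stage)
    return gaps


def post_json(base_url: str, path: str, payload: dict, token: str) -> int:
    """Network call: POST a payload to Xray with a bearer token and return the HTTP status."""
    req = urllib.request.Request(
        base_url.rstrip("/") + path,
        data=json.dumps(payload).encode(),
        headers={"Content-Type": "application/json", "Authorization": "Bearer " + token},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status


if __name__ == "__main__":
    policy = build_policy("block-malicious-packages")
    watch = build_watch("malicious-packages-watch", policy["name"], ["npm-remote", "pypi-remote"])
    gaps = missing_enforcement(policy)
    if gaps:
        raise SystemExit("policy does not enforce: " + ", ".join(gaps))
    if os.environ.get("XRAY_URL") and os.environ.get("XRAY_TOKEN"):
        print(post_json(os.environ["XRAY_URL"], "/xray/api/v2/policies", policy, os.environ["XRAY_TOKEN"]))
        print(post_json(os.environ["XRAY_URL"], "/xray/api/v2/watches", watch, os.environ["XRAY_TOKEN"]))
    else:
        print(json.dumps(policy, indent=2))
        print(json.dumps(watch, indent=2))
```

Without XRAY_URL and XRAY_TOKEN the script only prints the payloads, which is enough to review them in a pull request; missing_enforcement is the check worth keeping even if you create the objects in the UI, since a policy exported with one action unchecked is easy to overlook.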
Step 3: Verify that the Security Policy Blocks a Malicious Package
Scenario 1: Manual Download (Blocked)
A developer tries to download a malicious package from a repository that is in the Watch's scope.
Expected Result:
The download is rejected by the Block download action. If the download succeeds, first confirm that the repository is within the Watch's scope.
Scenario 2: CI/CD Pipeline Fails Due to a Malicious Package
A Jenkins pipeline resolves a dependency that Xray has identified as a malicious package.
Expected Result:
The build fails because of the malicious package violation (Fail Build action).
Scenario 3: Release Bundle Promotion/Distribution Blocked Due to Malicious Packages
A user tries to promote or distribute a Release Bundle that contains a malicious package.
Expected Result:
The promotion or distribution is blocked because of the malicious package violation.
Step 4: Monitor & Respond to Security Violations
Goal: Track blocked packages and take appropriate action.
- Navigate to Application > Xray > Scans List and select a specific resource.
- Review the violations:
- Vulnerability Details (e.g., CVE-2023-XXXXX).
- Suggested Fixes (e.g., upgrade log4j:2.14.1 → log4j:2.17.1).
- Take action:
- For a vulnerable package, upgrade to the fixed version. A malicious package has no secure version to upgrade to: remove it and replace it with a legitimate dependency.
- Create an Ignore Rule for the violation only if it has been confirmed as a false positive; the rule suppresses the block, so keep it scoped to the specific component and record the justification.
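The Scans List shows one resource at a time; when the same malicious component has landed in several repositories and builds, it is quicker to pull the violations the Watch raised and collapse them into one row per component. This is an added example, not code from the JFrog page or product: the request and response shapes follow the Xray REST API v1 violations endpoint (POST /xray/api/v1/violations) as I know it, SAMPLE_RESPONSE is constructed data in that shape for offline use, and the environment variables XRAY_URL, XRAY_TOKEN and XRAY_WATCH are assumptions.

```python
"""Pull the violations a Watch raised and collapse them into a triage list.

Added example, not JFrog's own code. Field names follow the Xray REST API v1
violations endpoint as I know it; SAMPLE_RESPONSE is constructed, not real data.
"""
import json
import os
import urllib.request

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

# Constructed sample in the shape of a violations response: the same malicious npm
# package appears twice (in a remote repository and in a build) and a vulnerable
# log4j appears once.
SAMPLE_RESPONSE = {
    "total_violations": 3,
    "violations": [
        {"issue_id": "XRAY-00001", "type": "Security", "severity": "Critical",
         "description": "Malicious package: credential-stealing postinstall script",
         "watch_name": "malicious-packages-watch",
         "infected_components": ["npm://evil-helper:1.2.3"],
         "impacted_artifacts": ["default/npm-remote/evil-helper/-/evil-helper-1.2.3.tgz"]},
        {"issue_id": "XRAY-00001", "type": "Security", "severity": "Critical",
         "description": "Malicious package: credential-stealing postinstall script",
         "watch_name": "malicious-packages-watch",
         "infected_components": ["npm://evil-helper:1.2.3"],
         "impacted_artifacts": ["default/builds/web-frontend/42"]},
        {"issue_id": "XRAY-00002", "type": "Security", "severity": "High",
         "description": "Vulnerable log4j-core version",
         "watch_name": "malicious-packages-watch",
         "infected_components": ["maven://org.apache.logging.log4j:log4j-core:2.14.1"],
         "impacted_artifacts": ["default/maven-remote/org/apache/logging/log4j/log4j-core/2.14.1/log4j-core-2.14.1.jar"]},
    ],
}


def fetch_violations(base_url: str, token: str, watch_name: str, limit: int = 100) -> dict:
    """Network call: fetch the security violations raised by one Watch (first page)."""
    body = {
        "filters": {"watch_name": watch_name, "violation_type": "Security"},
        "pagination": {"order_by": "created", "direction": "desc", "limit": limit, "offset": 1},
    }
    req = urllib.request.Request(
        base_url.rstrip("/") + "/xray/api/v1/violations",
        data=json.dumps(body).encode(),
        headers={"Content-Type": "application/json", "Authorization": "Bearer " + token},
        method="POST",
    )
    with urllib.request.urlopen(req) as resp:
        return json.load(resp)


def triage(response: dict) -> list[dict]:
    """One row per infected component, highest severity first, listing every impacted
    artifact and build so a single fix (remove/replace the component) can be tracked
    across all the places it landed."""
    rows: dict[str, dict] = {}
    for v in response.get("violations", []):
        severity = v.get("severity", "Unknown")
        rank = SEVERITY_RANK.get(severity, 0)
        for comp in v.get("infected_components", []):
            row = rows.setdefault(comp, {"component": comp, "rank": -1, "severity": "Unknown",
                                         "issue_ids": set(), "impacted_artifacts": set()})
            if rank > row["rank"]:
                row["rank"], row["severity"] = rank, severity
            row["issue_ids"].add(v.get("issue_id", ""))
            row["impacted_artifacts"].update(v.get("impacted_artifacts", []))
    return [
        {"component": r["component"], "severity": r["severity"],
         "issue_ids": sorted(r["issue_ids"]), "impacted_artifacts": sorted(r["impacted_artifacts"])}
        for r in sorted(rows.values(), key=lambda r: (-r["rank"], r["component"]))
    ]


if __name__ == "__main__":
    if os.environ.get("XRAY_URL") and os.environ.get("XRAY_TOKEN"):
        data = fetch_violations(os.environ["XRAY_URL"], os.environ["XRAY_TOKEN"],
                                os.environ.get("XRAY_WATCH", "malicious-packages-watch"))
    else:
        data = SAMPLE_RESPONSE
    for row in triage(data):
        print(f"[{row['severity']}] {row['component']} issues={row['issue_ids']}")
        for art in row["impacted_artifacts"]:
            print("    ", art)
```

Each row is the unit of response work: the malicious component is removed or replaced once, and the impacted_artifacts list is the checklist of repositories and builds to re-scan afterwards.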