Xray evaluates the rules in a policy in order, so what matters is which matching rule comes first.
The best approach is to order the rules by severity.
The extra actions that we configure, such as "Create Jira Ticket", "Block download", "Fail build", etc., should also be set within the first rule of the policy, according to severity.
For instance, if the first rule only generates violations for all severity levels from Low to Critical and the second rule blocks downloads for any violation with a High or higher severity, Xray won't block the download.
This use case is shown below:


Ideally, the policy would be set up as follows:

We would then see that Xray blocks the download:

The same guidelines apply to creating Jira tickets.
If we want to create a Jira ticket, the first rule in a policy should be the one that has the "Create Jira Ticket" option enabled:

As a result, the policy's order will be as follows:

In this case, the "Create Jira Ticket" option is selected for "Rule1".
Please remember that the severity for this first rule should be chosen not by severity ordering but by your organization's requirements for creating tickets in Jira.
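
The ordering behaviour described above can be checked before a policy is saved. The following is an added example, not JFrog code: a simplified Python model of first-match evaluation that assumes rules are matched on minimum severity only. The rule dictionaries, field names and sample policies are constructed for illustration.

```python
# Simplified model of first-match rule evaluation in an Xray policy.
# Field names and the two sample policies are constructed for illustration;
# rules are assumed to match on minimum severity only.
SEVERITY = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def matching_rule(policy, severity):
    """Return the first rule whose minimum severity covers the violation."""
    for rule in policy:
        if SEVERITY[severity] >= SEVERITY[rule["min_severity"]]:
            return rule  # later rules are never consulted
    return None

def is_blocked(policy, severity):
    """True if the rule that matches carries the block-download action."""
    rule = matching_rule(policy, severity)
    return bool(rule and "block_download" in rule["actions"])

def shadowed_rules(policy):
    """Names of rules that can never match because an earlier rule
    already covers every severity they apply to."""
    shadowed, lowest_seen = [], None
    for rule in policy:
        level = SEVERITY[rule["min_severity"]]
        if lowest_seen is not None and level >= lowest_seen:
            shadowed.append(rule["name"])
        lowest_seen = level if lowest_seen is None else min(lowest_seen, level)
    return shadowed

# The misordered policy from the text: the catch-all rule comes first.
MISORDERED = [
    {"name": "Rule1", "min_severity": "Low", "actions": set()},
    {"name": "Rule2", "min_severity": "High", "actions": {"block_download"}},
]
# Reordered: the stricter rule with the blocking action comes first.
REORDERED = [
    {"name": "Rule1", "min_severity": "High", "actions": {"block_download"}},
    {"name": "Rule2", "min_severity": "Low", "actions": set()},
]

if __name__ == "__main__":
    for label, policy in (("misordered", MISORDERED), ("reordered", REORDERED)):
        print(label, "blocks High:", is_blocked(policy, "High"),
              "shadowed:", shadowed_rules(policy))
```

Any rule reported by `shadowed_rules` has actions that will never fire, which is the condition to look for when a "Block download" or "Create Jira Ticket" action appears to be ignored.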