Overview

Introducing a security and compliance scanning tool into your organization can be challenging. These best practices, learned from customers, give you a proven way to deploy JFrog Xray into your organization: get one repository scanned quickly, then onboard teams one at a time.

Xray Quick Scan Guide

This guide will take you through configuring your JFrog Platform instance to start displaying security and license information about the artifacts in your JFrog Artifactory as fast as possible.

Before you start

Install and connect JFrog Xray to your Platform instance.

This guide is also available in PDF version.

1. Select a repository to scan for vulnerabilities and licenses

Start by selecting one repository.

Navigate to the Administration module. Open the Xray Security & Compliance menu and click the Indexed Resources menu item.

Add one repository you’d like to index to your indexed resources by clicking Add a Repository.

2. Index your repository

Click “Index Now” to index the artifacts that already exist in this repository.

Adding a repository to Indexed Resources only covers artifacts deployed from that point on; if you skip Index Now, the existing artifacts stay unscanned and Xray will show no security or license data for them.

3. View a scanned artifact

Use the advanced search bar, at the top of your screen, to find the recently scanned artifacts.

Navigate to the Application module.

Select Security & Compliance from the search dropdown menu.

Click on the advanced search icon.

Set “By Scan Date” to today’s date and click the Artifacts tab. This lists the artifacts as they are being indexed. Click the “Show in Tree” Xray icon to open the Xray data for a specific artifact.

4. View vulnerability and license issues

Go to the Xray tab to see the vulnerabilities and license issues associated with this artifact.

The identified open source components are listed in the Descendants tab, vulnerabilities in the Security tab and the attached licenses in the Licenses tab.

What's next

Add more repositories to index. Add one group of repositories at a time and wait for the group to finish indexing before moving to the next, so that indexing load stays predictable and you can confirm each group is scanned.
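The steps above are UI steps. For a scripted rollout (for example, adding the next group of repositories once the previous one is indexed) the same selection can be made through the Xray REST API. The following is an added example, not JFrog's own code or the page's: it reads the current indexing configuration from GET /xray/api/v1/binMgr/{id}/repos, moves one repository into the indexed set and writes the full configuration back with PUT. The Platform URL, the access token and the repository name are placeholders (assumptions); "default" is the id Xray gives the Artifactory instance it is connected to. "Index Now" for already existing artifacts is still done in the UI, as in step 2.

```python
"""Select a repository for Xray indexing through the REST API.

Added example for this guide, not JFrog's own code. BASE_URL, TOKEN and the
repository name in __main__ are assumed placeholders; replace them with your
own values.
"""
import json
import urllib.request

BASE_URL = "https://jfrog.example.com"    # assumed Platform URL
TOKEN = "REPLACE_WITH_ACCESS_TOKEN"        # assumed access token with admin scope
BIN_MGR_ID = "default"                     # Xray id of the connected Artifactory

INDEXING_PATH = f"/xray/api/v1/binMgr/{BIN_MGR_ID}/repos"


def merge_indexing_config(current, repo_name):
    """Return a new indexing configuration with `repo_name` moved to the indexed set.

    `current` is the body returned by GET on INDEXING_PATH:
    {"indexed_repos": [...], "non_indexed_repos": [...]} where each entry looks
    like {"name": ..., "type": "local"|"remote"|"virtual", "pkg_type": ...}.
    The complete configuration is sent back on PUT, so repositories that are
    already indexed are kept as they are and only the selected one moves.
    The input dict is not modified.
    """
    indexed = list(current.get("indexed_repos", []))
    non_indexed = list(current.get("non_indexed_repos", []))
    if any(r["name"] == repo_name for r in indexed):
        # Already indexed: nothing to change, return an equivalent configuration.
        return {"indexed_repos": indexed, "non_indexed_repos": non_indexed}
    selected = None
    remaining = []
    for r in non_indexed:
        if r["name"] == repo_name and selected is None:
            selected = r
        else:
            remaining.append(r)
    if selected is None:
        raise ValueError(f"repository {repo_name!r} is not known to Xray")
    indexed.append(selected)
    return {"indexed_repos": indexed, "non_indexed_repos": remaining}


def call(path, payload=None, method="GET"):
    """Send a JSON request to the Platform with a bearer token and return the parsed body."""
    data = json.dumps(payload).encode() if payload is not None else None
    req = urllib.request.Request(
        BASE_URL + path,
        data=data,
        method=method,
        headers={"Authorization": "Bearer " + TOKEN,
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        body = resp.read()
    return json.loads(body) if body else {}


if __name__ == "__main__":
    # Step 1 of the guide done through the API: start with a single repository.
    repo = "team-1-dev-docker-local"  # assumed repository name
    current = call(INDEXING_PATH)
    updated = merge_indexing_config(current, repo)
    call(INDEXING_PATH, updated, method="PUT")
    # Step 2 (Index Now for existing artifacts) is still done in the UI: adding the
    # repository here only covers artifacts deployed from now on.
    print(f"{repo} added to indexed resources; run Index Now in the UI for existing artifacts")
```

The merge step is what makes this safe to run repeatedly: re-running it for a repository that is already indexed leaves the configuration unchanged, and a typo in the repository name fails loudly instead of silently sending an unchanged list.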


Onboarding Xray Best Practices

This section covers two keys to success: 1. involving R&D, and 2. starting small and working in cycles.

1. Involve R&D

This means shifting left, making security and compliance part of the developer workflow. Here’s how you can achieve this within the JFrog Platform.

Repository Structure

Creating Artifactory repositories per team and per phase of the SDLC (or folders inside repositories) lets each team handle its own security and compliance violations, alongside the shared central remote repositories such as DockerHub and GoCenter.

Watch Structure

Creating one watch per team and per SDLC phase lets violations be managed at that granularity, giving each team isolated responsibility for its own security governance.

A watch groups together a set of resources, such as repositories, folders and builds. Policies define the security and license compliance behavior specific to your organization. Once defined, policies are enforced by assigning them to watches.

The following example shows a watch that includes all of the resources for Team-1-Dev.

2. Start Small & Work in Cycles

Starting the onboarding process with one team will enable you to learn what works and apply the new processes to additional teams in your organization.

Your First Policy

Define a policy whose rule creates violations only for “High” severity issues and carries no actions: no failing builds, no blocking downloads and no notifications.

This lets you triage each violation and decide whether to fix it or to whitelist it with an ignore rule. Once all high-severity issues are cleaned up, add a notify action so that newly detected high-severity violations are reported.

This process should be repeated for the medium-severity and low-severity issues.

This is an example policy rule without any actions.

This is an example violations report for Team-1-Dev, showing all the identified high severity violations.

This is an example of a vulnerable Debian package being used, which can be replaced and fixed.

This is an example of creating an ignore rule that will whitelist a violation.

This is an example of a policy rule with automatic actions of blocking downloads, blocking release bundles and failing builds.
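The watch for Team-1-Dev and the three stages of the policy above (violations only, then notify, then block and fail builds) can also be created through the Xray REST API, which is useful once the same cycle is repeated for each new team. The following is an added example, not JFrog's own code or the page's. It builds the request bodies for POST /xray/api/v2/policies and POST /xray/api/v2/watches; the field names follow the Xray REST API v2 policy and watch bodies, so check them against the API documentation for your version. The Platform URL, the access token, the team name and the repository names are placeholders (assumptions).

```python
"""Policy and watch bodies for the 'start small, work in cycles' process.

Added example, not JFrog's own code. BASE_URL, TOKEN, the team name and the
repository names are assumed placeholders.
"""
import json
import urllib.request

BASE_URL = "https://jfrog.example.com"  # assumed Platform URL
TOKEN = "REPLACE_WITH_ACCESS_TOKEN"     # assumed access token
BIN_MGR_ID = "default"                  # Xray id of the connected Artifactory

SEVERITIES = ("Low", "Medium", "High")  # the severities the onboarding cycles walk through


def security_policy(name, min_severity="High", notify=False, block=False):
    """Body for POST /xray/api/v2/policies with a single rule.

    Cycle 1: notify=False, block=False  -> violations only, no actions.
    Cycle 2: notify=True                -> watch recipients are told about new violations.
    Cycle 3: block=True                 -> downloads and release bundle distribution are
                                           blocked and builds fail.
    """
    if min_severity not in SEVERITIES:
        raise ValueError(f"min_severity must be one of {SEVERITIES}")
    return {
        "name": name,
        "type": "security",
        "description": f"{min_severity}-and-above violations",
        "rules": [{
            "name": f"{min_severity.lower()}-and-above",
            "priority": 1,
            "criteria": {"min_severity": min_severity},
            "actions": {
                "fail_build": block,
                "block_download": {"active": block, "unscanned": False},
                "block_release_bundle_distribution": block,
                "notify_watch_recipients": notify,
                "notify_deployer": False,
            },
        }],
    }


def has_actions(policy):
    """True if any rule in the policy carries an action; a cycle-1 policy returns False."""
    for rule in policy["rules"]:
        a = rule["actions"]
        if (a["fail_build"] or a["block_download"]["active"]
                or a["block_release_bundle_distribution"]
                or a["notify_watch_recipients"] or a["notify_deployer"]):
            return True
    return False


def team_watch(team, repos, policy_name, path_regex=None):
    """Body for POST /xray/api/v2/watches covering one team's repositories.

    `repos` are repository names. `path_regex` (optional) restricts each
    repository to a folder inside it, which is how a team's folder in a shared
    repository is watched on its own.
    """
    if not repos:
        raise ValueError("a watch needs at least one resource")
    resources = []
    for repo in repos:
        resource = {"type": "repository", "bin_mgr_id": BIN_MGR_ID, "name": repo}
        if path_regex:
            resource["filters"] = [{"type": "path-regex", "value": path_regex}]
        resources.append(resource)
    return {
        "general_data": {"name": team, "description": f"All resources for {team}", "active": True},
        "project_resources": {"resources": resources},
        "assigned_policies": [{"name": policy_name, "type": "security"}],
    }


def post(path, payload):
    """POST a JSON body to the Platform with a bearer token and return the raw response."""
    req = urllib.request.Request(
        BASE_URL + path, data=json.dumps(payload).encode(), method="POST",
        headers={"Authorization": "Bearer " + TOKEN, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:
        return resp.read().decode()


if __name__ == "__main__":
    # Cycle 1 for Team-1-Dev: High only, no actions, assigned to the team's watch.
    policy = security_policy("team-1-dev-high", "High")
    assert not has_actions(policy)
    post("/xray/api/v2/policies", policy)
    post("/xray/api/v2/watches",
         team_watch("Team-1-Dev", ["team-1-dev-docker-local", "team-1-dev-npm-local"],
                    "team-1-dev-high"))
    # Later cycles: send security_policy(..., notify=True) and then block=True for the
    # same name with PUT /xray/api/v2/policies/team-1-dev-high.
```

The `has_actions` check is the guard for the first cycle: run it before creating the policy for a new team so that nobody starts a team's onboarding with blocking actions already switched on.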

What's Next

Continue to the next team and start the process over. Once two or three initial teams are onboarded, roll the process out to the rest of R&D, with the help of those initial teams.


Copyright © 2020 JFrog Ltd.