Search


Cloud customer?
Upgrade in MyJFrog >


Working with an older version?

JFrog Artifactory 6.x
JFrog Xray 2.x
JFrog Mission Control 3.x
JFrog Distribution 1.x
JFrog Enterprise+ (Pre-Platform Release)




Overview

Xray scanning requires Pro X, Enterprise with Xray, or an Enterprise+ license.

JFrog Xray scans your artifacts, builds and Release Bundles for OSS components being used, and detects security vulnerabilities and licenses in your software components. The results of this scan are then displayed across the JFrog Platform.

Policies and Watches allow you to enforce your organization governance standards:

  1. Set up your Policies and Rules to reflect standard governance behaviour specifications for your organization. Xray supports security and compliance policies types. 
  2. Create Watches to define the scope of the resources on which to run the relevant policies. Watches monitor resources, such as repositories, builds and Release Bundles, and enforces the policies assigned to them on these resources.
  3. Examine Violations created by Xray once a detected vulnerability or license breach meets the criteria of a policy rule. 
  4. Actions that you have set within the policy will run if a violation is detected such as blocking a download, failing a build, or preventing the distribution of a Release Bundle.

Before you begin

Before you begin, ensure JFrog Xray is installed and you have configured indexing in the Administration module. For more information, see Configuring Xray.

Page Contents


How Does Xray Scan Your Artifacts?

  1. Xray is populated with vulnerability data: Xray initially populates data about vulnerabilities and licenses from the Xray global database server managed by JFrog. After the initial database synchronisation, Xray is then continuously synchronized with the central database for new updates on a daily basis.
  2. Indexes resources: Performs deep indexing of artifacts, builds and Release Bundles, recursively going through dependencies at any level and creates a graph of relationships between software components. For example, when analyzing a Docker image, if Xray finds that it contains a Java application, it will also analyse all the .jar files used in this application.
  3. Scans resources: Scans packages, builds, artifacts and Release Bundles that have been set to be scanned in the Indexing Resources in the Administration module to match vulnerabilities and licenses for each OSS component in the scanned resource.
  4. Processes assigned Policies based on the predefined Watches: Xray provides an enhanced Policy and Watch mechanism for defining and enforcing governance standards on your binaries, bringing additional security and compliance to your software dependencies. 
  5. Performs ongoing Impact Analysis: When a new vulnerability or license is added to the Xray Database, Xray immediately identifies all of the impacted artifacts, and runs the relevant policies to continuously protect your artifacts, builds and Release bundles.


Xray Functionality in the Application Module

The following table describes Xray capabilities that are supported in the Application module:

Search for Xray Data

Search for resources containing specific vulnerability and license compliance information according to Resource Name, CVE number, license, severity level and narrow it down to a specific date range. For more information, see Searching for Scanned Resources.

Manage Violations on a Watch

View the detected violations for a specific Watch as well as setting ignore rules if needed. For more information, see Examining Violations on a Watch.

Analyze Your Resource Scanned Results

View Xray data on each of the scanned resources allowing you to drill down to expose greater detail and help you analyze the state of your components. For more information, see Analyzing Your Resource Scan Results.

Integrate Xray into Your CI-CD Pipeline
JFrog Xray can be integrated into your organization's CI/CD pipeline to make sure that build jobs containing violations are stopped early in the process. As part of a fully automated process, Xray receives information about a build that has just been run by your CI server, and runs a deep recursive scan on the build down to the deepest level dependency. If any violations are found, Xray returns an indication to the calling CI server and fails the build. For more information, see CI-CD Integration with Xray.
Integrate Xray into Your IDE

JFrog Xray is instrumental in flagging components with vulnerabilities during the development, by displaying vulnerabilities as early as possible in the developer's IDE. For more information, see IDE Integration.


Watch the Screencast

  • No labels
Copyright © 2020 JFrog Ltd.