There are three players in this process:
- Your CI Server (currently, Jenkins CI, TeamCity, and Bamboo are supported)
The CI server runs a build job and sends a request to Xray, through Artifactory, for the build to be scanned. If the scan detects a vulnerability, the CI server can take appropriate action as configured in the build job.
- JFrog Artifactory
JFrog Artifactory serves as a mediator between the CI server and Xray. It does nothing more than pass information between one and the other.
- JFrog Xray
Upon request, if Xray has defined watches with Actions to fail a build job, it will scan the build, and respond with a message that the build job should fail if a vulnerability is detected in the build artifact or one of its dependencies.
The diagram below illustrates how the process is implemented using Jenkins CI.
- Jenkins runs a build job.
- Assuming the build is successful, Jenkins uploads the build to Artifactory. New build artifacts and dependencies are automatically indexed by Xray.
- Jenkins passes a request to Artifactory to scan the build.
- Artifactory passes a request to scan the build through Xray's scanBuild REST API endpoint.
Xray scans the build according to a defined Watch with a Fail Build Job Action.
Multiple watches or no watches?
You may define multiple Watches with a Fail Build Job Action, each with its own criteria (i.e. Artifact Filters and/or Issue Filters) that should trigger an alert. All of these Watches are applied each time a build is scanned.
If Xray receives a scanBuild request, and there are no Watches defined with a Fail Build Job Action, Xray will always respond with an indication to fail the build job, even if no vulnerabilities are found in the build artifacts or their dependencies.
- If any build artifact or dependency meets the conditions (filters) defined in the Watch, Xray triggers an alert and...
Xray responds to the scanBuild request indicating that the build job should fail.
All Alerts in one response
The response includes the details of all Alerts generated by all Watches that include a Fail Build Job Action.
- Artifactory passes on the response back to Jenkins.
- Jenkins fails the build job.
Xray's build integration allows you to manage your build jobs and configure them with appropriate actions if build artifacts or dependencies with vulnerabilities are found in your builds. While the default action (in Jenkins) is to simply stop the build, you can actually configure your pipeline to do other things like send email notifications or even run a different build job.
Xray supports CI/CD integration from version 1.6
For Xray to scan builds upon request by a CI server, you need to configure a Watch with the right filters that specify which artifacts and vulnerabilities should trigger an alert, and set a Fail Build Job Action for that Watch.
Configuring your CI Server
Xray CI/CD integration is supported for Jenkins CI, TeamCity, and Bamboo.
To configure a build job to request a scan, with the Jenkins Artifactory Plugin (v2.9.0 and above), you need to create a
scanConfig instance and and pass it to the
xrayScan method in the Jenkins Pipeline.
To scan build artifacts for vulnerabilities, with the Bamboo Artifactory Plugin, you need to add the Artifactory Xray Scan task to your plan. The task should follow a previous task which publishes the build-info to Artifactory.
Azure DevOps and TFS
While Artifactory does not play an active part in this integration, and there is no explicit configuration needed, Artifactory does play a passive role in passing information between your CI server and JFrog Xray.
This feature is supported in Artifactory from v4.16 and above.
Watch the Screencast
Watch this screencast to learn how to get the best of two worlds - developer productivity and safety, by scanning the results of every build for security vulnerabilities, license compliance issues and more with JFrog Xray.