JFrog Xray 1.x User Guide
To create a new policy, click New Policy and complete the fields.
A logical name for this Policy.
The policy rule types to create:
Security: Lets you create a set of rules around security vulnerabilities. Choose how you want Xray to respond to each vulnerability severity.
License: Lets you create a set of rules around allowed/banned sets of licenses.
A general description of the Policy.
The rules search filter.
The rule priority. Drag and drop the rules to place them in priority order; rules are checked from top to bottom.
The Rule(s) attached to this Policy.
The Rule criteria. If the criteria are met, the automatic actions of this rule are executed and the policy is considered processed (no further rules are checked).
The actions to take if the criteria are met.
Editing a Policy
To edit an existing Policy, hover over it in the Policy table and click the Edit icon on the right.
Edits made to a policy are automatically applied to all watches the policy is assigned to. This takes effect only for newly scanned artifacts; to cover artifacts that were already scanned, apply the watch to existing artifacts manually.
A Security Rule allows you to create a set of rules around security vulnerabilities. There are two possible criteria:
To create a new Security Rule, select "Security" from the Type drop down and click New Rule.
A logical name for this Rule.
The set of security conditions to examine when an artifact is scanned.
Specifies the actions to take once a security policy violation has been triggered.
A License Rule allows you to create a set of rules around license compliance. There are three possible criteria:
To create a new License Rule, select "License" from the Type drop down and click New Rule.
A logical name for this Rule.
The set of license conditions to examine when an artifact is scanned.
Specifies the actions to take once a license policy violation has been triggered.
An action determines the automatic response to a detected Policy violation. You can define one or more actions within each Policy Rule. Actions include the following:
Block Download: This action lets you specify that artifacts should be blocked for download from Artifactory. It has two options:
When set, Artifactory will block download of artifacts that meet the Artifact Filter and Severity Filter specifications for this watch.
When set, Artifactory will block download of artifacts that meet the Artifact Filter specifications for this watch but have not been scanned yet.
Fail Build: This action lets you specify that if a CI server requests a build to be scanned, and the Watch triggers a violation, Xray will respond with an indication that the build job should fail.
This action is only available if the Watch is defined with an All Builds target type.
No Fail Build Job Actions defined?
If a request to scan a build is received by Xray, but there are no Watches with a Fail Build action defined, Xray will always respond with an indication that the build job should indeed fail, whether build artifacts or dependencies are found to have vulnerabilities or not.
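The rule-priority and action semantics described above (first matching rule wins, no further rules are checked, Block Download with an optional block-unscanned setting, Fail Build honoured only for an All Builds target) are easy to get wrong when reasoning about which rule will actually fire for a given artifact. The following is an added example, not JFrog's code and not Xray's API: a small Python model of that evaluation. The Artifact, Rule and Policy classes, the action labels, the severity ordering and the sample artifacts are all assumptions made for illustration.

```python
# Added example, not JFrog's code: a model of the policy evaluation described
# on this page. Class names, the severity ordering and the action labels are
# assumptions made for illustration.
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

# Assumed ordering of severities, lowest to highest.
SEVERITY_ORDER = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Artifact:
    name: str
    scanned: bool
    max_severity: Optional[str] = None           # highest vulnerability severity found, if scanned
    licenses: Set[str] = field(default_factory=set)


@dataclass
class Rule:
    name: str
    rule_type: str                               # "security" or "license"
    actions: Set[str]                            # e.g. {"block_download", "fail_build"}
    min_severity: Optional[str] = None           # security criterion: severity at or above this
    banned_licenses: Set[str] = field(default_factory=set)   # license criterion: banned set
    allowed_licenses: Optional[Set[str]] = None  # license criterion: if set, anything else violates

    def matches(self, art: Artifact) -> bool:
        """Return True when this rule's criteria are met by the artifact."""
        if self.rule_type == "security":
            return (art.max_severity is not None and self.min_severity is not None
                    and SEVERITY_ORDER[art.max_severity] >= SEVERITY_ORDER[self.min_severity])
        if self.rule_type == "license":
            if art.licenses & self.banned_licenses:
                return True
            return self.allowed_licenses is not None and bool(art.licenses - self.allowed_licenses)
        raise ValueError(f"unknown rule type {self.rule_type!r}")


@dataclass
class Policy:
    name: str
    rules: List[Rule]   # in priority order: the first matching rule wins


def evaluate(policy: Policy, art: Artifact, target_type: str = "Repository",
             block_unscanned: bool = False) -> Tuple[Optional[str], Set[str]]:
    """Return (name of the rule that fired, actions to apply).

    Rules are checked in priority order and the first rule whose criteria are
    met ends processing. Fail Build is only honoured when the watch target
    type is All Builds. An artifact that has not been scanned yet matches no
    rule; it is blocked only if the block-unscanned option is set.
    """
    if not art.scanned:
        return None, ({"block_download"} if block_unscanned else set())
    for rule in policy.rules:
        if rule.matches(art):
            actions = set(rule.actions)
            if target_type != "All Builds":
                actions.discard("fail_build")
            return rule.name, actions
    return None, set()


# Constructed sample rules, policies and artifacts (not real scan data).
CRITICAL_RULE = Rule("critical-vulns", "security", {"block_download", "fail_build"}, min_severity="critical")
HIGH_RULE = Rule("high-vulns", "security", {"block_download"}, min_severity="high")
GPL_RULE = Rule("banned-licenses", "license", {"block_download"}, banned_licenses={"GPL-3.0"})

POLICY = Policy("prod-gate", [CRITICAL_RULE, HIGH_RULE, GPL_RULE])
REPRIORITISED = Policy("prod-gate", [GPL_RULE, CRITICAL_RULE, HIGH_RULE])   # license rule dragged to the top

UNSCANNED = Artifact("new-upload.jar", scanned=False)
CRIT_GPL = Artifact("libfoo-1.0.tgz", scanned=True, max_severity="critical", licenses={"GPL-3.0"})
MED_GPL = Artifact("libbar-2.1.tgz", scanned=True, max_severity="medium", licenses={"GPL-3.0"})
CLEAN = Artifact("libbaz-0.3.tgz", scanned=True, max_severity="low", licenses={"MIT"})

if __name__ == "__main__":
    for art in (UNSCANNED, CRIT_GPL, MED_GPL, CLEAN):
        print(art.name, evaluate(POLICY, art, target_type="All Builds", block_unscanned=True))
    # Priority matters: with the license rule first, CRIT_GPL never reaches the
    # critical-vulns rule, so its Fail Build action is never triggered.
    print(CRIT_GPL.name, evaluate(REPRIORITISED, CRIT_GPL, target_type="All Builds"))
```

The last call is the case worth remembering when you drag rules around in the priority list: an artifact with a critical vulnerability and a banned license gets only the license rule's actions once that rule is on top, because the policy stops at the first match.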
The payload provided to any triggered webhook is a JSON object describing a list of Alerts with the following format:
The following shows an example payload for a webhook