JFrog Xray works with JFrog Artifactory to perform universal analysis of binary software components at any stage of the application lifecycle providing radical transparency that leads to trust in your software. By scanning binary components and their metadata, recursively going through dependencies at any level, JFrog Xray provides unprecedented visibility into issues lurking in components anywhere in your organization. Xray’s interface with Artifactory gives it the exclusive advantage of combining any number of data feeds with the exhaustive metadata stored within Artifactory to detect different issues without needing access to source code. JFrog Xray is also fully automated through a rich REST API that lets it integrate with a CI/CD pipeline and allows other binary analysis tools to build on its unique capabilities.
Open for integration While Xray comes with its own database of software components and vulnerabilities out-of-the-box, it is also open to integration with other databases and tools. Xray comes built-in with integration to tools such as Whitesource, Aqua and Blackduck hub. In addition, using Xray's open API, customers can integrate Xray with their own systems and data feeds.
Open for different issue types Xray is not limited to security vulnerabilities; it can receive any type of information about software component that can help you make decisions. For example, you can provide Xray with information about components that have performance issues or severe defects and the impact that these components have on your software.
Deep scanning Xray performs a deep scan of artifacts, recursively going through dependencies at any level and creating a graph of relationships between software components. For example, when analyzing a Docker image, if Xray finds that it contains a Java application it will also analyze all the .jar files used in this application.
Impact analysis Xray analyzes how an issue in one component affects all others in your company and displays the chain of impact in a component graph.
Native integration with Artifactory Xray is the only tool that is natively integrated with JFrog Artifactory.
JFrog Xray is the only product that takes a dual approach to protecting you against issues using a unique combination of:
Deep Recursive Scanning
JFrog Xray recursively scans components in your system, recursively drilling down to analyze even the smallest binary component that affects your software.
Continuous Impact Analysis
JFrog Xray continuously scans and analyzes existing components, even those long since deployed to production, and provides alerts and notifications for just-discovered vulnerabilities.
Custom API-Driven Automation
Through an open REST API, JFrog Xray lets you define a custom regimen of automated analysis for all components in your system.
How JFrog Xray Analyzes your Artifacts
Xray performs two types of analysis:
Xray monitors builds or repositories in Artifactory for policy violations. Each time a monitored build is updated, or an artifact is deployed to a monitored repository, Xray will scan it and its dependencies and trigger a violation if any policy is violated by them.
Xray listens to all providers currently streaming feeds regarding issues. If any provider notifies Xray of a new issue with an artifact, Xray looks up the artifact in its database. If the artifact is already in the database, Xray will perform an impact analysis to determine all the artifacts in Artifactory that are ultimately affected by the issue by virtue of their including the problematic artifact. The results are displayed in an impact analysis graph.
The Xray-Artifactory Edge
As a complementary product to JFrog Artifactory, JFrog Xray has access to the wealth of metadata Artifactory stores which, combined with deep recursive scanning, puts Xray in a unique position to analyze the relationships between binary artifacts and provide radical transparency into your component architecture to reveal the impact that a vulnerability in one component has on any other.
The Xray User Guide is available for download in PDF format. Click this link to download the latest version:
Note that the online version may be more up-to-date.