There are three players in this process:
The following workflow shows how Xray scans your builds.
Xray scans the build according to a defined Watch with a Fail Build Job action.
You may define multiple Watches with a Fail Build Job Action, each with its own criteria (i.e. Artifact Filters and/or Issue Filters) that should trigger an alert. All of these Watches are applied each time a build is scanned. If Xray receives a scanBuild request, and there are no Watches defined with a Fail Build Job Action, Xray will always respond with an indication to fail the build job, even if no vulnerabilities are found in the build artifacts or their dependencies. |
Xray responds to the scanBuild request indicating that the build job should fail.
The response includes the details of all Alerts generated by all Watches that include a Fail Build Job Action. |
Xray CI/CD integration is supported for Jenkins, Azure DevOps, Bamboo and JFrog CLI.
To configure a build job to request a scan, with the Jenkins Artifactory Plug-in (v2.9.0 and above), you need to create a scanConfig
instance and and pass it to the xrayScan
method in the Jenkins Pipeline.
To scan build artifacts for vulnerabilities in Azure DevOps, you need to add the Artifactory Xray Scan task after the Artifactory Publish BuildInfo task.
To scan build artifacts for vulnerabilities, with the Bamboo Artifactory Plug-in, you need to add the Artifactory Xray Scan task to your plan. The task should follow a previous task which publishes the build-info to Artifactory.
To scan build artifacts and dependencies for vulnerabilities with the TeamCity Artifactory Plug-in, you need to enable the Xray scan on build and Fail build options, configured per build.
To scan build artifacts for vulnerabilities using JFrog CLI, you need to use the jfrog rt scan-build command.
While Artifactory does not play an active part in this integration, and there is no explicit configuration needed, Artifactory does play a passive role in passing information between your CI server and JFrog Xray.
This feature is supported in Artifactory from v4.16 and above.
Xray's build integration allows you to manage your build jobs and configure them with appropriate actions if build artifacts or dependencies with vulnerabilities are found in your builds. While the default action (in Jenkins) is to simply stop the build, you can actually configure your pipeline to do other things like send email notifications or even run a different build job.
Watch this screencast to learn how to get the best of two worlds - developer productivity and safety, by scanning the results of every build for security vulnerabilities, license compliance issues and more with JFrog Xray.
<iframe width="560" height="315" src="https://www.youtube.com/embed/4JMOgImrQ_I" frameborder="0" allowfullscreen></iframe> |