
JFrog Advanced Security Overview

JFrog Xray is a universal software composition analysis (SCA) solution that natively integrates with Artifactory, giving developers and DevSecOps teams an easy way to proactively identify vulnerabilities in open source components and license compliance violations before they manifest in production releases.

Advanced Scans are configured per repository, and the repository must be indexed by Xray first. Advanced Scans are applied to newly scanned artifacts only, not to artifacts that were already indexed. You can also run contextual analysis and exposures scans on an existing artifact.

Scanning of artifacts

  1. Xray initially populates data about vulnerabilities and licenses from the Xray global database server managed by JFrog. After the initial database synchronization, Xray is continuously synchronized with the central database for new updates on a daily basis.

  2. Xray performs deep indexing of artifacts, builds and Release Bundles, recursively going through dependencies at any level, and creates a graph of the relationships between software components.

  3. Xray scans the packages, builds, artifacts and Release Bundles selected under Indexing Resources in the Administration module and matches their components against known vulnerabilities.

  4. Xray provides an enhanced Policy and Watch mechanism for defining and enforcing governance standards on your binaries.

  5. When a new vulnerability or license is added to the Xray Database, Xray immediately identifies all of the impacted artifacts and runs the relevant policies, continuously protecting your artifacts, builds and Release Bundles.

Xray policies and watches

  1. Xray Policies: Policies define security and license compliance behavior specifications. Policies enable you to create a set of rules, in which each rule defines license/security criteria with a corresponding set of automatic actions according to your needs. Policies are enforced by applying them to Watches. A policy is contextless, which means that it only defines what to enforce and not what to enforce it on.

  2. Xray Watches: Xray Watches are the focal point for viewing and managing your security and license violations in the JFrog Platform. Watches provide you with the flexibility you need to meet your specific security and violation requirements. You select the resources you would like to scan for security vulnerabilities and compliance and determine the actions to be taken once a security vulnerability is detected.
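The split between a contextless Policy (what to enforce) and a Watch (where to enforce it) is easiest to see with a small model. The following is an added illustration, not JFrog's code: a policy with one rule, a watch that binds that policy to one repository, and a toy evaluator run over constructed scan results. The policy and watch dictionaries follow the general shape of the Xray REST API v2 payloads as the editor understands them; treat the field names as assumptions, and the CVE identifiers and repository names are made up.

```python
"""Toy model of Xray policy/watch evaluation (added example, not JFrog code).

A policy says WHAT to enforce (criteria + actions) and nothing about where.
A watch says WHERE: it lists resources and the policies assigned to them.
Only artifacts in a watched resource are ever evaluated against a policy.
Field names loosely follow the Xray REST API v2 payloads; they are assumptions.
"""
from dataclasses import dataclass

# Severity ordering used to implement a "min_severity" criterion.
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Contextless policy: fail the build and block download for High and above.
SECURITY_POLICY = {
    "name": "block-high-and-above",
    "type": "security",
    "rules": [
        {
            "name": "high-or-critical",
            "priority": 1,
            "criteria": {"min_severity": "High"},
            "actions": {"fail_build": True,
                        "block_download": {"active": True, "unscanned": False}},
        }
    ],
}

# Watch: supplies the context by binding the policy to one repository.
WATCH = {
    "general_data": {"name": "prod-repos", "active": True},
    "project_resources": {
        "resources": [{"type": "repository", "name": "docker-prod-local"}]
    },
    "assigned_policies": [{"name": "block-high-and-above", "type": "security"}],
}


@dataclass
class ScannedArtifact:
    repo: str
    path: str
    vulnerabilities: list  # list of (cve_id, severity) tuples


# Constructed sample scan results; the CVE ids are placeholders, not real findings.
SCAN_RESULTS = [
    ScannedArtifact("docker-prod-local", "app/1.0/manifest.json",
                    [("CVE-0000-0001", "Critical"), ("CVE-0000-0002", "Low")]),
    ScannedArtifact("docker-prod-local", "app/1.1/manifest.json",
                    [("CVE-0000-0003", "Medium")]),
    # Same severity of finding, but this repo is not covered by the watch.
    ScannedArtifact("docker-dev-local", "app/2.0/manifest.json",
                    [("CVE-0000-0004", "High")]),
]


def watched_repos(watch):
    """Repositories the watch applies to."""
    return {r["name"] for r in watch["project_resources"]["resources"]
            if r["type"] == "repository"}


def evaluate(watch, policies, artifacts):
    """Return one violation record per (artifact, rule) whose criteria are met.

    An inactive watch produces no violations, and artifacts outside the
    watched repositories are skipped entirely: the policy alone has no scope.
    """
    if not watch["general_data"]["active"]:
        return []
    by_name = {p["name"]: p for p in policies}
    repos = watched_repos(watch)
    violations = []
    for art in artifacts:
        if art.repo not in repos:
            continue
        for assigned in watch["assigned_policies"]:
            policy = by_name[assigned["name"]]
            for rule in sorted(policy["rules"], key=lambda r: r["priority"]):
                threshold = SEVERITY_RANK[rule["criteria"]["min_severity"]]
                hits = [v for v in art.vulnerabilities
                        if SEVERITY_RANK[v[1]] >= threshold]
                if hits:
                    violations.append({
                        "artifact": f"{art.repo}/{art.path}",
                        "policy": policy["name"],
                        "rule": rule["name"],
                        "vulnerabilities": hits,
                        "actions": rule["actions"],
                    })
    return violations


def blocked_downloads(violations):
    """Artifacts whose matched rule carries an active block_download action."""
    return {v["artifact"] for v in violations
            if v["actions"].get("block_download", {}).get("active")}


if __name__ == "__main__":
    for v in evaluate(WATCH, [SECURITY_POLICY], SCAN_RESULTS):
        print(v["artifact"], v["rule"], [c for c, _ in v["vulnerabilities"]])
    print("download blocked:", blocked_downloads(evaluate(WATCH, [SECURITY_POLICY], SCAN_RESULTS)))
```

Running it reports a single violation for `docker-prod-local/app/1.0/manifest.json`: the Low finding on the same artifact is below the rule's threshold, the Medium-only artifact never meets the criteria, and the High finding in `docker-dev-local` is never evaluated because that repository is not a resource of the watch. That last case is the practical consequence of policies being contextless: a policy that is not assigned to a watch covering a repository enforces nothing there.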

Brought to you by DevTools and Enablement Team.