Plugin version 1.0.0
Revised on November 29, 2022
Overview
JFrog Xray identifies security vulnerabilities and license violations as early as the dependency declaration stage and helps block builds with security issues from development. This plugin integrates CloudBees CD/RO with JFrog Xray via the JFrog CLI.
Plugin configurations
Plugin configurations are sets of parameters that can be applied across some, or all, of the plugin procedures. They can reduce the repetition of common values, create predefined parameter sets, and securely store credentials. Each configuration is given a unique name that is entered in the designated parameter for the plugin procedures that use them.
Creating plugin configurations
To create plugin configurations in CloudBees CD/RO, complete the following steps:
- Navigate to .
- Select Add plugin configuration to create a new configuration.
- In the New Configuration window, specify a Name for the configuration.
- Select the Project that the configuration belongs to.
- Optionally, add a Description for the configuration.
- Select the appropriate Plugin for the configuration.
- Configure the parameters per the descriptions below.
Configuration procedure parameters
Parameter | Description |
---|---|
Configuration Name | Required. The name for the created configuration. |
Description | The description for the configuration. |
Endpoint | JFrog Platform endpoint URL. For example, |
Xray URL path | JFrog Xray API URL path. Usually it is |
JFrog CLI executable path | An absolute or relative path to the JFrog CLI executable. |
Auth type | The type of authorization to use. |
Basic Auth | Authenticating with Username and Password. |
Access Token | Authenticating with an Access Token. |
Server ID | Server ID configured using the |
Check configuration resource | A resource that is used for checking the configuration. JFrog CLI must be installed on the resource. |
Check Connection? | If selected, the connection endpoint and credentials entered as part of the configuration are tested, and the configuration is not saved if the test fails. |
Debug level | Sets the debug level for logs. If Info is selected, only a summary is displayed. If Debug is selected, debug information is also displayed. If Trace is selected, all requests and responses are displayed. |
Plugin procedures
Dependencies Scan
Provides the capability to scan your source dependencies for vulnerabilities using the JFrog CLI.
Dependencies Scan parameters
Parameter | Description |
---|---|
Configuration Name | The previously defined configuration for the plugin. |
Working directory | The target directory containing the source files. |
Project type | Choose the target project type. |
Use Gradle wrapper? | Enable if you would like to use the Gradle wrapper. |
JFrog project | The JFrog project key, to enable Xray to determine security violations accordingly. |
Repo path | Artifactory repository path in the form of |
Watches | A comma-separated list of Xray watches, to enable Xray to determine violations accordingly. |
Additional options | Specify additional options to be provided to the |
Success criteria | The desired status of the scan. The procedure fails if the criteria are not met. If ANY is selected, the procedure completes successfully, regardless of whether issues were found or not. |
On-Demand Binary Scan
The on-demand binary scanning enables you to point to a binary in your local file system and receive a report that contains a list of vulnerabilities, licenses, and policy violations for that binary, prior to uploading the binary or build to Artifactory.
On-Demand Binary Scan parameters
Parameter | Description |
---|---|
Configuration name | Required. The unique name for the configuration. |
Path | Specifies the local file system path to the artifacts to be scanned. You can specify multiple files by using wildcards. Examples: |
Recursive | Uncheck if you do not wish to collect artifacts in sub-folders to be scanned by Xray. |
JFrog project | The JFrog project key, to enable Xray to determine security violations accordingly. This parameter is used if the Repo path and Watches parameters are not provided. If none of the three parameters are provided, the scan shows all known vulnerabilities. |
Repo path | The JFrog Artifactory repository path in the form of |
Watches | A comma-separated list of Xray watches, to enable Xray to determine violations accordingly. The procedure accepts this parameter only if the JFrog project and Repo path parameters are not provided. If none of the three parameters are provided, the command shows all known vulnerabilities. |
Success criteria | The desired status of the scan. The procedure fails if the criteria are not met. If ANY is selected, the procedure completes successfully, regardless of whether issues were found or not. |
Table output | Enables the table output format. |
Extended table output | Adds extended fields such as CVSS and Xray Issue Id to the table output. |
On-Demand Docker Image Scan
Scans Docker images located on the local file system using the Docker client. The images do not need to be pushed to Artifactory or any other container registry before they can be scanned.
On-Demand Docker Image Scan parameters
Parameter | Description |
---|---|
Configuration name | Required. The unique name for the configuration. |
Docker Image | Specifies the local Docker image, with tag, to be scanned. For example, |
JFrog project | The JFrog project key, to enable Xray to determine security violations accordingly. This parameter is used if the Repo path and Watches parameters are not provided. If none of the three parameters are provided, the scan shows all known vulnerabilities. |
Repo path | The JFrog Artifactory repository path in the form of |
Watches | A comma-separated list of Xray watches, to enable Xray to determine violations accordingly. The procedure accepts this parameter only if the JFrog project and Repo path parameters are not provided. If none of the three parameters are provided, the command shows all known vulnerabilities. |
Success criteria | The desired status of the scan. The procedure fails if the criteria are not met. If ANY is selected, the procedure completes successfully, regardless of whether issues were found or not. |
Timeout | Time (in seconds) to wait for the scan to complete. |
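The Dependencies Scan, On-Demand Binary Scan and On-Demand Docker Image Scan procedures above all pass the same JFrog project / Repo path / Watches selection and the Success criteria setting down to the JFrog CLI. The following shell script is an added example, not the plugin's own code: it composes the `jf scan` command line for an On-Demand Binary Scan from those parameters and translates the CLI's exit status into a task outcome. It assumes the JFrog CLI flag names `--project`, `--repo-path`, `--watches`, `--fail`, `--recursive` and `--extended-table`, that `jf` exits with status 3 when violations are found under `--fail=true`, and, since the page does not state the precedence when more than one context parameter is filled in, prefers Repo path, then JFrog project, then Watches.

```shell
# Added example (not the plugin's own code). Assumed: jf scan flags
# --project, --repo-path, --watches, --fail, --recursive, --extended-table,
# and exit status 3 from jf when --fail=true and violations were found.
set -eu

# Emit the single violation-context flag shared by the three scan procedures.
# Assumed precedence when more than one is filled in: Repo path, then JFrog
# project, then Watches. With none given nothing is emitted, so Xray reports
# all known vulnerabilities rather than policy violations.
xray_context_args() {
  project="$1"; repo_path="$2"; watches="$3"
  if [ -n "$repo_path" ]; then
    printf '%s' "--repo-path=$repo_path"
  elif [ -n "$project" ]; then
    printf '%s' "--project=$project"
  elif [ -n "$watches" ]; then
    printf '%s' "--watches=$watches"
  fi
}

# Map the Success criteria parameter to --fail: ANY never fails the task.
xray_fail_arg() {
  case "$1" in
    ANY) printf '%s' "--fail=false" ;;
    *)   printf '%s' "--fail=true" ;;
  esac
}

# Compose the On-Demand Binary Scan command line (printed, not executed).
# $1 Path, $2 Recursive (true/false), $3 JFrog project, $4 Repo path,
# $5 Watches, $6 Success criteria, $7 Extended table output (true/false)
binary_scan_cmd() {
  cmd="jf scan $(xray_fail_arg "$6") --recursive=$2"
  ctx="$(xray_context_args "$3" "$4" "$5")"
  if [ -n "$ctx" ]; then cmd="$cmd $ctx"; fi
  if [ "$7" = true ]; then cmd="$cmd --extended-table"; fi
  printf '%s %s' "$cmd" "$1"
}

# Translate the exit status of jf scan into the outcome the task reports.
scan_outcome() {
  case "$1" in
    0) echo success ;;     # no violations, or --fail=false was passed
    3) echo violations ;;  # policy violations found with --fail=true
    *) echo error ;;       # CLI, network or authentication failure
  esac
}
```

Pipe the printed command through `sh` on the resource where the JFrog CLI is installed, then feed `$?` to `scan_outcome` to decide whether the task passes.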
Use cases
Performing on-demand binary scans
Within pipelines, you can use the Xray plugin to perform on-demand binary scans on project binary artifacts.
You must have a plugin configuration to add for the pipeline on-demand binary scan task.
To perform an on-demand binary scan:
- After checking out a binary in a project pipeline step, select Add.
- Give the New Task a name and select Select Task Type.
- From the Plugins list, select Xray and On-Demand Binary Scan.
- Select Define and then Input parameters.
- Fill in the required parameters:
  - In the Configuration Name field, add the Xray plugin configuration.
  - In the Path field, add the path to the binary you want scanned.
- Fill in the other fields as needed for your project. For more information, you can select the ? icon to display additional dialogs. The Success criteria field can be set for both positive and negative reporting.
- Select OK to save the task configuration.
- Select Assign a Resource or Resource Pool, add the resource you configured for the plugin configuration, and select OK.
- Select OK to save the task.
You can now run the pipeline, and this Scan task returns the findings of the vulnerabilities scan.
Using JFrog Xray watches in pipelines
Within pipelines, you can use JFrog Platform Xray Watches configured with basic or custom policies as scanning criteria for your artifacts.
To perform the following steps, you must have a Watch configured in JFrog. For more information on how to configure watches, refer to JFrog's Configuring watches and policies documentation.
To implement your JFrog Watches within the plugin:
- After checking out a binary in a project pipeline step, select Add.
- Give the New Task a name and select Select Task Type.
- From the Plugins list, select Xray and the type of scan you want to perform.
- Select Define and then Input parameters.
- Fill in the required parameters:
  - In the Configuration Name field, add the Xray plugin configuration.
  - In the Path field, add the path to the binary you want scanned.
- To use your JFrog Xray Watch as the scanning criteria, enter the name of a watch you have configured in JFrog in the Watches field.
- Fill in the other fields as needed for your project. For more information, you can select the ? icon to display additional dialogs. The Success criteria field can be set for both positive and negative reporting.
- Select OK to save the task configuration.
- Select Assign a Resource or Resource Pool, add the resource you configured for the plugin configuration, and select OK.
- Select OK to save the task.
You can now run the pipeline, and this Scan task uses your JFrog Watch as the scanning criteria.