Xray Build Integration (07:34)
IDE Plugin for Xray (03:27)
REST API for Xray (05:33)
JFrog Xray: Scanning (2020+)
Course Duration: 30 minutes
In this course, we will review the Xray DevSecOps tool integration points with the CI/CD process, and some general integration configuration requirements using JFrog CLI, the Xray REST API and the Xray IDE plugins. With this DevSecOps course, you should be able to work with Xray as a foundation for your DevSecOps methodology to improve the overall performance and cybersecurity of your setup, streamline your pipelines and expedite the uncovering of security vulnerabilities and policy compliance issues.
Xray enables DevOps platform owners to share early feedback on security vulnerabilities and OSS license compliance as early as on the developer desktop (IDE) by integrating directly with the IDE. The IDE plugin, which currently supports IntelliJ, Visual Code and Azure DevOps, will help you more easily customize your development environment for custom applications that fit your specific requirements. Also included in this course is an overview of the many Xray REST API endpoints that can be used in your custom applications, pipelines, and tools. These integration endpoints enable integrating Xray scanning at any stage of the software delivery process, reducing the chance of identifying risks late in the process, where the cost dramatically increases.
In this course we will cover
- Xray Build Integration with third-party resources and other data sources
- IDE Plugin for Xray enabling “shift-left”
- REST API for Xray explanation and guidance for developers
Who should take this DevSecOps course
Application Security Engineers, DevSecOps and DevOps engineers, and Artifactory administrators who have experience integrating Artifactory into their pipeline but need additional guidance on the JFrog Xray scanning functionality. Any developer who wants DevSecOps training along with guidance on the way JFrog Xray improves the cybersecurity of applications will benefit from this course.
In order to complete the course, you must answer at least 70% of the quiz questions correctly.
Now that you've seen an overview of the process, let's talk about three CI/CD integration options. Xray supports CI/CD integration as of version 1.6. In version 2.2 and later, you can create a mix of security and license policies with rules that apply to select repositories or builds defined in the scope of a watch. These rules define criteria that trigger actions that could be as minor as setting an alert in the system, or failing a build when a critical issue is found.

Xray build integration is supported with Jenkins using the Artifactory plugin version 2.9.0 and above. With this plugin, Jenkins triggers scans by creating a scan config instance and passing it to the Xray scan method. Integration is also available for TeamCity. To scan artifacts for vulnerabilities with TeamCity, you can use the Artifactory plugin and enable Xray on the options for build and fail build. Every time you run a build, the TeamCity integration enables build scans and will also fail the build according to your specifications. Other CI servers can be integrated using the JFrog CLI and additional CI server plugins; Xray support is added to these plugins as new releases are updated. For details specific to your setup, refer to the online user guide and other resources you can access from the JFrog website.

Let's look at how you can use JFrog CLI for Xray integrations. JFrog CLI is a command line interface for operating Artifactory and other JFrog products. It can be used to invoke REST APIs and execute functions against those APIs. A list of commands is provided for each of the JFrog products. Xray only has one command, and that's for running offline updates, but in the list of commands for Artifactory, the build scan (or bs) command prompts Xray to scan a build. While individual artifacts are scanned continuously, this command is for scanning all the components of a published build. You can add this command to your automation scripts wherever you initiate a build publish. The one CLI command for initiating an Xray scan on builds might not seem like much, but running the build scan as part of larger automated operations can expose any vulnerabilities early in the process. Combined with the functionality of Xray's REST APIs, such as those involving watch details and policies, your automation scripts can act on certain data or triggers, alerting you or halting operations when a serious threat is found. Acting on vulnerabilities and license issues found at vital phases of build publication can prevent lost time later.

Let's have a look at a configuration with Jenkins. In this case I've got a three-phase build: step number one, step number two and step number three. Let's have a look at the pipeline Groovy script down here. In this job we download a dependency from Artifactory directly that was created in a prior build phase; it's a WAR file. The WAR file is then applied to the Docker container that was created in a previous build phase as well. As part of our CI/CD pipeline, we kick off a unit test to validate that the Docker container does what we expect. The next step of our CI/CD pipeline is to trigger an Xray scan. For this scan, I can fail the build if the Xray scan comes back and shows that there is a vulnerability in my build. Next in the CI/CD pipeline is to promote my Docker container. This promotion will only occur if my unit test was successful and my Xray scan was successful. Let's go to Artifactory to see what this looks like...
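The Jenkins pipeline walked through above, written out as a scripted Jenkinsfile using the Artifactory plugin DSL. This is an added example, not the script shown in the course; the Artifactory server id, repository names, image name and test command are assumptions.

```groovy
// Scripted Jenkins pipeline using the Artifactory plugin DSL (example, not the course's own script).
// Assumed: a Jenkins-side Artifactory server id 'artifactory', repos libs-snapshot-local,
// docker-staging-local and docker-release-local, and a test entrypoint inside the image.
node {
    def server = Artifactory.server 'artifactory'
    def buildInfo = Artifactory.newBuildInfo()

    stage('Download dependency') {
        // Pull the WAR produced by the earlier build phase into the workspace
        def downloadSpec = """{
          "files": [{ "pattern": "libs-snapshot-local/com/example/app/*.war", "target": "input/" }]
        }"""
        server.download spec: downloadSpec, buildInfo: buildInfo
    }

    stage('Build and publish image') {
        // Bake the WAR into the image and record the push in the build info Xray will scan
        sh 'docker build -t registry.example.com/app:${BUILD_NUMBER} .'
        def rtDocker = Artifactory.docker server: server
        rtDocker.push "registry.example.com/app:${env.BUILD_NUMBER}", 'docker-staging-local', buildInfo
        server.publishBuildInfo buildInfo
    }

    stage('Unit test') {
        sh 'docker run --rm registry.example.com/app:${BUILD_NUMBER} /app/run-tests.sh'
    }

    stage('Xray scan') {
        // failBuild: true aborts the pipeline when a watch policy reports a violation,
        // so the promotion stage below never runs for a build with a blocking finding
        def scanConfig = [
            'buildName'  : buildInfo.name,
            'buildNumber': buildInfo.number,
            'failBuild'  : true
        ]
        def scanResult = server.xrayScan scanConfig
        echo scanResult as String
    }

    stage('Promote') {
        // Reached only if the tests passed and the scan reported no violations
        def promotionConfig = [
            'buildName'  : buildInfo.name,
            'buildNumber': buildInfo.number,
            'sourceRepo' : 'docker-staging-local',
            'targetRepo' : 'docker-release-local',
            'status'     : 'Released',
            'comment'    : 'Unit tests passed and Xray scan reported no violations'
        ]
        server.promote promotionConfig
    }
}
```

Without failBuild the scan result is only logged, so the promotion gate is the failBuild flag plus the watch whose policy rule is configured to fail the build.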