The trend of DevSecOps is not new, but it is growing fast. More and more organizations want to integrate their security team into all phases of development and operations.
Many security products keep your code safe from vulnerabilities at different stages (dev, test, QA and prod). JFrog Xray's focus is different: it analyzes all the binaries your project consumes, not just the code you write.
JFrog Xray works with JFrog Artifactory to perform a deep analysis of binary components at any stage of the application lifecycle. It provides transparency that leads to (more) trust in your software. By scanning binary components and their metadata, and recursively going through dependencies at any level (think of the layers in any Docker image), JFrog Xray gives you visibility into issues lurking in components anywhere in your organization.
One of the best parts is that JFrog Xray is also fully automated through a rich REST API that lets it integrate with a CI/CD pipeline and allows other binary analysis tools to build on its unique capabilities.
In this post, we will see how to build such an integration and enrich your Xray data with information specific to your company. Think of a use case where you hold additional security (or license) information on binaries, for example findings from an internal audit, and you want Xray to raise violations based on it.
We will build an integration that lets Xray query your data source and pull that information in: Xray sends the component IDs it is scanning to your server, and your server answers only for the components it knows about.
First, clone the example repository: github.com/greenido/jfrog-xray-integration-example
In this example, you will see that we implement three endpoints:
- /xray/api – Receives the component IDs from Xray and returns, back to Xray, only the ones we have additional information on.
- /xray/api/checkauth – Lets Xray check that it can authenticate to our server. This is the URL you put in the ‘Test Url’ field in the Xray web UI.
- /xray/api/test – A simple health check for the server itself.
Second, open Xray and, from the ‘Admin’ menu, click on ‘Integrations’. Then fill in all the details as in the image below. Use an HTTPS URL for your server and a long random value for the API key, since Xray sends that key with every request and it is the only thing stopping anyone else from feeding you (or reading) component data.
(!) Don’t forget to tick ‘Enabled’, otherwise the integration will not be used.
Third, after cloning and running the sample code, check from Xray that it can reach your server and pass authentication. You can do this by clicking the ‘Test’ button in the Integration window.
Last but not least, confirm that Xray actually sends components to our example server. You can do this by clicking on ‘Scan for Violations’.
In the example server's log, you will see the full list of components that Xray sent. Next, you can see that our server returns information for component_id: “docker://gae-alerts-il:v1”
You will see this new violation in Xray after a few seconds. If you don’t see it, check the logs and make sure that your server is returning a JSON object that contains that exact component_id (the match is on the full ID, including the package type prefix and version).
👌🏾 You just extended Xray's capabilities with your own dataset.
By the way, if you are a Go developer, check the Go version of this example.