How Does Xray Scan Your Artifacts?

JFrog Security Documentation

JFrog Xray
Content Type
User Guide
  1. Xray is populated with vulnerability data: Xray initially populates data about vulnerabilities and licenses from the Xray global database server managed by JFrog. After the initial database synchronisation, Xray is then continuously synchronized with the central database for new updates on a daily basis. To learn more about Xray security and severity levels, see Determining the Issue Severity Level for Operating Systems Packages

  2. Indexes resources: Performs deep indexing of artifacts, builds and Release Bundles, recursively going through dependencies at any level and creates a graph of relationships between software components. For example, when analyzing a Docker image, if Xray finds that it contains a Java application, it will also analyse all the .jar files used in this application.

  3. Scans resources: Scans packages, builds, artifacts and Release Bundles that have been set to be scanned in the Indexing Resources in the Administration module to match vulnerabilities and licenses for each OSS component in the scanned resource.

  4. Processes assigned Policies based on the predefined Watches: Xray provides an enhanced Policy and Watch mechanism for defining and enforcing governance standards on your binaries, bringing additional security and compliance to your software dependencies.

  5. Performs ongoing Impact Analysis: When a new vulnerability or license is added to the Xray Database, Xray immediately identifies all of the impacted artifacts, and runs the relevant policies to continuously protect your artifacts, builds and Release bundles.