How should I configure Rules in my Policy?

XRAY: Best practices to configure rules in a Policy

Idan Isayevich
Xray evaluates the rules in a policy in order, and the first rule that matches a violation is the one that applies.
Ordering the rules by severity is therefore the best approach.
The additional actions we configure, such as "Create Jira ticket", "Block download", "Fail build", etc., should also be set on the first rule of the policy, again ordered by severity.
For instance, if the second rule blocks downloads for violations of High or higher severity, while the first rule only generates violations for every severity level from Low to Critical, Xray won't block the download: the first rule already matches every violation, so the second rule is never reached.

This use case is shown below:
User-added image

Ideally, the policy would be set up as follows:
User-added image
We would see that Xray is now blocking the download:

User-added image
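To make the ordering effect concrete, here is an added example (not from this article or from JFrog) that models first-match rule evaluation over policies written in the shape of Xray's policy REST API JSON; the field names ("priority", "min_severity", "block_download", "fail_build") are assumed from that API, and the evaluation logic is a simplified illustration, not Xray's own code.

```python
# Added example: simplified model of Xray's first-match rule evaluation.
# Policy JSON mirrors the shape of Xray's policy REST API (field names such as
# "priority", "min_severity", "block_download" are assumed from that API).
SEVERITY_RANK = {"Low": 1, "Medium": 2, "High": 3, "Critical": 4}

def first_matching_rule(policy, violation_severity):
    """Return the first rule (lowest priority number) the violation satisfies."""
    for rule in sorted(policy["rules"], key=lambda r: r["priority"]):
        threshold = rule["criteria"]["min_severity"]
        if SEVERITY_RANK[violation_severity] >= SEVERITY_RANK[threshold]:
            return rule
    return None

def effective_actions(policy, violation_severity):
    """Only the first matching rule's actions apply; later rules are never reached."""
    rule = first_matching_rule(policy, violation_severity)
    if rule is None:
        return {"rule": None, "block_download": False, "fail_build": False}
    actions = rule.get("actions", {})
    return {
        "rule": rule["name"],
        "block_download": actions.get("block_download", {}).get("active", False),
        "fail_build": actions.get("fail_build", False),
    }

def make_rule(name, priority, min_severity, block=False, fail_build=False):
    return {
        "name": name,
        "priority": priority,
        "criteria": {"min_severity": min_severity},
        "actions": {"block_download": {"active": block, "unscanned": False},
                    "fail_build": fail_build},
    }

# Ordering from the article's first example: rule 1 already matches every
# violation from Low upwards, so the High-or-higher blocking rule never runs.
BAD_POLICY = {"name": "sec-policy", "type": "security", "rules": [
    make_rule("all-severities", 1, "Low"),
    make_rule("block-high", 2, "High", block=True),
]}

# Corrected ordering: the rule carrying the action comes first, by severity.
GOOD_POLICY = {"name": "sec-policy", "type": "security", "rules": [
    make_rule("block-high", 1, "High", block=True),
    make_rule("all-severities", 2, "Low"),
]}
if __name__ == "__main__":
    for label, policy in (("bad order", BAD_POLICY), ("good order", GOOD_POLICY)):
        print(label, effective_actions(policy, "Critical"))
```

Running it shows a Critical violation is caught by "all-severities" under the bad ordering (no block) and by "block-high" under the corrected ordering (download blocked).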

The same guideline applies to creating Jira tickets.
If we want to create a Jira ticket, the first rule in a policy should be the one that has the "Create Jira Ticket" option enabled:

User-added image
As a result, the policy's order will be as follows:
User-added image
In this case, the "Create Jira Ticket" option is enabled on "Rule1".
Please remember that the first rule's criteria should not be chosen by severity alone, but by the requirements your organization has set for creating tickets in Jira.