Part 1: Xray and DevSecOps Overview

This part of the workshop introduces JFrog Xray and explains how it supports a DevSecOps approach to securing the software supply chain.

Before configuring or enforcing policies, it is important to understand where Xray fits in the software development lifecycle and how it helps teams identify and manage risk early and continuously.

What JFrog Xray does

JFrog Xray analyzes software components used throughout the development lifecycle to identify:

  • Security vulnerabilities
  • License compliance risks
  • Operational and supply chain risks

Xray continuously scans artifacts, builds, and dependencies stored in Artifactory and integrates with CI/CD pipelines to provide visibility and enforcement at multiple stages.

What DevSecOps means in practice

DevSecOps is the practice of integrating security into every stage of software delivery rather than treating it as a final gate.

In a DevSecOps model:

  • Security issues are identified as early as possible
  • Developers receive actionable feedback during development
  • Security teams define policies rather than manually reviewing every change
  • Risk is managed continuously, not only at release time

Xray supports this model by providing automated analysis and policy-based controls across the SDLC.

Where Xray fits in the software lifecycle

Xray can be applied at multiple points in the software lifecycle, including:

  • During dependency resolution
  • During CI builds
  • During artifact promotion and release
  • During artifact download
  • After deployment, through continuous monitoring

This lets organizations catch risk before an artifact ships and still respond when a vulnerability is disclosed against a component that is already deployed.

Shared responsibility across teams

Effective use of Xray relies on collaboration between teams.

Typical responsibilities include:

  • Security teams defining policies and risk thresholds
  • Platform teams integrating Xray into CI/CD and repositories
  • Development teams responding to findings and remediation guidance

Xray enables this shared responsibility model by centralizing analysis while distributing enforcement and feedback.

Why a phased rollout is recommended

Because Xray policy actions can fail builds and block artifact downloads from Artifactory, enforcement should be introduced gradually rather than switched on for every repository at once.

A phased rollout allows you to:

  • Start with visibility before enforcement
  • Establish baselines for risk and violations
  • Avoid unexpected disruption
  • Build trust across teams
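The following is an added example of what "visibility before enforcement" looks like at the policy level; it is not part of the workshop material. It assumes the body format of the Xray REST API v2 create-policy call (POST /xray/api/v2/policies), where a security policy rule carries a severity criterion and a set of actions. The two objects below are two separate policies (each would be submitted in its own request); the policy and rule names are made up for illustration. Both use the same criterion so that the violations recorded in the first phase form the baseline for what the second phase will block.

```json
[
  {
    "name": "workshop-security-visibility",
    "type": "security",
    "description": "Phase 1 (assumed name): record High and Critical violations, enforce nothing",
    "rules": [
      {
        "name": "high-and-above-report-only",
        "priority": 1,
        "criteria": { "min_severity": "High" },
        "actions": {
          "fail_build": false,
          "block_download": { "active": false, "unscanned": false },
          "notify_watch_recipients": true
        }
      }
    ]
  },
  {
    "name": "workshop-security-enforce",
    "type": "security",
    "description": "Phase 2 (assumed name): same criterion, now fails builds and blocks downloads",
    "rules": [
      {
        "name": "high-and-above-enforce",
        "priority": 1,
        "criteria": { "min_severity": "High" },
        "actions": {
          "fail_build": true,
          "block_download": { "active": true, "unscanned": false },
          "notify_watch_recipients": true
        }
      }
    ]
  }
]
```

Two details matter for the phased approach. First, a policy does nothing until it is attached to a Watch that selects the repositories or builds it applies to, so the scope of enforcement is controlled by the Watch, not only by the policy actions. Second, "unscanned": false in the enforcement phase means artifacts that Xray has not scanned yet are still downloadable; setting it to true blocks them as well, which is a common source of unexpected disruption when indexing lags behind new uploads.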

This workshop follows a phased approach that reflects how Xray is commonly adopted in production environments.

When to move on

Once you understand how Xray fits into the DevSecOps workflow, you are ready to begin planning your rollout.

Proceed to Part 2: Plan Your Xray Rollout