Part 2: Plan Your Xray Rollout

This part of the workshop focuses on planning a structured rollout of JFrog Xray before configuration or enforcement begins.

A clear rollout plan helps ensure that Xray adoption aligns with organizational goals, minimizes disruption, and sets clear expectations for all stakeholders.

Xray adoption works best when introduced incrementally. Start with a small scope, involve a team champion, define clear security criteria, and evaluate impact in notification mode before enforcing policies. This cycle can be repeated as Xray expands to additional teams and projects.
Why planning matters

Introducing Xray without a plan can lead to:

  • Unexpected build failures
  • Confusion around policy ownership
  • Resistance from development teams
  • Difficulty measuring success

Planning first allows you to define what success looks like and how Xray will be introduced in a controlled way.

Define your security objectives

Before configuring Xray, identify the primary goals you want to achieve.

Common objectives include:

  • Reducing exposure to high-severity vulnerabilities
  • Improving open-source license compliance
  • Gaining visibility into dependency risk
  • Enforcing security policies earlier in the SDLC

Clear objectives help guide policy design and enforcement decisions later in the workshop.

Identify stakeholders and ownership

Successful Xray rollouts involve multiple teams.

Typical roles include:

  • Security teams defining policies and risk thresholds
  • Platform or DevOps teams integrating Xray into CI/CD and repositories
  • Development teams addressing findings and remediation

Defining ownership early helps avoid ambiguity once enforcement begins.

Define rollout scope

Decide where Xray will be introduced first.

To reduce risk, start with:

  • A limited set of repositories or projects
  • Non-production or lower-impact applications
  • A small number of pipelines or teams

Scope can be expanded gradually as confidence increases.

Define success metrics

Measuring progress helps validate the effectiveness of your rollout.

Examples of metrics to track include:

  • Number of detected vulnerabilities over time
  • Policy violation trends
  • Build failure rates after enforcement
  • Time to remediation

These metrics provide a baseline for evaluating improvements and guiding future adjustments.

Plan for notification before enforcement

Xray supports running policies in notification mode, so that violations are reported without blocking activity, before enforcement is turned on.

As part of your rollout plan:

  • Decide which policies will start in notification mode
  • Define an observation period to collect data
  • Determine criteria for moving policies to enforcement

This approach aligns with DevSecOps best practices and reduces disruption.

When to move on

Once your rollout plan is defined, you are ready to prepare and configure Xray.

Proceed to Part 3: Prepare and Configure Xray