Part 3: Prepare and Configure Xray

This part of the workshop focuses on preparing your environment and configuring JFrog Xray so that it can analyze artifacts, builds, and dependencies across your software delivery pipeline.

The goal of this step is to ensure Xray is correctly set up and connected before policies are evaluated or enforced.

What preparing Xray involves

Preparing Xray includes ensuring that:

This preparation step ensures that scan results and policy evaluations are accurate and meaningful.

Ensure Xray is enabled and running

Before continuing, confirm that:

  • Xray is enabled in your environment
  • Xray services are running normally
  • Artifactory is connected to Xray

Xray relies on Artifactory metadata and build information to perform analysis.

Sync the vulnerability and license databases (Self-Hosted)

Before running policies or reviewing scan results, ensure Xray has completed its database synchronization. Xray relies on synchronized vulnerability and license intelligence to analyze artifacts, builds, and dependencies accurately.

Database synchronization is required to:

  • Populate vulnerability and license intelligence data
  • Produce meaningful scan results and violations
  • Ensure policy evaluation is based on up-to-date information

After enabling Xray, confirm that database synchronization is complete before moving forward with policy evaluation and notification mode.

Configure access and permissions

Ensure you have appropriate permissions to work with Xray.

You should be able to:

  • Create and manage security policies
  • Configure watches and scopes
  • View violations and audit data
  • Access build and artifact information

Proper access control ensures that only authorized users can manage security enforcement.

Decide what Xray should analyze (Indexing Resources)

Xray can analyze multiple types of resources.

As part of configuration, decide which of the following will be included:

  • Artifacts stored in repositories
  • Builds produced by CI/CD pipelines
  • Dependencies resolved during builds
  • SBOMs, if applicable

Starting with a limited and well-defined scope helps reduce noise and simplify evaluation.

Prepare repositories and projects

Ensure that:

  • Repositories are correctly configured in Artifactory
  • Relevant projects are identified
  • External package resolution is functioning as expected

Xray evaluates risk based on the components used in these repositories and projects.

Connect Xray to CI/CD workflows

Xray integrates with CI/CD pipelines to analyze builds and provide early feedback.

As part of preparation:

  • Confirm build information is published to Artifactory
  • Identify where Xray analysis will occur in the pipeline
  • Decide whether feedback will be provided during build, promotion, or release stages

This enables Xray to support early detection and policy enforcement.

When to move on

Once Xray is configured and connected to your environment, you are ready to evaluate policies without enforcement.

Proceed to Part 4: Run Xray in Notification Mode (Dry Run)