Part 4: Estimate Policy Impact Using Dry Run
This part of the workshop focuses on evaluating the impact of security and license policies without enforcement by using dry run mode.
Goal: Assess the overall impact of the Curation operation on developers and security teams. Curation will restrict developers from using certain packages based on the established Curation policies, which may introduce new work for both the development and security teams. That impact should be evaluated before the policies are enforced on a large scale.
Policy Impact Assessment: Dry Run
Curation offers a dry-run mode to facilitate this evaluation. Policies configured with the dry-run action identify violations without blocking developers' package downloads. Every violation is recorded in the Dry-Run tab of the Audit Events window, which lists all packages that violated an active policy.
Run the policies in dry-run mode for one to two weeks, then assess the impact by inspecting the number of flagged packages for each policy.
Recommended policies for the dry-run implementation:
- CVE with CVSS score of 9 or above (with or without a fix version available) - Blocks 3rd party package versions with a known vulnerability whose NVD CVSS score is 9 or above, regardless of whether a newer version that fixes the vulnerability is available.
- Package version is immature (permissive) - Detects 3rd party packages whose version release date is less than 2 days old.
- Package version is aged (no newer version identified) - Detects and blocks 3rd party package versions whose release date is more than 2 years old and no newer version of the package exists.
- Package has no identified license - Blocks 3rd party package versions that lack an identified license.
- DockerHub Official Only - Enforces that pulled Docker images come only from Docker Hub Official Repositories, avoiding less trusted sources.
Once the impact has been thoroughly assessed, fine-tune the policies (tighten or relax their conditions) to suit your needs. Only then should the policies be switched to the Block action.
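The following is an added, illustrative evaluator that models the five recommended policies above and the difference between the dry-run and block actions. It is example code written for this workshop page, not JFrog's Curation implementation: the package record fields, the policy and action names, the audit-event shape and the sample packages are all constructed assumptions. What it shows is the part a practitioner wants to see during the assessment: the same policy conditions run in both modes, where dry-run only records audit events while block also refuses the package, and a per-policy tally of flagged packages of the kind you would read off the Dry-Run tab.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Callable, Dict, List, Optional, Set, Tuple

# Constructed, illustrative model of Curation's recommended policies.
# NOT JFrog's code: field names, policy names and the "dry_run"/"block"
# action labels are assumptions made for this example.


@dataclass
class PackageVersion:
    name: str
    version: str
    ecosystem: str                  # e.g. "npm", "maven", "pypi", "docker"
    release_date: date
    newer_version_exists: bool
    max_cvss: Optional[float]       # highest NVD CVSS score among known CVEs, None if none
    license: Optional[str]          # None when no license could be identified
    docker_official: bool = False   # only meaningful when ecosystem == "docker"


@dataclass
class Policy:
    name: str
    action: str                     # "dry_run" records only; "block" also refuses the package
    violates: Callable[[PackageVersion, date], bool]


@dataclass
class AuditEvent:
    package: str
    policy: str
    action: str


def recommended_policies(action: str) -> List[Policy]:
    """The five policies recommended for the dry-run phase, all with the same action."""
    return [
        # Fires regardless of whether a fixed version exists (fix availability is not checked).
        Policy("CVE with CVSS score of 9 or above", action,
               lambda p, today: p.max_cvss is not None and p.max_cvss >= 9.0),
        Policy("Package version is immature", action,
               lambda p, today: (today - p.release_date) < timedelta(days=2)),
        Policy("Package version is aged (no newer version identified)", action,
               lambda p, today: (today - p.release_date) > timedelta(days=2 * 365)
               and not p.newer_version_exists),
        Policy("Package has no identified license", action,
               lambda p, today: p.license is None),
        Policy("DockerHub Official Only", action,
               lambda p, today: p.ecosystem == "docker" and not p.docker_official),
    ]


def evaluate(packages: List[PackageVersion], policies: List[Policy],
             today: date) -> Tuple[List[AuditEvent], Set[str]]:
    """Run every policy over every package.

    Returns the audit events (what the Dry-Run tab would list) and the set of
    package@version strings that would actually be refused. In dry-run mode the
    second set is always empty: violations are recorded, not enforced.
    """
    events: List[AuditEvent] = []
    blocked: Set[str] = set()
    for p in packages:
        ident = f"{p.name}@{p.version}"
        for pol in policies:
            if pol.violates(p, today):
                events.append(AuditEvent(ident, pol.name, pol.action))
                if pol.action == "block":
                    blocked.add(ident)
    return events, blocked


def flagged_per_policy(events: List[AuditEvent]) -> Dict[str, int]:
    """The per-policy count you inspect when assessing dry-run impact."""
    counts: Dict[str, int] = {}
    for e in events:
        counts[e.policy] = counts.get(e.policy, 0) + 1
    return counts


TODAY = date(2024, 6, 1)  # fixed "now" so the example is deterministic


def sample_packages() -> List[PackageVersion]:
    """Constructed sample data: one package per policy plus one clean Docker image."""
    return [
        PackageVersion("lodash", "4.17.21", "npm", date(2021, 2, 20), False, None, "MIT"),
        PackageVersion("left-pad", "1.3.1", "npm", date(2024, 5, 31), False, None, "WTFPL"),
        PackageVersion("log4j-core", "2.14.1", "maven", date(2021, 3, 12), True, 10.0, "Apache-2.0"),
        PackageVersion("mystery-lib", "0.1.0", "pypi", date(2023, 1, 10), True, None, None),
        PackageVersion("someuser/nginx", "latest", "docker", date(2024, 1, 1), True, None,
                       "BSD-2-Clause", docker_official=False),
        PackageVersion("nginx", "1.25", "docker", date(2024, 3, 1), True, None,
                       "BSD-2-Clause", docker_official=True),
    ]


if __name__ == "__main__":
    for action in ("dry_run", "block"):
        events, blocked = evaluate(sample_packages(), recommended_policies(action), TODAY)
        print(f"action={action}: flagged per policy={flagged_per_policy(events)}")
        print(f"action={action}: packages refused={sorted(blocked)}")
```

Running it with the dry-run action yields one flagged package per policy and an empty refused set; switching the same policies to the block action refuses five of the six sample packages, which is exactly the before-and-after comparison the one-to-two-week assessment period is meant to let you make before enforcement.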
When to move on
Once you have reviewed dry run results and are comfortable with the observed impact, you are ready to move from observation to enforcement.
Proceed to Part 5: Apply Organization-Wide Blocking Policies
