Part 4: Run Xray in Notification Mode (Dry Run)

This part of the workshop focuses on running JFrog Xray in notification mode, also referred to as dry run mode.

Notification mode allows you to evaluate security and license policies without blocking builds or downloads. This step is critical for understanding policy impact before enforcement.

Why notification mode is important

Enforcing policies without prior visibility can disrupt development workflows and slow delivery.

Running Xray in notification mode allows you to:

  • Observe how policies behave in real usage
  • Identify high-impact policies before enforcement
  • Detect false positives or unexpected violations
  • Build confidence across security and development teams

We strongly recommend running policies in notification mode before enabling blocking.

What notification mode does and does not do

When Xray policies are configured in notification mode:

  • Violations are detected and recorded
  • Builds and downloads are not blocked
  • Developers continue working without interruption
  • Audit and violation data is generated for review

Notification mode is used for evaluation only and does not enforce blocking actions.

What you will do in this part

In this part of the workshop, you will:

  • Create or enable security and license policies in notification mode
  • Apply policies to a defined scope
  • Allow normal build and download activity to continue
  • Review violations and audit data over time

This step focuses on collecting data rather than taking action.

What to observe during notification mode

While policies are running in notification mode, review:

  • Frequency of detected violations
  • Types of vulnerabilities or licenses triggering violations
  • Repositories, builds, or projects most affected
  • Repeated or recurring violation patterns

This information helps determine which policies are ready for enforcement and which may require refinement or scoping.
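As an added example (not part of the workshop material or a JFrog tool), the script below checks that a policy rule's actions are notification-only and then aggregates constructed violation records into the observations listed above: frequency per policy, violation types, most-affected repositories and recurring components. The `actions` field names follow the Xray REST API policy object as I know it and are an assumption to verify against your version; the violation record fields and the readiness threshold are this example's own.

```python
from collections import Counter

# Rule actions for a notification-mode policy. Field names follow the Xray REST
# API "actions" object as I understand it (assumption: verify against your version).
NOTIFY_ONLY_ACTIONS = {
    "fail_build": False,
    "block_download": {"active": False, "unscanned": False},
    "notify_watch_recipients": True,
}

def is_notification_mode(actions):
    """True when the rule records violations but blocks no build or download."""
    block = actions.get("block_download", {})
    return (not actions.get("fail_build", False)
            and not block.get("active", False)
            and not block.get("unscanned", False))

# Constructed violation records as a dry-run period might produce them.
# The field names are this example's own, not an Xray export format.
VIOLATIONS = [
    {"policy": "sec-critical", "type": "security", "detail": "Critical", "repo": "npm-remote", "component": "demo-lib:0.9.0"},
    {"policy": "sec-critical", "type": "security", "detail": "Critical", "repo": "npm-remote", "component": "demo-lib:0.9.0"},
    {"policy": "sec-critical", "type": "security", "detail": "High", "repo": "docker-local", "component": "sample-image:1.0"},
    {"policy": "lic-copyleft", "type": "license", "detail": "GPL-3.0", "repo": "maven-remote", "component": "example-jar:1.2.3"},
    {"policy": "lic-copyleft", "type": "license", "detail": "AGPL-3.0", "repo": "npm-remote", "component": "other-lib:2.0.0"},
    {"policy": "lic-unknown", "type": "license", "detail": "Unknown", "repo": "docker-local", "component": "sample-image:1.0"},
]

def summarize(violations):
    """Aggregate the data the workshop says to review during notification mode."""
    component_hits = Counter(v["component"] for v in violations)
    return {
        "by_policy": Counter(v["policy"] for v in violations),   # frequency per policy
        "by_type": Counter(v["type"] for v in violations),       # security vs. license
        "by_repo": Counter(v["repo"] for v in violations),       # most affected scope
        # Recurring pattern: the same component tripping policies more than once.
        "recurring": {c: n for c, n in component_hits.items() if n > 1},
    }

def enforcement_candidates(violations, max_violations):
    """Constructed heuristic: policies at or below the threshold are low-impact
    candidates for enforcement; the rest need refinement or narrower scoping."""
    by_policy = Counter(v["policy"] for v in violations)
    ready = sorted(p for p, n in by_policy.items() if n <= max_violations)
    refine = sorted(p for p, n in by_policy.items() if n > max_violations)
    return ready, refine

if __name__ == "__main__":
    assert is_notification_mode(NOTIFY_ONLY_ACTIONS), "policy would block; not a dry run"
    summary = summarize(VIOLATIONS)
    print("most affected repo:", summary["by_repo"].most_common(1))
    print("recurring components:", summary["recurring"])
    print("ready / refine:", enforcement_candidates(VIOLATIONS, 2))
```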

How long to run notification mode

To gather meaningful results:

  • Run policies in notification mode for a defined observation period
  • Avoid frequent policy changes during this time
  • Ensure normal CI/CD and development activity continues

The goal is to establish a realistic baseline for policy impact.

When to move on

Once you are comfortable with the observed results, you are ready to introduce enforcement.

Proceed to Part 5: Enforce Policies and Monitor Risk