Part 5: Enforce Policies and Monitor Risk

This part of the workshop focuses on moving from notification to enforcement and using JFrog Xray to actively prevent risky components from progressing through the software delivery pipeline.

At this stage, you begin enforcing selected policies while closely monitoring their impact.

Why enforcement comes after notification

Enforcement should only be introduced after policies have been evaluated in notification mode.

By enforcing policies after observation, you can:

  • Reduce unexpected build or download failures
  • Enforce policies with clear justification
  • Apply controls based on real usage data
  • Maintain trust with development teams

This phased approach is a core DevSecOps practice and is strongly recommended by Customer Success teams.

What enforcement means in Xray

When Xray policies are enforced:

  • Builds can fail when violations are detected
  • Artifact downloads can be blocked
  • Violations are recorded and tracked
  • Enforcement occurs at defined points in the SDLC

Enforcement actions depend on policy configuration and where Xray is integrated.

What you will do in this part

In this part of the workshop, you will:

  • Select policies that were evaluated in notification mode
  • Change policy actions from notify to block
  • Apply enforcement to a defined scope
  • Observe enforcement behavior during normal activity

This step focuses on controlled and intentional enforcement.

Where enforcement can occur

Xray supports enforcement at multiple stages, including:

  • During CI builds
  • During artifact promotion or release
  • During artifact download from repositories

You can choose enforcement points based on your risk tolerance and workflow requirements.

Monitoring enforcement impact

After enabling enforcement, it is important to monitor how policies behave.

Key areas to review include:

  • Frequency of blocked builds or downloads
  • Types of violations causing enforcement
  • Teams or projects most affected
  • Changes in violation trends over time

Monitoring helps identify whether enforcement is effective or requires adjustment.
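As an added example (not part of the workshop and not JFrog's own code), the following Python aggregates a constructed set of enforcement events into the four review areas above and flags what may need adjustment; the record schema is an assumption for illustration, not Xray's report format.

```python
from collections import Counter, defaultdict
from datetime import date

# Constructed sample of enforcement events (assumed schema, not Xray's real
# report format). Each record is one policy action that actually fired.
EVENTS = [
    {"date": "2024-05-06", "action": "fail_build", "policy": "critical-cves", "type": "security", "project": "payments"},
    {"date": "2024-05-06", "action": "block_download", "policy": "banned-licenses", "type": "license", "project": "web"},
    {"date": "2024-05-07", "action": "fail_build", "policy": "critical-cves", "type": "security", "project": "payments"},
    {"date": "2024-05-13", "action": "block_download", "policy": "critical-cves", "type": "security", "project": "mobile"},
    {"date": "2024-05-14", "action": "fail_build", "policy": "critical-cves", "type": "security", "project": "payments"},
    {"date": "2024-05-20", "action": "fail_build", "policy": "banned-licenses", "type": "license", "project": "web"},
]


def summarize(events):
    """Aggregate events into the four review areas: how often enforcement
    fires, which violation types cause it, which projects are hit most,
    and how the count trends over time (per ISO week)."""
    by_action = Counter(e["action"] for e in events)      # frequency of blocked builds / downloads
    by_type = Counter(e["type"] for e in events)          # violation types causing enforcement
    by_project = Counter(e["project"] for e in events)    # teams or projects most affected
    by_week = defaultdict(int)                            # trend over time
    for e in events:
        year, week, _ = date.fromisoformat(e["date"]).isocalendar()
        by_week[f"{year}-W{week:02d}"] += 1
    return {
        "by_action": dict(by_action),
        "by_type": dict(by_type),
        "by_project": dict(by_project),
        "by_week": dict(sorted(by_week.items())),
    }


def flag_for_review(summary, max_per_project=3):
    """Point at projects that absorb most of the disruption (candidates for a
    narrower scope or adjusted thresholds) and say whether enforcement
    events are rising week over week rather than settling down."""
    hot = [p for p, n in summary["by_project"].items() if n >= max_per_project]
    weekly = list(summary["by_week"].values())
    rising = len(weekly) >= 2 and weekly[-1] > weekly[0]
    return {"hot_projects": hot, "rising_trend": rising}


if __name__ == "__main__":
    report = summarize(EVENTS)
    for area, counts in report.items():
        print(area, counts)
    print(flag_for_review(report))
```

With the sample above, the payments project accounts for half of all enforcement events and the weekly count is falling, which is the pattern you want to see once teams have adapted.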

Handling enforcement issues

If enforcement causes unexpected disruption:

  • Review the policy conditions and scope
  • Consider narrowing scope or adjusting thresholds
  • Temporarily return policies to notification mode if needed
  • Communicate clearly with affected teams

The goal is to improve security without unnecessarily slowing development.

When to move on

Once enforcement is stable and understood, you can focus on long-term operation and continuous improvement.

Proceed to Part 6: Operate Xray as Part of DevSecOps