Part 6: Operate Xray as Part of DevSecOps

This part of the workshop focuses on operating JFrog Xray as a continuous DevSecOps capability rather than a one-time rollout.

At this stage, Xray is actively enforcing policies and providing visibility across the software lifecycle. The goal is to integrate Xray into daily security and development workflows.

What operating Xray looks like

Operating Xray involves ongoing monitoring, collaboration, and adjustment.

Typical operational activities include:

  • Reviewing policy violations and trends
  • Monitoring build and download enforcement
  • Responding to developer questions and feedback
  • Tuning policies and scopes as needed
  • Measuring progress against defined metrics

Xray should become part of normal development and security operations.

Monitoring risk and trends

Ongoing monitoring helps ensure that Xray enforcement remains effective and relevant.

Key areas to monitor include:

  • Overall violation volume over time
  • High-severity vulnerabilities and critical licenses
  • Repositories, builds, or projects most affected
  • Newly introduced risks after releases or dependency updates

Trend analysis helps identify whether risk is decreasing and where additional focus is needed.

Using metrics to measure success

Metrics defined during planning should be reviewed regularly.

Common metrics include:

  • Reduction in critical or high-severity vulnerabilities
  • Changes in build failure rates
  • Time to remediate violations
  • Adoption of secure dependency practices

Metrics help demonstrate the value of Xray and guide future improvements.
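The monitoring areas and metrics listed in the two sections above can be computed from Xray's violation data once it has been exported. The script below is an added example written for this workshop page; it is not JFrog's code and does not use Xray's real export or API format. The violation records, repository names, dates and the release date are constructed sample values with a hypothetical field layout, chosen so the week-by-week volume, most-affected repositories, newly introduced risks after a release, and time to remediate can all be read off one small dataset.

```python
from collections import Counter, defaultdict
from datetime import date
from statistics import mean

# Constructed sample data (hypothetical record shape, not Xray's export format).
# One record per policy violation: detection date, the repository holding the
# artifact, the severity Xray assigned, the violation type, and the date it was
# remediated (None while it is still open).
VIOLATIONS = [
    {"id": "v1", "repo": "libs-release-local", "severity": "Critical", "type": "security",
     "detected": "2024-03-04", "remediated": "2024-03-08"},
    {"id": "v2", "repo": "npm-remote", "severity": "High", "type": "security",
     "detected": "2024-03-05", "remediated": "2024-03-12"},
    {"id": "v3", "repo": "libs-release-local", "severity": "Critical", "type": "security",
     "detected": "2024-03-12", "remediated": None},
    {"id": "v4", "repo": "docker-local", "severity": "High", "type": "security",
     "detected": "2024-03-13", "remediated": "2024-03-20"},
    {"id": "v5", "repo": "libs-release-local", "severity": "High", "type": "license",
     "detected": "2024-03-19", "remediated": None},
    {"id": "v6", "repo": "docker-local", "severity": "Critical", "type": "security",
     "detected": "2024-03-20", "remediated": "2024-03-22"},
    {"id": "v7", "repo": "npm-remote", "severity": "Medium", "type": "security",
     "detected": "2024-03-21", "remediated": None},
    {"id": "v8", "repo": "libs-release-local", "severity": "Medium", "type": "license",
     "detected": "2024-03-06", "remediated": "2024-03-27"},
]

RELEASE_DATE = "2024-03-18"  # constructed: date of the most recent release


def _d(iso):
    return date.fromisoformat(iso)


def violations_per_week(records):
    """Violation volume over time: counts per ISO week of detection, by severity."""
    weekly = defaultdict(Counter)
    for r in records:
        year, week, _ = _d(r["detected"]).isocalendar()
        weekly[f"{year}-W{week:02d}"][r["severity"]] += 1
    return {week: dict(counts) for week, counts in sorted(weekly.items())}


def most_affected_repos(records, n=3):
    """Repositories carrying the most violations, most affected first."""
    return Counter(r["repo"] for r in records).most_common(n)


def introduced_after(records, cutoff):
    """Violation ids first detected after a release or dependency update."""
    cut = _d(cutoff)
    return [r["id"] for r in records if _d(r["detected"]) > cut]


def mean_days_to_remediate(records, severity=None):
    """Mean time to remediate (in days) over closed violations, optionally per severity."""
    durations = [
        (_d(r["remediated"]) - _d(r["detected"])).days
        for r in records
        if r["remediated"] and (severity is None or r["severity"] == severity)
    ]
    return mean(durations) if durations else None


def open_count(records, severity):
    """Still-open violations at a given severity; track this week over week."""
    return sum(1 for r in records if r["severity"] == severity and not r["remediated"])


if __name__ == "__main__":
    print("Violations per week:", violations_per_week(VIOLATIONS))
    print("Most affected repositories:", most_affected_repos(VIOLATIONS))
    print("Introduced after release:", introduced_after(VIOLATIONS, RELEASE_DATE))
    print("Mean days to remediate (all):", mean_days_to_remediate(VIOLATIONS))
    print("Mean days to remediate (Critical):", mean_days_to_remediate(VIOLATIONS, "Critical"))
    print("Open Critical:", open_count(VIOLATIONS, "Critical"))
```

Run the same functions against successive exports and the differences become the trend: a falling open Critical count and a shrinking mean time to remediate are the signals that enforcement is working, while a spike in violations introduced after a release date points at where the next policy or scope adjustment is needed.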

Working with development teams

Effective DevSecOps relies on collaboration rather than enforcement alone.

When working with development teams:

  • Provide clear explanations for violations
  • Share remediation guidance where available
  • Encourage early feedback during notification phases
  • Use enforcement data to support conversations, not blame

Clear communication helps maintain trust and adoption.

Continuous policy improvement

Policies should evolve as applications, teams, and risk profiles change.

Recommended practices include:

  • Periodically reviewing policy conditions and thresholds
  • Introducing new policies in notification mode
  • Retiring outdated or redundant policies
  • Adjusting scopes as projects are added or changed

Continuous improvement keeps Xray aligned with organizational needs.

Scaling Xray across the organization

As confidence grows, Xray can be expanded to additional teams, projects, or repositories.

When scaling:

  • Reuse proven policy templates
  • Apply lessons learned from earlier rollouts
  • Gradually increase enforcement coverage
  • Monitor impact closely after expansion

This approach supports sustainable growth without overwhelming teams.

When to move on

Once Xray is operating as part of your DevSecOps workflow, you can focus on expanding your overall security posture.