The need to protect your software and to be updated about vulnerabilities is expanding. JFrog Xray is unique in its capabilities to perform analysis of all the binaries you are consuming in your project. It works with Artifactory to perform a deep analysis of binary components at any stage of the application lifecycle. Xray provides great visibility into issues lurking in components anywhere in your organization and there are many cases where you wish to get notified on a security violation (or a license breach) directly to Slack.
The project uses Express.js, a minimal and flexible Node.js framework that includes a myriad of HTTP utility methods for quickly creating robust APIs. We also use the Body Parser package, which is Node.js middleware that allows us to process any POST requests we receive.
Before we start, you can fork the code from *github.com/greenido/jfrog-xray-2-slack-example *
Now, you want to check the routes.js file and see the end-point that is being used:
/xray/api – Get the notification from Xray and send messages to Slack. Each violation will be sent as one message. To make it more efficient we aren’t sending all the issues’ data per violation.
However, if you wish to get more information, please feel free to fork this project and add fields to the message.
Defined Xray’s Webhook by following these steps or see below here at step #5.
Copy this project and change:
Create a Slack App by following this tutorial on Incoming Webhooks For Slack
Check and see the channel you defined at #3 for incoming notification.
Configure the webhook and attach it to a policy.
B. Open the Admin panel and under “Xray Security & Compliance” you will see the option to define Webhooks:
C. You will get this screen, so you can add or edit your Webhooks
D. Enter the URL end-point of your server. If you are using authentication (which is recommended) you need to enter the user/password.
E. Open a policy with rules like in the example below.
F. On each rule you need to see that you attached the Webhook:
That is it on the Xray side of the house.
- Over on Slack – the messages should look like this:
Psst… If you wish to be up and running without the need to install anything you can take this project and ‘remix’ it to create your own version. This will give you the option to have a server up and ready without the need to install it on your own.
Please feel free to improve this project with ideas and pull requests.
If you have your own data that you want Xray to use – check how to create your custom integration with Xray. This option will give you the ability to enrich Xray’s data. All the details are in this post.
Be safe and updated!
Posted on by: