Export Violations From JFrog Xray to CSV

Ido Green - Feb 28 '20 - - Dev Community

The trend of #DevSecOps is growing fast, and security is no longer just the job of your security team. More and more organizations want to integrate their security team into all phases of development and operations. To achieve this, there are cases where you need to export data from JFrog Xray (in our case to CSV) so you can ingest it into your existing logging/monitoring system.

What is Xray?

In a nutshell, JFrog Xray works with JFrog Artifactory to perform a deep analysis of binary components at any stage of the application lifecycle. It provides full transparency that leads to more trust in your software.

By scanning binary components and their metadata, recursively going through dependencies at any level (think of the layers in any Docker container), JFrog Xray provides great visibility into issues lurking in components anywhere in your organization.

Xray API

One of the best parts is that JFrog Xray is also fully automated through a rich REST API. We will use it to create this exporter. Please feel free to clone/fork the code below and use it, but remember that for a real system you might need to add pagination and a watchdog.

Code

Demo

Docker

🐸 You can run it with this Docker Image as well. It’s just one line:

      docker run -v /tmp/xray-csv/:/home/node/app/xray-csv --env-file .env -p 80:8080 -d greenido/jfrog-xray-exporter-csv

All you need is to make sure that /tmp/xray-csv/ is a valid directory on your machine, as this is where the CSV files will be stored.

You need to fill the .env file with the following fields:

      BASE_URL=ip-address:port/xray
      XRAY_USER=Your-user
      XRAY_PASS=the-password
      EXPORTER_PORT=8080

      # Query params
      MIN_SEVERITY=Low
      VIO_LIMIT=2500
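To show how the .env fields above drive the REST calls mentioned earlier, here is an added Node.js example (my own, not the exporter's code) that builds the Xray "Get Violations" request, pages through the results up to VIO_LIMIT, and writes them as properly quoted CSV. The endpoint path, request body shape and 1-based page offset are my assumptions about the Xray API, and the sample violations and `fakeSend` are constructed so the script runs offline.

```javascript
const COLUMNS = ['created', 'severity', 'type', 'watch_name', 'description', 'infected_components'];

// One "Get Violations" request built from the .env fields in the post. The endpoint path,
// body shape and 1-based page offset are assumptions about the Xray REST API.
function buildRequest(env, offset, pageLimit) {
  const auth = Buffer.from(`${env.XRAY_USER}:${env.XRAY_PASS}`).toString('base64');
  return {
    url: `http://${env.BASE_URL}/api/v1/violations`,
    method: 'POST',
    headers: { 'Content-Type': 'application/json', Authorization: `Basic ${auth}` },
    body: { filters: { min_severity: env.MIN_SEVERITY },
            pagination: { order_by: 'created', direction: 'asc', limit: pageLimit, offset } },
  };
}

// RFC 4180 quoting: descriptions come from package metadata, so commas, quotes and
// newlines must be escaped or one bad row breaks the file. Arrays are joined with ';'.
function csvField(value) {
  const s = Array.isArray(value) ? value.join(';') : value == null ? '' : String(value);
  return /[",\r\n]/.test(s) ? `"${s.replace(/"/g, '""')}"` : s;
}

function violationsToCsv(violations) {
  return violations.map((v) => COLUMNS.map((c) => csvField(v[c])).join(','));
}

// Page through the API until VIO_LIMIT rows are collected or a page comes back empty. `send(request)`
// does the HTTP call and returns the parsed JSON body; it is injected so the sample runs offline.
function exportViolations(env, send, pageSize = 100) {
  const limit = Number(env.VIO_LIMIT);
  const rows = [COLUMNS.join(',')];
  for (let offset = 1; rows.length - 1 < limit; offset++) {
    const page = send(buildRequest(env, offset, pageSize));
    if (!page.violations || page.violations.length === 0) break; // empty page: stop, never spin
    rows.push(...violationsToCsv(page.violations));
  }
  return rows.slice(0, limit + 1).join('\n');
}

// Constructed sample violations standing in for a live Xray server (served two per page below).
const SAMPLE = [
  { created: '2020-02-27T10:00:00Z', severity: 'High', type: 'security', watch_name: 'prod-docker', description: 'Outdated "libssl" with known CVE', infected_components: ['deb://debian:buster:libssl1.1:1.1.1d-0', 'docker://app:1.2'] },
  { created: '2020-02-27T11:00:00Z', severity: 'Low', type: 'license', watch_name: 'prod-docker', description: 'GPL-3.0, not allowed', infected_components: ['npm://left-pad:1.3.0'] },
  { created: '2020-02-27T12:00:00Z', severity: 'Medium', type: 'security', watch_name: 'prod-docker', description: 'Multi\nline note', infected_components: [] },
];
function fakeSend(req) {
  const { limit, offset } = req.body.pagination;
  return { total_violations: SAMPLE.length, violations: SAMPLE.slice((offset - 1) * limit, offset * limit) };
}
console.log(exportViolations({ BASE_URL: 'xray.example:8000/xray', XRAY_USER: 'u', XRAY_PASS: 'p', MIN_SEVERITY: 'Low', VIO_LIMIT: '2500' }, fakeSend, 2));
```

In the container you would replace `fakeSend` with a real HTTP POST and write the returned string into the mounted /home/node/app/xray-csv directory.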

Be safe and happy!
