### Install and Build Provider
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/CONTRIBUTIONS.md
Run `make install` to compile the provider and install it locally. This command bumps the minor version but does not create a new tag.
```bash
make install
```
--------------------------------
### Generate Documentation
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/CONTRIBUTIONS.md
After making changes to resource schemas, install `tfplugindocs` and run `make doc` to regenerate the project documentation.
```bash
make doc
```
--------------------------------
### Terraform Import Example
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/resources/custom_curation_condition.md
Demonstrates how to import an existing custom curation condition into Terraform management using its ID.
```bash
terraform import xray_custom_curation_condition.cvss_condition 29
```
--------------------------------
### Example Usage of xray_binary_manager_release_bundles_v2
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/resources/binary_manager_release_bundles_v2.md
Configure Release Bundles V2 for indexing. Specify the binary manager ID and a list of release bundles to be indexed. Currently, Ant-style path patterns are not supported.
```terraform
resource "xray_binary_manager_release_bundles_v2" "my-indexed-release-bundles" {
id = "default"
indexed_release_bundle_v2 = ["my-release-bundle-1", "my-release-bundle-2"]
}
```
--------------------------------
### Create a licenses report for builds with patterns
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/resources/licenses_report.md
This example demonstrates creating a licenses report for builds, filtering by component, artifact, license patterns, and scan date. It also shows how to include or exclude build patterns and specify the number of latest versions.
```terraform
resource "xray_licenses_report" "build-report" {
name = "build-licenses-report"
resources {
builds {
include_patterns = ["build-*", "release-*"]
exclude_patterns = ["test-*", "dev-*"]
number_of_latest_versions = 5
}
}
filters {
component = "*node*"
artifact = "*web-app*"
unknown = false
unrecognized = false
license_patterns = ["*GPL*", "*MIT*"]
scan_date {
start = "2023-01-01T00:00:00Z"
end = "2023-12-31T23:59:59Z"
}
}
}
```
--------------------------------
### Get GNU sed Info on macOS
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/CONTRIBUTIONS.md
After installing `gnu-sed` with brew on macOS, use `brew info gnu-sed` to get installation details and instructions for adding it to your PATH.
```bash
$ brew info gnu-sed
```
--------------------------------
### Create an Ignore Rule for a Release Bundle V2
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/resources/ignore_rule.md
This example demonstrates ignoring CVEs and vulnerabilities for a release bundle using the V2 naming convention. Ensure the name follows the `releaseBundleV2://` format.
```terraform
resource "xray_ignore_rule" "ignore-rule-2590577" {
notes = "notes"
expiration_date = "2026-04-06"
cves = ["any"]
vulnerabilities = ["any"]
release_bundles_v2 {
name = "releaseBundleV2://fake-name"
version = "fake-version"
}
}
```
--------------------------------
### Example Usage of JFrog Xray Provider
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/index.md
This is a basic example of how to configure and use the JFrog Xray provider in Terraform. Ensure you have the necessary credentials set up.
```terraform
provider "xray" {
# Configuration options like server_url, username, password, etc.
# See the provider documentation for available configuration arguments.
}
```
--------------------------------
### Create a vulnerabilities report for release bundles
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/resources/vulnerabilities_report.md
This example demonstrates how to create an automated vulnerabilities report for release bundles. It includes configuration for the report name, cron schedule, email recipients, and specifies the release bundles to be included. Advanced filters are applied to narrow down the report to vulnerable components matching '*maven*' and impacted artifacts matching '*core*', with a CVSS score between 8.0 and 10.0, published and scanned within 2023, and specific contextual analysis and runtime filters.
```APIDOC
## Resource: xray_vulnerabilities_report
### Description
Creates a vulnerabilities report for release bundles with automated generation and advanced filtering.
### Schema
#### Required
- `name` (String) - Name of the report.
#### Optional
- `cron_schedule` (String) - Schedule for automated report generation. Format: 'minute hour day-of-month month day-of-week'. Requires Xray 3.130.0 or higher.
- `cron_schedule_timezone` (String) - Timezone for cron schedule. Requires Xray 3.130.0 or higher. Only used when `cron_schedule` is set.
- `emails` (Set of String) - List of email addresses to notify when report generation is complete. Requires Xray 3.130.0 or higher.
- `filters` (Block Set) - Advanced filters. (see [nested schema](#nestedblock--filters))
- `project_key` (String) - Project key for assigning this resource to.
- `resources` (Block Set) - The list of resources to include into the report. (see [nested schema](#nestedblock--resources))
#### Read-Only
- `id` (String) - The ID of this resource.
- `report_id` (Number) - Report ID
### Nested Schema for `filters`
#### Optional
- `ca_filter` (Block Set) - Contextual Analysis Filter. Requires Xray 3.130.0 or higher. (see [nested schema](#nestedblock--filters--ca_filter))
- `cve` (String) - CVE.
- `cvss_score` (Block Set) - CVSS score. (see [nested schema](#nestedblock--filters--cvss_score))
- `has_remediation` (Boolean) - Whether the issue has a fix or not.
- `impacted_artifact` (String) - Filter by artifact name, supports wildcards.
- `issue_id` (String) - Issue ID.
- `published` (Block Set) - (see [nested schema](#nestedblock--filters--published))
- `runtime_filter` (Block Set) - Runtime Filter. Requires Xray 3.130.0 or higher. (see [nested schema](#nestedblock--filters--runtime_filter))
- `scan_date` (Block Set) - (see [nested schema](#nestedblock--filters--scan_date))
- `severities` (Set of String) - Severity levels. Allowed values: 'Low', 'Medium', 'High', 'Critical'
- `vulnerable_component` (String) - Filter by component name, supports wildcards.
### Nested Schema for `filters.ca_filter`
#### Optional
- `allowed_ca_statuses` (Set of String) - Allowed CA statuses.
### Nested Schema for `filters.cvss_score`
#### Optional
- `max_score` (Number) - Maximum CVSS score.
- `min_score` (Number) - Minimum CVSS score.
### Nested Schema for `filters.published`
#### Optional
- `end` (String) - Published to date.
- `start` (String) - Published from date.
### Nested Schema for `filters.runtime_filter`
#### Optional
- `time_period` (String) - Time period to filter by.
### Nested Schema for `filters.scan_date`
#### Optional
- `end` (String) - Scanned to date.
- `start` (String) - Scanned from date.
### Nested Schema for `resources`
#### Optional
- `release_bundles` (Block Set) - (see [nested schema](#nestedblock--resources--release_bundles))
### Nested Schema for `resources.release_bundles`
#### Optional
- `names` (Set of String) - List of release bundle names.
- `number_of_latest_versions` (Number) - Number of latest versions to include.
```
--------------------------------
### Create a malicious violations report for release bundles with weekly schedule
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/resources/violations_report.md
This example shows how to configure a weekly automated malicious violations report for release bundles, including specific filters and email notifications.
```APIDOC
## xray_violations_report malicious-report
### Description
Creates an automated malicious violations report for specified release bundles.
### Schema
#### Required
- `name` (String) Name of the report.
#### Optional
- `cron_schedule` (String) Schedule for automated report generation (e.g., '45 12 * * FRI'). Requires Xray 3.130.0+.
- `cron_schedule_timezone` (String) Timezone for cron schedule (e.g., 'UTC'). Requires Xray 3.130.0+.
- `emails` (Set of String) List of email addresses to notify (e.g., ['security-alerts@example.com']). Requires Xray 3.130.0+.
- `resources` (Block Set) The list of resources to include in the report.
- `release_bundles` (Block Set)
- `names` (Set of String) List of release bundle names (e.g., ['release-1', 'release-2']).
- `number_of_latest_versions` (Number) Number of latest versions to consider.
- `filters` (Block Set) Advanced filters for the report.
- `type` (String) Type of filter (e.g., 'malicious').
- `watch_names` (Set of String) List of watch names (e.g., ['malware-watch']).
- `policy_names` (Set of String) List of policy names (e.g., ['malware-policy']).
- `component` (String) Component pattern (e.g., '*npm*').
- `artifact` (String) Artifact pattern (e.g., '*package*').
- `violation_status` (String) Violation status (e.g., 'Active').
- `severities` (Set of String) List of severities (e.g., ['Critical']).
- `ca_filter` (Block Set) Contextual Analysis Filter. Requires Xray 3.130.0+.
- `allowed_ca_statuses` (Set of String) List of allowed CA statuses (e.g., ['applicable', 'not_scanned']).
- `runtime_filter` (Block Set) Runtime Filter. Requires Xray 3.130.0+.
- `time_period` (String) Time period for runtime analysis (e.g., '3 days').
- `updated` (Block Set)
- `start` (String) Start date for updates (e.g., '2023-01-01T00:00:00Z').
- `end` (String) End date for updates (e.g., '2023-12-31T23:59:59Z').
#### Read-Only
- `id` (String) The ID of this resource.
- `report_id` (Number) Report ID
```
--------------------------------
### Create an operational risks report for builds with patterns
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/resources/operational_risks_report.md
This example demonstrates creating an operational risks report for builds using include and exclude patterns. It also allows specifying the number of latest versions to consider and filtering by component, artifact, risk level, and scan date.
```terraform
resource "xray_operational_risks_report" "build-report" {
name = "build-operational-risks-report"
resources {
builds {
include_patterns = ["build-*", "release-*"]
exclude_patterns = ["test-*", "dev-*"]
number_of_latest_versions = 5
}
}
filters {
component = "*node*"
artifact = "*web-app*"
risks = ["Critical", "High"]
scan_date {
start = "2023-01-01T00:00:00Z"
end = "2023-12-31T23:59:59Z"
}
}
}
```
--------------------------------
### Create an Ignore Rule for a Specific Build
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/resources/ignore_rule.md
This example demonstrates how to create an ignore rule that applies to a specific build, identified by its name and version. It also includes ignoring any vulnerabilities.
```terraform
resource "xray_ignore_rule" "ignore-rule-2195938" {
notes = "notes"
expiration_date = "2026-10-19"
vulnerabilities = ["any"]
build {
name = "name"
version = "version"
}
}
```
--------------------------------
### Create Operational Risk Policy with Custom Criteria
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/resources/operational_risk_policy.md
This example demonstrates creating an operational risk policy with custom criteria, including conditions like release date, cadence, and commit counts. Configure actions like failing builds or blocking downloads as required.
```terraform
resource "xray_operational_risk_policy" "custom_criteria" {
name = "test-operational-risk-policy-custom-criteria"
description = "Operational Risk policy with a custom risk rule"
type = "operational_risk"
project_key = "testproj"
rule {
name = "op_risk_custom_rule"
priority = 1
criteria {
op_risk_custom {
use_and_condition = true
is_eol = false
release_date_greater_than_months = 6
newer_versions_greater_than = 1
release_cadence_per_year_less_than = 1
commits_less_than = 10
committers_less_than = 1
risk = "Medium"
}
}
actions {
webhooks = ["sec-webhooks"]
mails = ["test@email.com"]
block_release_bundle_distribution = false
fail_build = true
notify_watch_recipients = true
notify_deployer = true
create_ticket_enabled = false // set to true only if Jira integration is enabled
fail_pull_request = true
build_failure_grace_period_in_days = 5 // use only if fail_build is enabled
block_download {
unscanned = true
active = true
}
}
}
}
```
--------------------------------
### Create License Violations Report
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/resources/violations_report.md
Example of creating a license violations report for builds. Configurable with cron scheduling, email notifications, resource selection (builds with version limits), and specific license filters. Requires Xray 3.130.0 or higher for advanced features.
```terraform
resource "xray_violations_report" "license-report" {
name = "license-violations-report"
# Automated report generation (requires Xray 3.130.0 or higher)
cron_schedule = "00 23 * * SUN" # requires Xray 3.130.0 or higher
cron_schedule_timezone = "Europe/London" # requires Xray 3.130.0 or higher
emails = ["legal-team@example.com", "compliance@example.com"] # requires Xray 3.130.0 or higher
resources {
builds {
names = ["build-1", "build-2"]
number_of_latest_versions = 5
}
}
filters {
type = "license"
watch_patterns = ["license-watch-*"]
policy_names = ["license-policy"]
component = "*commons*"
artifact = "*utils*"
violation_status = "Active"
severities = ["High"]
# Contextual Analysis Filter (requires Xray 3.130.0 or higher)
ca_filter {
allowed_ca_statuses = [
"applicable",
"technology_unsupported",
"upgrade_required"
]
}
# Runtime Filter (requires Xray 3.130.0 or higher)
runtime_filter {
time_period = "30 days"
}
license_filters {
unknown = true
license_names = ["GPL-2.0", "AGPL-3.0"]
}
updated {
start = "2023-01-01T00:00:00Z"
end = "2023-12-31T23:59:59Z"
}
}
}
```
--------------------------------
### Create Security Violations Report
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/resources/violations_report.md
Example of creating a security violations report for repositories. Includes configuration for cron scheduling, email notifications, resource selection (repositories with path patterns), and detailed security filters. Requires Xray 3.130.0 or higher for advanced features like cron scheduling and contextual analysis.
```terraform
resource "xray_violations_report" "security-report" {
name = "security-violations-report"
cron_schedule = "30 09 * * MON" # requires Xray 3.130.0 or higher
cron_schedule_timezone = "America/New_York" # requires Xray 3.130.0 or higher
emails = ["security-team@example.com", "devops@example.com"] # requires Xray 3.130.0 or higher
resources {
repository {
name = "docker-local"
include_path_patterns = ["folder1/path/*", "folder2/path*"]
exclude_path_patterns = ["folder1/path2/*", "folder2/path2*"]
}
repository {
name = "libs-release-local"
include_path_patterns = ["**/*.jar", "**/*.war"]
}
}
filters {
type = "security"
watch_names = ["security-watch"]
policy_names = ["security-policy"]
component = "*log4j*"
artifact = "*spring*"
violation_status = "Active"
severities = ["Critical", "High", "Medium"]
# Contextual Analysis Filter (requires Xray 3.130.0 or higher)
ca_filter {
allowed_ca_statuses = [
"applicable",
"not_applicable",
"undetermined",
"not_scanned"
]
}
# Runtime Filter (requires Xray 3.130.0 or higher)
runtime_filter {
time_period = "7 days"
}
security_filters {
issue_id = "XRAY-87343"
summary_contains = "remote code execution"
has_remediation = true
cvss_score {
min_score = 7.0
max_score = 10.0
}
published {
start = "2023-01-01T00:00:00Z"
end = "2023-12-31T23:59:59Z"
}
}
updated {
start = "2023-01-01T00:00:00Z"
end = "2023-12-31T23:59:59Z"
}
}
}
```
--------------------------------
### Terraform Xray Provider Configuration
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/README.md
Example of how to configure the JFrog Xray provider in a Terraform setup. Ensure you also configure the Artifactory resource.
```hcl
terraform {
required_providers {
xray = {
source = "jfrog/xray"
version = "~> 1.0"
}
}
}
provider "xray" {
# Your Xray configuration details here
# e.g., url = "https://your-xray-instance.com"
# client_id = "your_client_id"
# client_secret = "your_client_secret"
}
resource "artifactory_user_plugin_key" "xray_license" {
# Artifactory resource configuration
}
```
--------------------------------
### Import Binary Manager Repositories
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/resources/binary_manager_repos.md
Import an existing Xray Binary Manager Repository Indexing configuration. The 'default' ID is used for the binary manager, and an optional project key can be appended for project-scoped configurations.
```shell
terraform import xray_binary_manager_repos.my-indexed-repos default
```
```shell
terraform import xray_binary_manager_repos.my-indexed-repos default:my-project-key
```
--------------------------------
### CVEName - Block specific CVE vulnerabilities
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/resources/custom_curation_condition.md
This example demonstrates how to create a custom curation condition to block specific CVE vulnerabilities by their name.
```APIDOC
## xray_custom_curation_condition CVEName
### Description
Creates a custom curation condition to block vulnerabilities based on a specific CVE name.
### Parameters
#### Path Parameters
- None
#### Query Parameters
- None
#### Request Body
- **name** (string) - Required - The name of the custom curation condition.
- **condition_template_id** (string) - Required - The ID of the condition template, should be 'CVEName'.
- **param_values** (json) - Required - A JSON array of parameter values for the condition.
- **param_id** (string) - Required - The ID of the parameter, should be 'cve_name'.
- **value** (string) - Required - The CVE name to block (e.g., "CVE-2021-45105").
### Request Example
```terraform
resource "xray_custom_curation_condition" "cve_name_condition" {
name = "block-log4j-cve"
condition_template_id = "CVEName"
param_values = jsonencode([
{
param_id = "cve_name"
value = "CVE-2021-45105"
}
])
}
```
### Response
#### Success Response (200)
- **id** (string) - The ID of the created custom curation condition.
- **name** (string) - The name of the custom curation condition.
- **condition_template_id** (string) - The ID of the condition template.
- **param_values** (json) - The parameter values for the condition.
#### Response Example
```json
{
"id": "123e4567-e89b-12d3-a456-426614174000",
"name": "block-log4j-cve",
"condition_template_id": "CVEName",
"param_values": [
{
"param_id": "cve_name",
"value": "CVE-2021-45105"
}
]
}
```
```
--------------------------------
### Import Xray Binary Manager Builds Configuration
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/resources/binary_manager_builds.md
Demonstrates how to import an existing Xray Binary Manager Builds configuration into Terraform state. The import command requires the resource name and the target ID, optionally including a project key.
```bash
terraform import xray_binary_manager_builds.my-indexed-builds default
```
```bash
terraform import xray_binary_manager_builds.my-indexed-builds default:my-project-key
```
```bash
terraform import xray_binary_manager_builds.my-builds my-builds
```
--------------------------------
### Get Artifacts Scanned by Xray
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/data-sources/artifacts_scan.md
Use this data source to fetch a list of artifacts scanned by Xray for a given repository. You can specify sorting order and offset for pagination.
```terraform
data "xray_artifacts_scan" "my_artifacts_scan" {
repo = "my-docker-local"
order_by = "repo_path"
offset = 15
}
output "my_artifacts_scan" {
value = data.xray_artifacts_scan.my_artifacts_scan.results
}
```
--------------------------------
### Create a SpecificVersions Condition with Equals Operator
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/resources/custom_curation_condition.md
Configure a condition to block exact versions of a specific package. This example targets precise vulnerable versions of Maven's log4j-core.
```terraform
resource "xray_custom_curation_condition" "specific_versions_equals" {
name = "block-vulnerable-log4j-versions"
condition_template_id = "SpecificVersions"
param_values = jsonencode([
{
param_id = "package_type"
value = "Maven"
},
{
param_id = "package_name"
value = "log4j-core"
},
{
param_id = "package_versions"
value = {
equals = ["2.14.0", "2.15.0", "2.16.0"] # Exact vulnerable versions
}
}
])
}
```
--------------------------------
### Create an Xray License Policy (Allowed Licenses)
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/index.md
Configure a license policy to allow specific licenses, such as Apache-1.0 and Apache-2.0. This policy can be set to permissive for multiple licenses and can trigger build failures.
```hcl
resource "xray_license_policy" "license1" {
name = "test-license-policy-allowed-${random_id.randid.dec}"
description = "License policy, allow certain licenses"
type = "license"
rule {
name = "License_rule"
priority = 1
criteria {
allowed_licenses = ["Apache-1.0", "Apache-2.0"]
allow_unknown = false
multi_license_permissive = true
}
actions {
webhooks = ["xraywebhooks${random_id.randid.dec}"]
mails = ["test@email.com"]
block_release_bundle_distribution = false
fail_build = true
notify_watch_recipients = true
notify_deployer = true
create_ticket_enabled = false // set to true only if Jira integration is enabled
fail_pull_request = false
custom_severity = "High"
build_failure_grace_period_in_days = 5 // use only if fail_build is enabled
block_download {
unscanned = true
active = true
}
}
}
}
```
--------------------------------
### Create an Ignore Rule for a Specific Artifact
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/resources/ignore_rule.md
This example shows how to create an ignore rule for a specific artifact, including its name, version, and path. Ensure the artifact path ends with a '/'.
```terraform
resource "xray_ignore_rule" "ignore-111" {
notes = "fake notes"
expiration_date = "2026-01-02"
vulnerabilities = ["any"]
artifact {
name = "fake-name"
version = "fake-version"
path = "invalid-path/"
}
}
```
--------------------------------
### Create a Gradle Local Repository
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/README.md
Sets up a local Gradle repository in Artifactory with specific checksum policies, snapshot handling, and release/snapshot management. Enable `xray_index` for Xray integration.
```hcl
resource "artifactory_local_gradle_repository" "local-gradle-repo" {
key = "local-gradle-repo-basic"
checksum_policy_type = "client-checksums"
snapshot_version_behavior = "unique"
max_unique_snapshots = 10
handle_releases = true
handle_snapshots = true
suppress_pom_consistency_checks = true
xray_index = true # must be set to true to be able to assign the watch to the repo
}
```
--------------------------------
### Create an operational risk violations report for projects with daily updates
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/resources/violations_report.md
This example demonstrates how to create an automated operational risk violations report for specific projects, with daily generation and email notifications.
```APIDOC
## xray_violations_report operational-risk-report
### Description
Creates an automated operational risk violations report for specified projects.
### Schema
#### Required
- `name` (String) Name of the report.
#### Optional
- `cron_schedule` (String) Schedule for automated report generation (e.g., '15 06 * * *'). Requires Xray 3.130.0+.
- `cron_schedule_timezone` (String) Timezone for cron schedule (e.g., 'Asia/Tokyo'). Requires Xray 3.130.0+.
- `emails` (Set of String) List of email addresses to notify (e.g., ['ops-team@example.com']). Requires Xray 3.130.0+.
- `resources` (Block Set) The list of resources to include in the report.
- `projects` (Block Set)
- `keys` (Set of String) List of project keys (e.g., ['project-1', 'project-2']).
- `number_of_latest_versions` (Number) Number of latest versions to consider.
- `filters` (Block Set) Advanced filters for the report.
- `type` (String) Type of filter (e.g., 'operational_risk').
- `watch_names` (Set of String) List of watch names (e.g., ['ops-risk-watch']).
- `policy_names` (Set of String) List of policy names (e.g., ['ops-risk-policy']).
- `component` (String) Component pattern (e.g., '*node*').
- `artifact` (String) Artifact pattern (e.g., '*web-app*').
- `violation_status` (String) Violation status (e.g., 'Active').
- `severities` (Set of String) List of severities (e.g., ['Critical', 'High', 'Medium']).
- `ca_filter` (Block Set) Contextual Analysis Filter. Requires Xray 3.130.0+.
- `allowed_ca_statuses` (Set of String) List of allowed CA statuses (e.g., ['applicable']).
- `runtime_filter` (Block Set) Runtime Filter. Requires Xray 3.130.0+.
- `time_period` (String) Time period for runtime analysis (e.g., '24 hours').
- `updated` (Block Set)
- `start` (String) Start date for updates (e.g., '2023-01-01T00:00:00Z').
- `end` (String) End date for updates (e.g., '2023-12-31T23:59:59Z').
#### Read-Only
- `id` (String) The ID of this resource.
- `report_id` (Number) Report ID
```
--------------------------------
### Xray Repository Configuration (Basic)
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/index.md
Configures basic Xray settings for a repository, including JIT scanning and vulnerability analysis.
```APIDOC
## xray_repository_config xray-repo-config
### Description
Configures basic Xray settings for a repository, enabling Just-in-Time (JIT) scanning and vulnerability contextual analysis.
### Parameters
#### Path Parameters
None
#### Query Parameters
None
#### Request Body
- **repo_name** (string) - Required - The name of the repository.
- **jas_enabled** (bool) - Optional - Enables Just-in-Time (JIT) scanning.
- **config** (object) - Optional - Configuration block for vulnerability analysis and retention.
- **vuln_contextual_analysis** (bool) - Optional - Enables contextual vulnerability analysis.
- **retention_in_days** (number) - Optional - The number of days to retain scan data.
- **exposures** (object) - Optional - Configuration for security exposures.
- **scanners_category** (object) - Optional - Configuration for specific scanner categories.
- **secrets** (bool) - Optional - Enables secret scanning.
### Request Example
```hcl
resource "xray_repository_config" "xray-repo-config" {
repo_name = "example-repo-local"
jas_enabled = true
config {
vuln_contextual_analysis = true
retention_in_days = 90
exposures {
scanners_category {
secrets = true
}
}
}
}
```
### Response
None explicitly documented.
```
--------------------------------
### Importing xray_binary_manager_release_bundles_v2 Resource
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/resources/binary_manager_release_bundles_v2.md
Import an existing Release Bundles V2 indexing configuration. The import command supports specifying the binary manager ID and optionally a project key.
```shell
terraform import xray_binary_manager_release_bundles_v2.my-indexed-release-bundles default
```
```shell
terraform import xray_binary_manager_release_bundles_v2.my-indexed-release-bundles default:my-project-key
```
--------------------------------
### Create a SpecificVersions Condition with Version Ranges
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/resources/custom_curation_condition.md
Configure a condition to block packages within specified version ranges. This example targets the PyPI 'requests' package across multiple defined ranges.
```terraform
resource "xray_custom_curation_condition" "specific_versions_ranges" {
name = "block-vulnerable-requests-ranges"
condition_template_id = "SpecificVersions"
param_values = jsonencode([
{
param_id = "package_type"
value = "PyPI"
},
{
param_id = "package_name"
value = "requests"
},
{
param_id = "package_versions"
value = {
ranges = [
{"gte" = "2.0.0", "lte" = "2.19.0"}, # Range 2.0.0 to 2.19.0
{"gt" = "2.25.0", "lt" = "2.27.0"} # Range 2.25.0 to 2.27.0 (exclusive)
]
}
}
])
}
```
--------------------------------
### Create an Xray Watch for All Projects with Filters
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/resources/watch.md
Configures a watch for all projects, incorporating Ant patterns to include or exclude specific artifacts. This allows for fine-grained control over what is monitored.
```hcl
resource "xray_watch" "all-projects-with-filters" {
name = "projects-watch"
description = "Watch all the projects with Ant patterns filter"
active = true
project_key = "testproj"
watch_resource {
type = "all-projects"
bin_mgr_id = "default"
ant_filter {
exclude_patterns = ["a*", "b*"]
include_patterns = ["ab*"]
}
}
assigned_policy {
name = xray_security_policy.min_severity.name
type = "security"
}
assigned_policy {
name = xray_license_policy.cvss_range.name
type = "license"
}
assigned_policy {
name = xray_operational_risk_policy.op_risk.name
type = "operational_risk"
}
watch_recipients = ["test@email.com", "test1@email.com"]
}
```
--------------------------------
### Create an exposures report for release bundles with IaC category
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/resources/exposures_report.md
Generate an IaC exposure report for release bundles. This example demonstrates filtering by impacted artifact and a specific scan date range.
```terraform
resource "xray_exposures_report" "iac-report" {
name = "iac-exposure-report"
resources {
release_bundles {
names = ["release-1", "release-2"]
number_of_latest_versions = 2
}
}
filters {
category = "iac"
impacted_artifact = "*terraform*"
scan_date {
start = "2023-01-01T00:00:00Z"
end = "2023-12-31T23:59:59Z"
}
}
}
```
--------------------------------
### Initialize Xray Provider
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/index.md
Configure the Xray provider with your Artifactory URL and an access token. Environment variables can also be used for configuration. The `skip_xray_version_check` can be set to `true` to bypass version validation.
```hcl
provider "xray" {
url = "artifactory.site.com/xray"
access_token = "abc..xy"
//optional: Skip xray version check, default is false.
//skip_xray_version_check = true
// Also user can supply the following env vars:
// JFROG_URL or XRAY_URL
// XRAY_ACCESS_TOKEN or JFROG_ACCESS_TOKEN
// Optional: Skip version check, default is false.
// SKIP_XRAY_VERSION_CHECK = true
}
```
--------------------------------
### Configure Xray Basic Settings
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/resources/settings.md
Use this snippet to configure the basic settings for Xray, including enabling/disabling features, setting timeouts for artifact scanning, and specifying the DB sync update time. Ensure `enabled` is true when `allow_blocked` or `allow_when_unavailable` are set to true.
```terraform
resource "xray_settings" "db_sync" {
enabled = true
allow_blocked = true
allow_when_unavailable = true
block_unscanned_timeout = 120
block_unfinished_scans_timeout = 3600
db_sync_updates_time = "18:40"
}
```
--------------------------------
### Create a SpecificVersions Condition with Comparison Operators
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/resources/custom_curation_condition.md
Define a condition to block packages based on version comparison operators (less than, greater than, etc.). This example blocks outdated or specific ranges of the npm lodash package.
```terraform
resource "xray_custom_curation_condition" "specific_versions_comparison" {
name = "block-outdated-lodash"
condition_template_id = "SpecificVersions"
param_values = jsonencode([
{
param_id = "package_type"
value = "npm"
},
{
param_id = "package_name"
value = "lodash"
},
{
param_id = "package_versions"
value = {
lte = ["4.17.20"] # Less than or equal to 4.17.20
gte = ["5.0.0"]
lt = ["3.0.0"]
gt = ["6.0.0"]
}
}
])
}
```
--------------------------------
### Run Acceptance Tests
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/CONTRIBUTIONS.md
Execute `make acceptance` to run the acceptance tests for the JFrog Terraform Provider.
```bash
make acceptance
```
--------------------------------
### SpecificVersions - Block or allow specific package versions
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/resources/custom_curation_condition.md
This example demonstrates how to create a custom curation condition to block or allow specific package versions using various matching criteria like exact versions, comparison operators, and version ranges.
```APIDOC
## xray_custom_curation_condition SpecificVersions
### Description
Creates a custom curation condition to block or allow specific package versions based on package type, name, and version matching criteria.
### Parameters
#### Path Parameters
- None
#### Query Parameters
- None
#### Request Body
- **name** (string) - Required - The name of the custom curation condition.
- **condition_template_id** (string) - Required - The ID of the condition template, should be 'SpecificVersions'.
- **param_values** (json) - Required - A JSON array of parameter values for the condition.
- **param_id** (string) - Required - The ID of the parameter.
- **value** (any) - Required - The value for the parameter.
- For `package_type`: The type of the package (e.g., "Maven", "npm", "PyPI").
- For `package_name`: The name of the package.
- For `package_versions`: An object defining the version matching criteria. This can include:
- `equals` (list of strings): Exact versions to match.
- `lte` (string): Less than or equal to a specific version.
- `gte` (string): Greater than or equal to a specific version.
- `lt` (string): Less than a specific version.
- `gt` (string): Greater than a specific version.
- `ranges` (list of objects): A list of version ranges, where each object can have `gte` and `lte` (inclusive) or `gt` and `lt` (exclusive) keys.
### Request Example
```terraform
# SpecificVersions with equals operator
resource "xray_custom_curation_condition" "specific_versions_equals" {
name = "block-vulnerable-log4j-versions"
condition_template_id = "SpecificVersions"
param_values = jsonencode([
{
param_id = "package_type"
value = "Maven"
},
{
param_id = "package_name"
value = "log4j-core"
},
{
param_id = "package_versions"
value = {
equals = ["2.14.0", "2.15.0", "2.16.0"] # Exact vulnerable versions
}
}
])
}
# SpecificVersions with comparison operators
resource "xray_custom_curation_condition" "specific_versions_comparison" {
name = "block-outdated-lodash"
condition_template_id = "SpecificVersions"
param_values = jsonencode([
{
param_id = "package_type"
value = "npm"
},
{
param_id = "package_name"
value = "lodash"
},
{
param_id = "package_versions"
value = {
lte = ["4.17.20"] # Less than or equal to 4.17.20
gte = ["5.0.0"] # Greater than or equal to 5.0.0
lt = ["3.0.0"] # Less than 3.0.0
gt = ["6.0.0"] # Greater than 6.0.0
}
}
])
}
# SpecificVersions with ranges
resource "xray_custom_curation_condition" "specific_versions_ranges" {
name = "block-vulnerable-requests-ranges"
condition_template_id = "SpecificVersions"
param_values = jsonencode([
{
param_id = "package_type"
value = "PyPI"
},
{
param_id = "package_name"
value = "requests"
},
{
param_id = "package_versions"
value = {
ranges = [
{"gte" = "2.0.0", "lte" = "2.19.0"}, # Range 2.0.0 to 2.19.0
{"gt" = "2.25.0", "lt" = "2.27.0"} # Range 2.25.0 to 2.27.0 (exclusive)
]
}
}
])
}
```
### Response
#### Success Response (200)
- **id** (string) - The ID of the created custom curation condition.
- **name** (string) - The name of the custom curation condition.
- **condition_template_id** (string) - The ID of the condition template.
- **param_values** (json) - The parameter values for the condition.
#### Response Example
```json
{
"id": "123e4567-e89b-12d3-a456-426614174002",
"name": "block-vulnerable-log4j-versions",
"condition_template_id": "SpecificVersions",
"param_values": [
{
"param_id": "package_type",
"value": "Maven"
},
{
"param_id": "package_name",
"value": "log4j-core"
},
{
"param_id": "package_versions",
"value": {
"equals": ["2.14.0", "2.15.0", "2.16.0"]
}
}
]
}
```
```
--------------------------------
### Configure an Xray Watch for All Repositories
Source: https://github.com/jfrog/terraform-provider-xray/blob/main/docs/index.md
Use this configuration to create a watch that monitors all repositories. It includes filters for package type and applies security and license policies.
```terraform
resource "xray_watch" "all-repos" {
name = "all-repos-watch-${random_id.randid.dec}"
description = "Watch for all repositories, matching the filter"
active = true
watch_resource {
type = "all-repos"
filter {
type = "regex"
value = ".*"
}
filter {
type = "package-type"
value = "Docker"
}
}
assigned_policy {
name = xray_security_policy.security1.name
type = "security"
}
assigned_policy {
name = xray_license_policy.license1.name
type = "license"
}
watch_recipients = ["test@email.com", "test1@email.com"]
}
```