Description:
I’m currently unable to run jf build-scan because the builds must be indexed by Xray beforehand.
According to the documentation:
https://docs.jfrog.com/security/reference/update-builds-indexing-configuration
Indexing builds via the provided API requires admin-level permissions. Due to project constraints, I cannot grant admin privileges to the OIDC-mapped role used by my GitHub Actions workflows.
Current Workflow:
- I have a publish workflow that enables teams to push artifacts and build information to JFrog.
- Ideally, builds should be indexed within the same workflow, so they are immediately eligible for scanning.
Problem:
Because of the admin permission requirement:
- The workflow cannot perform indexing directly.
- Teams are forced to pre-configure indexing using the Terraform resource: jfrog_xray_binary_manager_builds
This introduces challenges:
- Teams must create or update the Terraform resource each time a new build/artifact is introduced.
- This adds operational overhead and may not be scalable or practical in dynamic CI/CD environments.
- It is unclear whether this is the recommended or optimal approach.
Alternative Consideration:
One potential workaround is to enable wildcard-based indexing (e.g., */**), making all builds scannable by default.
This could be configured:
- One time via the UI (by an admin), or
- Via the jfrog_xray_binary_manager_builds Terraform resource
However:
- The Terraform resource currently does not support Ant-style path patterns (*, **, ?), likely due to API limitations.
- It is unclear whether globally enabling indexing for all builds has any unintended consequences (e.g., performance, cost, or security implications).
Request for Guidance:
Could you please advise on the following:
- What is the recommended approach for enabling build indexing in environments where admin permissions cannot be granted to CI/CD roles?
- Is wildcard/global indexing a safe and supported solution in production environments?
- Are there any alternative patterns or best practices to streamline indexing without introducing Terraform dependency per build?
- Is there any plan to support wildcard patterns in the Terraform resource or API?
Any guidance or recommended best practices would be greatly appreciated.
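One way to cut the per-build Terraform churn described above, as an added example that is not part of the original post or of JFrog's own docs: keep a single, admin-owned resource fed by a per-team variable, so teams append a build name to a list instead of creating a new resource each time. Assumed: the resource accepts id, project_key and indexed_builds as in the jfrog/xray provider's xray_binary_manager_builds resource (verify against your provider version); the team and build names are constructed sample values.

```hcl
terraform {
  required_providers {
    xray = {
      source = "jfrog/xray"
    }
  }
}

# Teams edit only this map (e.g. via a small PR); nobody touches the resource below.
# Values are constructed sample build names.
variable "indexed_builds" {
  description = "Build names each team wants Xray to index, keyed by team."
  type        = map(set(string))
  default = {
    payments = ["payments-api", "payments-worker"]
    web      = ["web-frontend"]
  }
}

variable "project_key" {
  description = "JFrog project the builds belong to; leave null for the global scope."
  type        = string
  default     = null
}

locals {
  # Flatten the per-team sets into one set so a single resource owns the
  # indexing configuration and the admin-level API call happens only here,
  # in the Terraform pipeline, never in the teams' CI workflows.
  all_builds = toset(flatten([for b in values(var.indexed_builds) : tolist(b)]))
}

# Attribute names are assumed from the jfrog/xray provider's
# xray_binary_manager_builds resource; id "default" is the default binary manager.
resource "jfrog_xray_binary_manager_builds" "default" {
  id             = "default"
  project_key    = var.project_key
  indexed_builds = local.all_builds
}

output "indexed_builds" {
  value = local.all_builds
}
```

This still needs admin credentials for the Terraform run itself, so it separates the privileged indexing step from the OIDC-mapped CI role rather than removing the requirement; the resource also still lists exact names, since Ant-style patterns are not accepted there.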