Migration arc
From Xray to Chainsaw in 90 days. Artifactory keeps running.
Storage, identity, build promotion, replication — untouched. The install-path policy surface moves to Chainsaw on a ladder, one watch and one business unit at a time. Any week, any BU rolls back with a single Rego edit.
Scope
What gets touched. What does not.
Touched
- Install-path routing in front of Artifactory.
- Xray watches (mirrored, then laddered off).
- Xray policies (re-expressed in Rego).
- K8s Gatekeeper / OPA policies for package admission.
- CI policy gates that today call Xray.
Not touched
- Artifactory storage layer.
- Artifact identity and namespacing.
- Build promotion workflow.
- Replication and JFrog Distribution edges.
- Existing webhook destinations.
90-day arc
Week-by-week
| Phase | Xray (existing policy surface) | Chainsaw (install-path refusal) |
|---|---|---|
| Week 1–2 · Monitor in front of one BU. Chainsaw deployed in front of Artifactory for a single business unit, in monitor mode. Mirrors one existing Xray watch: same packages, same policy intent. | Xray enforce | Chainsaw monitor (mirrored watch) |
| Week 3–4 · Side-by-side decision diff. Dashboard surfaces per-package verdicts from Xray and Chainsaw. False positives flow through the Billy approval queue. Rules tuned via Bayesian feedback. | Xray enforce | Chainsaw monitor + diff |
| Week 5–6 · First flip. Flip the mirrored watch: Chainsaw enforces on the install path, Xray drops to monitor on the same signals. | Xray monitor | Chainsaw enforce |
| Week 7–8 · Second BU + retire first Xray watch. Extend to BU #2. Turn off the original Xray watch — it has been redundant for two weeks. | Xray watch off (BU #1) | Chainsaw enforce (BU #1 + BU #2) |
| Week 9–10 · K8s admission migrated. Gatekeeper / OPA policies for package admission re-expressed in the same signed Rego bundle. One policy, one audit row across PR, install, admission, runtime. | Gatekeeper retired for package policies | Chainsaw same-Rego admission |
| Week 11–12 · Roll forward. Remaining BUs onboard on the same template. Xray watches ladder off as their Chainsaw equivalents reach enforce. | Xray watches laddered off | Chainsaw federated across BUs |
Decommission ladder
Xray watch → Chainsaw equivalent → when it comes off
| Capability | Xray construct (what is in place today) | Chainsaw equivalent (with decommission target) |
|---|---|---|
| Vulnerabilities watch. CVE-driven block / warn on cached artifacts. | Xray vulnerabilities watch | Chainsaw CVE rule + 25-signal compound rules. Decommission target: week 6. |
| License watch. License-policy enforcement. | Xray license watch | Chainsaw license rule, same Rego. Decommission target: week 6. |
| Operational-risk watch. Maintainer activity, package age, abandonment heuristics. | Xray operational-risk watch | Chainsaw publish-velocity, dormant-wake, first-publish risk signals. Decommission target: week 8. |
| Custom policy. Bespoke org rules layered on Xray. | Xray custom policy | Customer Rego in signed policy bundle. Decommission target: week 10. |
| Build-scan integration. Scan-on-build gate inside Artifactory build info. | Xray build-scan | Chainsaw PR + install gate with same Rego. Decommission target: week 10. |
Rollback path
Any week, any BU.
Chainsaw carries a monitor-only flag per BU and per rule. Flipping it returns Chainsaw to passive observer; Xray policies have not been retired yet at that point in the ladder, so the prior enforcement state remains live. The rollback is a single Rego edit on the signed policy bundle. No redeploy, no artifact moves.
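The per-BU, per-rule monitor-only flag described above, sketched as an added Rego example (not Chainsaw's own policy bundle); the package name, input shape, signal thresholds and license allowlist are assumptions made for illustration.

```rego
# Hypothetical package name; Chainsaw's real bundle layout is not shown on this page.
package chainsaw.install

import rego.v1

# Per-BU, per-rule monitor-only flags. Flipping a value to true is the rollback:
# the rule still evaluates and still writes its audit row, but no longer refuses.
monitor_only := {
	"payments": {"cve": false, "license": false, "publish_velocity": true},
	"platform": {"cve": false, "license": true, "publish_velocity": false},
}

# Constructed license allowlist (assumption, not the product's list).
allowed_licenses := {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Signals that fired for the package under evaluation (assumed input shape:
# input.bu, input.package.vulnerabilities, .license, .publishes_last_24h).
fired contains "cve" if {
	some v in input.package.vulnerabilities
	v.severity == "critical"
}

fired contains "license" if {
	not allowed_licenses[input.package.license]
}

fired contains "publish_velocity" if {
	input.package.publishes_last_24h > 5
}

# A rule refuses only when it fired and the caller's BU has not flipped it to
# monitor-only. An unknown BU has no flags, so every fired rule refuses (fail closed).
refuse contains rule if {
	some rule in fired
	not monitor_only[input.bu][rule]
}

# A rule that fired but is monitor-only is recorded for the decision diff, not enforced.
observe contains rule if {
	some rule in fired
	monitor_only[input.bu][rule]
}

default allow := false

allow if count(refuse) == 0

# One audit row per decision: what refused, what was merely observed.
decision := {"bu": input.bu, "allow": allow, "refused_by": refuse, "observed": observe}
```

With the flags above, a package with five-plus publishes in 24 hours is observed but installable for `payments`, while the same package is refused for `platform`; editing one boolean in `monitor_only` moves a rule between the two states.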
Preserved investment
What you do not lose.
- Artifactory storage, identity, replication. Continue as-is.
- Existing Xray-licensed seats. Roll forward through the renewal — the storage-tier value is intact while the policy surface migrates.
- Audit history. Exports from Xray are preserved alongside the new signed audit row Chainsaw writes from week 1.
- Build promotion. Untouched; Chainsaw evaluates on install, not on promotion.
Joint-evaluation kit
What lands in your inbox before the scoping call.
- Reference architecture: Chainsaw in front of Artifactory, federation across BUs.
- Side-by-side decision diff template (per-package Xray verdict vs Chainsaw verdict).
- Sample Rego rules — CVE, license, install-script exfiltration, maintainer takeover, publish-velocity.
- Mapping doc: Xray watch type → Chainsaw rule, with decommission week.
- Rollback runbook.
Renewal just signed?
The 90-day arc preserves it.
Chainsaw runs in front of Artifactory while Xray stays live. The decommission ladder retires watches one at a time, only after their Chainsaw equivalents have been in enforce for two weeks. Artifactory storage and identity remain on JFrog.