feat: add JFrog Xray vulnerability scanning module

[blink-so]

This PR adds a new Terraform module that fetches JFrog Xray vulnerability scanning results for container images stored in Artifactory.

Features

• Fetches vulnerability scan results from JFrog Xray
• Outputs vulnerability counts (Critical, High, Medium, Low, Total)
• Supports flexible image path formats
• Works with any workspace type using container images
• Provides secure token handling

Design Decisions

During testing, we found two issues with the original approach of defining the xray provider and coder_metadata inside the module:

1. coder_metadata defined inside modules does not display in the Coder dashboard — this is a known limitation
2. Inline provider blocks prevent using count/for_each on the module — which is needed when attaching metadata to resources like docker_container that use start_count

The module now outputs vulnerability counts instead, and the caller creates the coder_metadata and configures the xray provider in their root template. This matches the pattern used by other registry modules.

Usage

provider "xray" {
  url                     = "${var.jfrog_url}/xray"
  access_token            = var.artifactory_access_token
  skip_xray_version_check = true
}

module "jfrog_xray" {
  source  = "registry.coder.com/coder/jfrog-xray/coder"
  version = "1.0.0"

  xray_url   = "${var.jfrog_url}/xray"
  xray_token = var.artifactory_access_token
  image      = "docker-local/codercom/enterprise-base:latest"
}

resource "coder_metadata" "xray_vulnerabilities" {
  count       = data.coder_workspace.me.start_count
  resource_id = docker_container.workspace[0].id
  icon        = "/icon/shield.svg"

  item {
    key   = "Total Vulnerabilities"
    value = module.jfrog_xray.total
  }
  item {
    key   = "Critical"
    value = module.jfrog_xray.critical
  }
  item {
    key   = "High"
    value = module.jfrog_xray.high
  }
  item {
    key   = "Medium"
    value = module.jfrog_xray.medium
  }
  item {
    key   = "Low"
    value = module.jfrog_xray.low
  }
}

Related Issues

• Resolves JFrog Xray integration coder#12838
• Addresses JFrog xray scanning module to list workspace image vulnerabilities #65

Tested with a JFrog Cloud trial instance using Docker remote repository and Xray scanning.

[matifali]

@jatcod3r can you help me test this if you have s setup ready?

[DevelopmentCats]

@jatcod3r can you help me test this if you have s setup ready?

Since there has not been any activity on this I will see if I can spin up what I need to test this out @matifali

[DevelopmentCats]

@matifali

I have tested this, and made the final updates we need for this.

If you can take a last look I can get this merged and released for us

[Copilot]

Copilot encountered an error and was unable to review this pull request. You can try again by re-requesting a review.

[Copilot]

Pull request overview

Copilot reviewed 3 out of 4 changed files in this pull request and generated 9 comments.

[matifali]

LGTM. Thanks for testing this extensively.

[DevelopmentCats]

LGTM. Thanks for testing this extensively.

No Problem!

Just for visibility in this PR, I went back to using the provider inside the module, but changed it so the metadata is defined outside the module using the outputs. It still seems to work fine, but you cant assign a count to the jfrog_xray module.

Realistically this isn't an issue because all this does is query jfrog and return existing scan results.