From 1c3a119dce6573eda2dc68b7180bd735a8c1b93c Mon Sep 17 00:00:00 2001
From: Jesse Houldsworth
Date: Mon, 8 Sep 2025 12:36:50 -0700
Subject: [PATCH] improving jas
---
 .github/workflows/ci-pipeline.yml | 14 +++++++++-----
 1 file changed, 9 insertions(+), 5 deletions(-)
diff --git a/.github/workflows/ci-pipeline.yml b/.github/workflows/ci-pipeline.yml
index 894f28ac7..561b226b8 100644
--- a/.github/workflows/ci-pipeline.yml
+++ b/.github/workflows/ci-pipeline.yml
@@ -63,14 +63,18 @@ jobs:
 #################################################
 # 5) SAST/SCA (on-demand audit; not tied to the build)
 #################################################
+ #################################################
+ # 5) SAST/SCA (Associated with a JFrog Project)
+ #################################################
+ #################################################
+ # 5) SAST/SCA (Associated with an Xray Watch)
+ #################################################
 - name: JFrog Audit (SAST & SCA)
- # Add build info to associate results with the published build
- # Add --fail=false so the pipeline doesn't stop here.
- # Let Xray Policies and Watches determine the build status later.
+ # Associate the scan with one or more Xray Watches for policy enforcement.
+ # This is the correct method if you are not using JFrog Projects.
 run: |
 jf audit \
- --build-name=${{ env.JFROG_CLI_BUILD_NAME }} \
- --build-number=${{ env.JFROG_CLI_BUILD_NUMBER }} \
+ --watches=jesseh-security \
 --fail=false

 #################################################
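Review bot: Because `--fail=false` stays on the `jf audit` call, a "fail build" rule matched through `--watches=jesseh-security` still returns exit code 0, so the "policy enforcement" promised by the new comment is report-only at this step. The commit also drops the comment saying Xray policies decide the build status later and no longer ties the scan to the build name/number; whether a later step (outside this hunk) still gates on Xray is not visible here. If this step is meant to be the gate, remove the flag or set `--fail=true`; if it is advisory, say so in place, e.g. `# Advisory only: --fail=false keeps exit code 0 on violations; gating happens in <later step name>`. Separately, the three stacked `# 5) SAST/SCA (...)` banners now describe three different setups for one step; keep only the "Associated with an Xray Watch" one.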