AppTrust Onboarding Checklist
The following checklist describes the essential steps required to get up and running with JFrog AppTrust. Each step builds upon the previous step to establish a complete and secure promotion pipeline for your applications.
One-Time Setup Tasks
✅ Create a Project (Optional)
A project is a high-level unit for organizing your AppTrust resources – such as applications, policies, and lifecycle stages – often corresponding to a team or a specific business initiative. If you already have projects defined for Artifactory, then you can skip this step and use the existing projects.
- If you need new projects for use with AppTrust, create them.
For more information: Create a Project
✅ Create Global and Project Stages
Stages represent discrete steps in your SDLC, such as DEV, QA, STAGING, and PROD. Each stage can have its own repositories and permissions. You can define stages globally (for your entire organization) or for specific projects.
- Decide which stages should be global or project specific and create them.
For more information: Create Stages
✅ Define Your Project Lifecycle
A lifecycle is a sequence of defined stages that culminates with the release of your application version.
- Order the lifecycle in your project to ensure a logical promotion path for your application versions.
For more information: Edit the Lifecycle
✅ Create an Application
An application is any software product developed by your organization whose SDLC you want to manage and secure with AppTrust. This application entity will be associated with the artifacts generated by your CI/CD pipeline.
- In the relevant project, define the software application you will be managing and securing with AppTrust.
For more information: Create an Application
✅ Bind Artifacts Using OIDC (Optional)
In AppTrust, you can bind a package to a specific application using OIDC integration. This feature enables traceability, as each package is tied to an application that in effect "owns" that package. If an issue is discovered in the package at any stage, this binding makes it easy to turn to the application owners to address the issue, thereby enhancing efficiency and accountability.
- Integrate AppTrust with your CI/CD pipeline to create a secure link between your build process and the resulting artifacts.
For more information: Bind Packages to an Application
✅ Create Lifecycle Policies and Stage Gates
A lifecycle policy determines what conditions must be met for an application version to pass a lifecycle gate and be promoted to the next stage. A policy uses rules that you specify and enforces requirements such as vulnerability scan results, compliance checks, and quality metrics that must be met. You can apply policies to entry gates and exit gates of each stage.
- Define criteria that must be met for application versions to pass through stage gates.
For more information: Create Lifecycle Policies
✅ Set Up Evidence (Optional)
In addition to the evidence that Artifactory and Xray create automatically when performing operations in the JFrog platform (for example, when promoting a version), you can create evidence that attests to processes performed outside the JFrog platform, and attach that evidence to an evidence subject (for example, an artifact, package, or build) deployed in Artifactory.
The recommended best practice is to attach evidence to artifacts, packages, or builds until you create an application version. At that point, any further evidence related to the artifacts, packages, or builds should be attached directly to the application version.
- Set up evidence creation for any evidence that will be created outside of the JFrog platform.
For more information: Evidence Quickstart
Day-to-Day Management Tasks
✅ Create an Application Version
An application version bundles together all relevant artifacts and metadata from the build. A new version may be created manually in the UI, or you can use the AppTrust API to create new versions that are triggered automatically by new builds from your CI pipeline.
- Register a new, immutable version of your application.
For more information: Create an Application Version
✅ Promote a Version
The promote action is your explicit approval to advance the version through the lifecycle. When you initiate a promotion, AppTrust evaluates the policies that you have applied to the stage gates. The evaluation process compares the evidence attestations to the relevant policies. If the evaluation is positive, then the version is promoted.
- Move an application version from one stage to the next after it successfully meets all policy requirements.
For more information: Promote an Application Version
✅ Release a Version
The release action is a promotion to the Production (PROD) stage. A release creates an immutable record, providing a clear audit trail of what was deployed and confirming its attestation status. A successful release action marks the version as an officially Trusted Release.
- Release an application version to the final stage of its lifecycle (for example, PROD).
For more information: Release an Application Version
