AppTrust Onboarding Checklist
The following checklist describes the essential steps required to get up and running with AppTrust. Each step builds upon the previous step to establish a complete and secure promotion pipeline for your applications.
| Procedure | Description |
|---|---|
| Create a project | A project is the foundational container for your AppTrust resources. It acts as a top-level namespace to organize your applications, policies, and lifecycle stages, often corresponding to a team or a specific business initiative. |
| Create global and project stages | Stages are logical entities within JFrog that represent discrete steps in your organization's Software Development Lifecycle (SDLC), such as DEV, QA, STAGING, and PROD. Each stage is configured with its own set of associated repositories and permissions. Project stages belong to a specific project; global stages can be used by all projects. |
| Define your project lifecycle | A lifecycle is a sequence of defined stages in the SDLC that culminates with the release of your application version. Ordering your lifecycle ensures a logical promotion path for your application versions. |
| Create an application in the project | Define the specific software application you will be managing and securing with AppTrust. This application entity will be associated with the artifacts generated by your CI/CD pipeline. |
| Modify the pipeline to bind artifacts using OIDC | Integrate AppTrust with your CI/CD pipeline to create a secure link between your build process and the resulting artifacts. This crucial step uses OIDC to ensure that artifacts are verifiably associated with a specific build and source code commit. |
| Create lifecycle policies on the gates | Define security and quality criteria that must be met for application versions to pass through stage gates. The policies defined for each gate can include rules that enforce requirements such as vulnerability scan results, compliance checks, and quality metrics before an application version can be promoted. |
| Create an application version | Register a new, immutable version of your application, typically triggered automatically by a new build from your CI pipeline. An application version bundles together all the relevant artifacts and metadata from the build that produced it. |
| Promote an application version | Move an application version from one stage to the next after it successfully meets all policy requirements defined for its current stage. The promote action is your explicit approval to advance the version through the stages of its lifecycle. |
| Release an application version | Release an application version to the final stage of its lifecycle (for example, PROD), marking it as an officially Trusted Release. The release action creates an immutable record, providing a clear audit trail of what was deployed and confirming its attestation status. |
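The promotion path the checklist describes, as an added illustrative model in Python (not AppTrust's own API or code; the stage names, the version fields such as `oidc_bound` and `critical_vulns`, and the `promote`/`release` functions are assumptions made for this illustration):

```python
from dataclasses import dataclass, field
# Ordered lifecycle stages (assumed names from the checklist); the last one is the release stage.
LIFECYCLE = ["DEV", "QA", "STAGING", "PROD"]

@dataclass
class AppVersion:
    name: str
    version: str
    stage: str = "DEV"
    oidc_bound: bool = False         # artifacts bound to a specific build and commit via OIDC
    critical_vulns: int = 0          # outcome of the vulnerability scan (assumed field)
    compliance_passed: bool = False
    released: bool = False
    audit: list = field(default_factory=list)  # append-only record of every gate decision

# Gate policies keyed by the stage a version is leaving; each rule returns None or a failure reason.
GATE_POLICIES = {
    "DEV": [lambda v: None if v.oidc_bound else "artifacts are not OIDC-bound to a build"],
    "QA": [lambda v: None if v.critical_vulns == 0 else f"{v.critical_vulns} critical vulnerabilities"],
    "STAGING": [lambda v: None if v.compliance_passed else "compliance checks not passed"],
}
def evaluate_gate(v: AppVersion) -> list:
    # Run every policy on the gate of the version's current stage and collect failure reasons.
    return [r for r in (rule(v) for rule in GATE_POLICIES.get(v.stage, [])) if r]
def _pass_gate(v: AppVersion) -> str:
    # Shared check: released versions are immutable, and all policies must pass before advancing.
    if v.released:
        raise ValueError(f"{v.name} {v.version} is already released and immutable")
    failures = evaluate_gate(v)
    if failures:
        v.audit.append(("blocked", v.stage, failures))
        raise PermissionError(f"blocked at {v.stage}: {'; '.join(failures)}")
    return LIFECYCLE[LIFECYCLE.index(v.stage) + 1]
def promote(v: AppVersion) -> str:
    # Advance one stage; entering the final stage is reserved for release().
    nxt = _pass_gate(v)
    if nxt == LIFECYCLE[-1]:
        raise ValueError("the final stage is entered with release(), not promote()")
    v.audit.append(("promoted", v.stage, nxt))
    v.stage = nxt
    return nxt
def release(v: AppVersion) -> str:
    # Move into the final stage and mark the version a Trusted Release with an audit record.
    nxt = _pass_gate(v)
    if nxt != LIFECYCLE[-1]:
        raise ValueError(f"{v.stage} is not the last stage before release")
    v.audit.append(("released", v.stage, nxt))
    v.stage, v.released = nxt, True
    return nxt
```

Each blocked or successful transition is appended to the version's audit list, so the record shows which gate stopped a version and why, as well as the final release.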
Updated 3 months ago
