AppTrust Overview
High-level overview of JFrog AppTrust, a solution for trusted, secure, and compliant application releases.
JFrog AppTrust is JFrog's DevGovOps solution for application risk governance. It embeds evidence-based policy gates directly into your SDLC so that only verified, compliant application versions reach production — without slowing down your release pipeline.
AppTrust is designed for developers, release engineers, DevOps teams, AppSec engineers, and GRC and compliance leads who need continuous, auditable control over every release.
How AppTrust Works
AppTrust introduces the application as a first-class entity in the JFrog Platform. An application groups your packages, container images, and build artifacts under a single object with defined ownership, business criticality, and maturity level.
Each time you build, AppTrust creates an application version that bundles those artifacts. As the version moves through your lifecycle — for example, Dev → QA → Staging → Production — it must pass lifecycle policy gates at each stage. At the gates, AppTrust evaluates accumulated evidence from JFrog tools, your CI/CD systems, and third-party partners. Versions that fail a gate are blocked from promotion until the issue is resolved or a waiver is approved.
When a version satisfies all policy requirements and is released to production, it receives the Trusted Release badge — a cryptographically signed attestation stored in Artifactory that travels with the release as an immutable audit record. AppTrust then continues to monitor trusted releases for newly discovered CVEs.
Key Capabilities
Application Context and Ownership
AppTrust elevates artifacts from anonymous build outputs to business entities. Each application carries defined ownership, business criticality, and maturity level. Each application version exposes:
- A complete SBOM and full version timeline
- DORA delivery metrics such as deployment frequency and lead time for changes
- Reasons for failure and detailed blast radius
- Continuous CVE monitoring before and after release, with immediate blast-radius visibility when a new vulnerability is discovered
Lifecycle Stage Gates
Lifecycle policies enforce your security, quality, and compliance rules as code (OPA/Rego) at the entry and exit of each lifecycle stage. Key functional points:
- Policies can warn or block, and can be as permissive or restrictive as the stage requires
- Policies can be defined per application, project, or the entire organization
- Global policies can span multiple applications or projects from a single definition
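As an added example (not code from JFrog or the AppTrust documentation), here is the kind of Rego gate this section describes: it blocks entry to Production when a required piece of signed evidence is missing or an unwaived critical vulnerability remains, and only warns on high-severity findings. The `input` fields it reads (`evidence`, `vulnerabilities`, and their sub-fields) are assumed for illustration, not AppTrust's documented policy input schema.

```rego
# Added example policy for a Production entry gate (not JFrog's own code).
# ASSUMED input shape, for illustration only:
#   input.evidence[]        -> {type, signature_verified}
#   input.vulnerabilities[] -> {id, component, severity, waiver_approved}
package lifecycle.production_entry

import rego.v1

# Evidence types a version must carry, with a verified signature,
# before it may enter Production.
required_evidence := {"sbom", "sonarqube-quality-gate"}

# Evidence attached to the version whose signature checked out.
present_evidence contains e.type if {
	some e in input.evidence
	e.signature_verified == true
}

# Set difference: required types with no signed evidence record.
missing_evidence := required_evidence - present_evidence

# Block: a required evidence record is missing or unsigned.
block contains msg if {
	some t in missing_evidence
	msg := sprintf("missing signed evidence of type %s", [t])
}

# Block: an unwaived critical vulnerability is present. An approved
# waiver (waiver_approved: true) takes the finding out of this rule.
block contains msg if {
	some v in input.vulnerabilities
	v.severity == "critical"
	not v.waiver_approved
	msg := sprintf("unwaived critical vulnerability %s in %s", [v.id, v.component])
}

# Warn only: high-severity findings are reported but do not stop promotion.
warn contains msg if {
	some v in input.vulnerabilities
	v.severity == "high"
	msg := sprintf("high-severity vulnerability %s in %s", [v.id, v.component])
}

# The gate passes only when nothing blocks; warnings are still surfaced.
allow if count(block) == 0
```

Evaluating `data.lifecycle.production_entry` against a version's evidence document yields the `allow` decision together with the `block` and `warn` message sets, which is what a gate needs to report a reason for failure.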
Immutable System of Record
Evidence is cryptographically signed and bound to the artifact. This means proof travels with the release through every lifecycle stage. Audit preparation becomes a matter of retrieving the Trusted Release record, not manually correlating data across multiple tools. Every event — version creation, stage promotion, policy evaluation, release — is recorded with a timestamp and actor in the Activity Log.
Ecosystem-Wide Integrations
AppTrust unifies security and quality signals from across your toolchain. Sources include:
- JFrog-native: Xray, Advanced Security, and Runtime feed scan results as built-in evidence
- Ecosystem partners: GitHub, ServiceNow, SonarQube, Akuity, Akto, CoGuard, Gradle Develocity, and others push cryptographically signed evidence directly into AppTrust
- Custom: Any in-house tool or compliance requirement via JFrog CLI, REST API, GraphQL, or Terraform provider
Regulatory Alignment
AppTrust's evidence model is designed to support NIST SSDF, the EU Cyber Resilience Act (CRA), FedRAMP, and similar frameworks. Rego policies encode specific framework requirements directly alongside the software they govern, replacing manual audit exercises with continuous, verifiable compliance.
AppTrust Documentation
JFrog provides full documentation of the AppTrust UI, the REST API, the GraphQL API, the CLI, AppTrust integrations, and more. We recommend you start with the AppTrust Quickstart.
Where to Go Next
| If you want to... | Go to... |
|---|---|
| Get a high-level orientation | Get Started with Governance & Lifecycle (DevGovOps) |
| Set up AppTrust for the first time | AppTrust Quickstart |
| Check prerequisites | AppTrust Prerequisites |
| Understand key terms | AppTrust Glossary |
| Track new capabilities | AppTrust Release Notes |
