JFrog Azure DevOps Extension

The JFrog Extension integrates your Azure DevOps pipelines with the JFrog Platform. It lets you build, secure, and distribute software while capturing full traceability of every artifact, dependency, and environment variable across your CI/CD workflow.

📘

Node.js requirements (task execution)

JFrog extension tasks are Node-based Azure Pipelines tasks. They run on the Node.js execution handler bundled with your Azure Pipelines agent—not on Node.js you install for application builds.

Supported task handlers: Node 10, Node 20, and Node 24. Azure Pipelines automatically selects the highest handler available on the agent. Node 22 is not currently supported.

  • Microsoft-hosted agents: Node handlers are managed by Azure DevOps. No action required.
  • Self-hosted agents: Use agent version 4.248.0 or later for Node 20 support and 4.265.1 or later for Node 24 support. Keep agents updated as Microsoft deprecates older Node handlers. See Node.js runners in Azure Pipelines.

To force a specific handler for all Node-based tasks, set the pipeline variable AGENT_USE_NODE20_1 to true (Node 20) or AGENT_USE_NODE24 to true (Node 24). If your agent lacks a required handler, use the NodeTaskRunnerInstaller@0 task in your pipeline.

Note: Node.js used for npm builds (for example, with the JFrog npm task) is a separate requirement. See the GitHub documentation for build agent setup.

Why Use the JFrog Extension

The extension captures information about deployed artifacts, resolved dependencies, and environment data associated with your build runs. This build-info is published to JFrog Artifactory, giving you fully traceable builds and a clear chain of custody from source to production.

What You Can Do

Build and Resolve Dependencies

Use JFrog Artifactory as the binary repository manager for your builds. The extension provides dedicated pipeline tasks for the following package managers:

  • Maven
  • Gradle
  • npm
  • NuGet and .NET Core
  • Pip
  • Go
  • Conan

You can also upload, download, copy, move, and delete generic artifacts using File Specs.

Secure and Scan

Identify vulnerabilities before they reach production with JFrog Xray:

  • Audit project dependencies — Scan your local project's dependency tree for security vulnerabilities.
  • Scan published builds — Trigger a security scan on builds that have been published to Artifactory.
  • Scan Docker images — Scan local Docker images and view results directly in the build log.

Publish and Track

Gain full visibility into what was built, how it was built, and where it was deployed:

  • Publish build-info — Capture and publish build metadata to Artifactory, including artifacts, dependencies, and environment variables.
  • Collect build issues — Automatically collect tracked issues (for example, from JIRA) by matching git commit messages and attach them to your build-info.
  • Promote builds — Promote builds from one Artifactory repository to another to support your artifact lifecycle.
  • Discard old builds — Clean up outdated build runs from Artifactory based on retention policies.

Manage and Distribute

Manage your release lifecycle with JFrog Distribution:

  • Create, update, sign, and distribute Release Bundles to edge nodes.
  • Push and pull Docker images to and from Artifactory docker repositories.

Automate with JFrog CLI

Run any JFrog CLI command directly from your pipeline using the JFrog CLI V2 task. The task uses pre-configured connection details from your Azure DevOps service connections, so there is no need to pass credentials in your pipeline YAML.

Get Started

Read the full documentation for installation steps, service connection setup, task configuration, YAML examples, and OpenID Connect (OIDC) authentication.