For Developers and Project Managers
Artifacts, Packages, and Repositories
A software artifact is any item produced during the development of software, such as source code, compiled binary executables, metadata libraries, configuration files, build scripts, logs, licenses, diagrams, or documents.
Artifacts are often bundled into packages. For example, developers integrate open-source software that provides utilities and other functions, and these open-source packages contain all the artifacts needed to integrate and run the software.
A repository is a place to organize your artifacts and packages into a cohesive, organized group that supports a development project. Developers download resources and upload new artifacts in the project's repositories over the course of development.
While developers build quality software, DevOps teams ensure that the artifacts developers create and use are stored in repositories that provide secure, centralized management and easy retrieval at any stage in the Software Development Lifecycle (SDLC).
When you plan and create repositories in Artifactory, ask yourself:
- What type of artifacts or packages do I need? Typically operating systems, runtime environments, languages, and protocols each dictate their own artifact structure. JFrog Artifactory provides customized repositories to efficiently handle a wealth of common packages and data structures.
- How do I want to manage these artifacts? Artifactory lets you deploy every repository in one of the following ways:
  - Local repositories store and manage the build artifacts, binaries, and other packages that you generate or upload internally (sometimes referred to as first-party and second-party artifacts).
  - Remote repositories serve as caching proxies for repositories managed at a remote URL, such as a public registry. These repositories contain artifacts that originate outside your environment.
  - Virtual repositories combine an unlimited number of local and remote repositories to create controlled domains per team, per project, or per location.
  - Federated repositories synchronize their contents with other repositories across several sites.
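The usual way these repository types fit together is a virtual repository that fronts one local repository and one remote cache, so developers resolve from a single URL while every third-party download passes through a repository you control. The following added example (not JFrog's code) models that layout using the field names of Artifactory's Repository Configuration JSON (`rclass`, `url`, `repositories`, `defaultDeploymentRepo`), with constructed repository keys, and checks that the virtual repository only aggregates known repositories and deploys to a local one.

```python
"""Model Artifactory repository classes and check how a virtual repository
composes them. Added example; repository keys are constructed, field names
follow Artifactory's Repository Configuration JSON."""
import json

# Constructed sample: a first-party npm repo, a cache of the public registry,
# and the virtual repo that developers point their npm client at.
REPOS = {
    "npm-local": {"rclass": "local", "packageType": "npm"},
    "npm-remote": {"rclass": "remote", "packageType": "npm",
                   "url": "https://registry.npmjs.org"},
    "npm": {"rclass": "virtual", "packageType": "npm",
            "repositories": ["npm-local", "npm-remote"],
            "defaultDeploymentRepo": "npm-local"},
}


def validate(repos: dict) -> list:
    """Return configuration problems; an empty list means the set is consistent."""
    problems = []
    for key, cfg in repos.items():
        rclass = cfg.get("rclass")
        if rclass == "remote" and not cfg.get("url", "").startswith("https://"):
            problems.append(f"{key}: remote repository needs an https URL")
        if rclass == "virtual":
            members = cfg.get("repositories", [])
            for m in members:
                if m not in repos:
                    problems.append(f"{key}: aggregates unknown repository {m!r}")
                elif repos[m].get("packageType") != cfg.get("packageType"):
                    problems.append(f"{key}: member {m!r} has another packageType")
            deploy = cfg.get("defaultDeploymentRepo")
            # Uploads to a virtual repo land in its default deployment repo,
            # which has to be one of its local members.
            if deploy and (deploy not in members
                           or repos.get(deploy, {}).get("rclass") != "local"):
                problems.append(f"{key}: defaultDeploymentRepo must be a local member")
    return problems


def resolve_sources(repos: dict, virtual_key: str) -> list:
    """Expand a virtual repo into the concrete repos it serves from, in order
    (nested virtual repos are flattened)."""
    out = []
    for m in repos[virtual_key]["repositories"]:
        if repos[m]["rclass"] == "virtual":
            out.extend(resolve_sources(repos, m))
        else:
            out.append(m)
    return out


def payload(repos: dict, key: str) -> str:
    """JSON body for PUT /artifactory/api/repositories/<key> in the REST API."""
    return json.dumps({"key": key, **repos[key]})
```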
DevSecOps: Integrated Security in the Development Process
All JFrog subscriptions integrate the following security components to ensure the integrity of data in your repositories, and enhance security over the software development lifecycle.
JFrog Xray
JFrog Xray is a Software Composition Analysis (SCA) tool that scans files and analyzes binaries to identify vulnerabilities and malicious packages, as well as operational issues such as license risks and dependencies. Xray is natively integrated with the Artifactory binary management service.
JFrog Curation and JFrog Catalog
JFrog Catalog is a centralized repository for OSS packages and CVEs, enriched with security, compliance, and risk insights. It offers deep visibility into package vulnerabilities, dependencies, and licensing, serving as a single source of truth for managing the software supply chain.
Based on Catalog, JFrog Curation scans user requests to import packages into repositories. Curation identifies and blocks vulnerable, malicious, or problematic packages when users first request them - before they can enter the development environment.
Xray and the Curation catalog are constantly updated with advanced threat information from JFrog Security Research.
Watches and Policies
These tools let you create custom security policies triggered by repository usage.
- Xray lets you define policies that check license and other package compliance factors, then automatically invoke them with various repository usage triggers.
- Curation lets you define risk assessment policies and scope them to particular repository contents.
For more information: Create Xray Watches and Policies; Configure Xray service settings
Projects: Environments and User Roles
Every software development project combines:
- Resources - the artifact repositories, builds, and Distribution bundles consumed and created during the project.
- Users in various Roles - the developers, testers, and administrators who contribute to the software project.
The projects you define in the JFrog Platform follow this natural pattern. In the JFrog Platform:
Role-Based Access Control (RBAC) lets you define administrative and contributor roles, and limit the actions permitted to users who are assigned the role. You can define Global roles that are available to all projects you create on the JFrog Platform, and Project roles specific to one project.
An environment groups together the resources and user roles related to a specific area of development or a sub-stage of a larger project. For example, you may want to define an environment with User Roles and Resources related to Testing and QA, or an environment that supports a specific team or technology area. Defining environments makes it easy to manage the resources and users associated with a specific phase, function, or expertise of development.
A project groups together the resources and user roles needed throughout the SDLC of a specific development goal. Typically a project combines previously defined user roles and environments with resources, users, and roles specific to the project. You can define Xray watches that apply security policies to projects.
You can combine these management definitions to support any development/build/release process, from the simplest to the most complex.
Who defines environments and roles?
That depends on how your organization integrates and uses JFrog tools, and on the roles and permissions that are defined. Typically:
- Your JFrog administrator or DevOps administrator defines environments and basic global roles.
- Project Managers and team leaders work with DevOps or JFrog administrators to define project-specific resources and roles.
- The relevant permissions and resources are made available to project participants based on their roles and the current phase of development.
For more information: Getting Started with Projects
