UPDATE: As of swampUP 2023, Release Lifecycle Management includes the ability to create Xray policies to block promotion and/or distribution of Release Bundles that contain malicious packages, CVEs, etc. Read on for more information about Release Lifecycle Management.
Every organization has a process for building and releasing software. Smaller organizations may run a few automated tests before releasing, while larger organizations may have 100s of scans, validations, and approvals spanning everything from technical to legal. Whatever the process is, the end goal is the same: software that’s mature enough for release.
The challenge is that this process is complicated, messy, and often created in an ad hoc way, changing as organizations evolve. Different tools are used across different teams and stages of the SDLC. There may be manual steps and custom integrations between tools, and multiple packages and components to wrangle together to perform the release.
In a world where threats exist outside and within organizations, and software supply chain attacks have increased by 40% from 2021 to 2022, this status quo won’t suffice. Teams need a single source of truth that gives them full visibility into the release process, controls that ensure the integrity of the software being released, and automation wherever possible to lessen the inherent risk of human error.
Building Trust and Automating Software Releases
At JFrog, we’re establishing a “release-first” approach to software supply chain management. By focusing on the outcome of software development (i.e. the software release), we can build backwards by first asking the question, “What does it take to release verifiably secure and trusted software?”
Here’s our answer: there are six core components necessary to serve as the single source of truth for secure, trusted software released for consumption:
- Defining the release, with all of its packages and components across technologies, as an immutable entity as early as possible
- Configuring “environments” that match an organization’s release lifecycle stages and that contain the repositories needed for the components in a release
- Capturing, in a single place, evidence of the actions taken by the various teams and tools across the software supply chain (SSC) to ensure security and quality
- Promoting a release seamlessly from one environment to the next, without rebuilding at any point in the release process
- Enforcing policies that control how and when a release advances, including security checks, license validations, and operational requirements
- Distributing a release wherever it is consumed, while ensuring a trusted chain of custody to the very “last mile” of software delivery
Announcing: Release Lifecycle Management in JFrog Artifactory
JFrog has long helped organizations manage how software matures through the software supply chain. First came JFrog Artifactory, then Build Info, and later the concept of a Release Bundle. Together, these tools have been adopted by some of the largest and most sophisticated software organizations in the world.
Release Lifecycle Management in JFrog Artifactory is a big step forward in our release-first approach. With Release Lifecycle Management comes new and enhanced Artifactory capabilities that provide the building blocks to standardize release management and better secure your software supply chain.
Release Lifecycle Management builds on this existing toolset and takes it one abstraction layer higher, making it easier for organizations to adopt these best practices while laying the groundwork for even more powerful capabilities to come.
What Release Lifecycle Management means for JFrog users
One of the biggest changes associated with this release is the introduction of our updated Release Bundle, which we’re calling Release Bundle v2 (RBv2). RBv2 brings the Release Bundle concept into Artifactory and allows users to define the potential release as a single immutable entity composed of multiple build outputs, packages, and files early in the SDLC. That entity can then be treated as a single unit as it advances towards distribution, production, or consumption.
Today, Release Lifecycle Management enables organizations to:
- Configure custom environments to align with their release lifecycle stages and assign the necessary repositories for the components contained within a release
- Create a signed, immutable Release Bundle (RBv2) early in the SDLC, which defines the potential release candidate with all of the included packages and components of varying technologies
- Promote a Release Bundle to a target environment (SDLC Stage) without the need for custom scripts
- Create and apply Xray policies to block promotion and/or distribution of release bundles
- Distribute a Release Bundle to a Distribution Edge for optimized consumption
- Capture metadata for traceability and reporting of actions taken against the Release Bundle
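The six components above and the capabilities just listed reduce, in practice, to three calls against Artifactory: create a signed Release Bundle v2 from build-info records, promote that same name/version into each environment in turn, and distribute it to edge sites. The script below is an added example (not JFrog's code and not part of the original post) that builds those calls with the standard library only; each call is captured as a request object so it can be inspected offline or sent with `send()` against a real instance. Endpoint paths, the `X-JFrog-Signing-Key-Name` header, query parameters and body fields are written from the author's reading of the Release Lifecycle Management v2 REST API and should be treated as assumptions to verify against the API reference for your Artifactory version; the host, project, build, repository and signing-key names are constructed placeholders.

```python
"""Create, promote and distribute one Release Bundle v2 via the Release Lifecycle
Management REST API (added example; endpoint and field names are assumptions to
check against the Artifactory API reference, placeholders are constructed)."""
import json
import urllib.parse
import urllib.request
from dataclasses import dataclass, field
from typing import Optional

SIGNING_KEY_HEADER = "X-JFrog-Signing-Key-Name"   # key pair configured in Artifactory


@dataclass
class ApiRequest:
    """One REST call, captured so it can be inspected before (or instead of) sending."""
    method: str
    url: str
    headers: dict = field(default_factory=dict)
    body: Optional[dict] = None


class ReleaseLifecycle:
    """Builds the calls that move a single Release Bundle from creation to the edge.

    The same name/version identifies the bundle at every step: nothing is rebuilt,
    promotion only changes which environment's repositories hold the content.
    """

    def __init__(self, base_url: str, token: str, signing_key: str,
                 project: Optional[str] = None):
        self.base_url = base_url.rstrip("/")
        self.token = token
        self.signing_key = signing_key
        self.project = project

    def _url(self, path: str, params: Optional[dict] = None) -> str:
        params = dict(params or {})
        if self.project:
            params["project"] = self.project
        qs = urllib.parse.urlencode(params)
        return f"{self.base_url}{path}" + (f"?{qs}" if qs else "")

    def _headers(self, signed: bool) -> dict:
        h = {"Authorization": f"Bearer {self.token}", "Content-Type": "application/json"}
        if signed:   # create and promote are signing operations; distribute is not
            h[SIGNING_KEY_HEADER] = self.signing_key
        return h

    def create_from_builds(self, name: str, version: str, builds) -> ApiRequest:
        """Define the release candidate from build-info records (immutable once created)."""
        body = {
            "release_bundle_name": name,
            "release_bundle_version": version,
            "source_type": "builds",
            "source": {"builds": [{"build_name": b, "build_number": n, "build_repository": r}
                                  for b, n, r in builds]},
        }
        return ApiRequest("POST", self._url("/lifecycle/api/v2/release_bundle", {"async": "false"}),
                          self._headers(signed=True), body)

    def promote(self, name: str, version: str, environment: str,
                included_repos=None) -> ApiRequest:
        """Advance the existing bundle into the repositories of a target environment."""
        body = {"environment": environment}
        if included_repos:
            body["included_repository_keys"] = list(included_repos)
        path = f"/lifecycle/api/v2/promotion/records/{name}/{version}"
        return ApiRequest("POST", self._url(path, {"async": "false"}),
                          self._headers(signed=True), body)

    def distribute(self, name: str, version: str, site_pattern: str = "*") -> ApiRequest:
        """Push the already-signed bundle to Distribution Edge sites matching the rule."""
        body = {"auto_create_missing_repositories": False,
                "distribution_rules": [{"site_name": site_pattern}]}
        path = f"/lifecycle/api/v2/distribution/distribute/{name}/{version}"
        return ApiRequest("POST", self._url(path), self._headers(signed=False), body)

    def send(self, req: ApiRequest) -> dict:
        """Execute a captured request against a live instance; raises on HTTP errors."""
        data = json.dumps(req.body).encode() if req.body is not None else None
        r = urllib.request.Request(req.url, data=data, headers=req.headers, method=req.method)
        with urllib.request.urlopen(r, timeout=60) as resp:
            return json.loads(resp.read() or b"{}")


def release_plan(client: ReleaseLifecycle, name: str, version: str, builds, environments):
    """Create once, promote through each environment in order, then distribute."""
    plan = [client.create_from_builds(name, version, builds)]
    plan += [client.promote(name, version, env) for env in environments]
    plan.append(client.distribute(name, version))
    return plan


if __name__ == "__main__":
    client = ReleaseLifecycle("https://example.jfrog.io", token="<access-token>",
                              signing_key="release-key", project="pay")
    for req in release_plan(client, "payments-service", "1.4.0",
                            [("payments-api", "87", "artifactory-build-info")], ["QA", "PROD"]):
        print(req.method, req.url, json.dumps(req.body))
        # client.send(req)   # run for real; with async=false each call blocks until done
```

Run the script as-is to print the four requests; uncomment `client.send(req)` to execute them in order against an instance, stopping at the first HTTP error so a failed promotion (for example, one blocked by an Xray policy) never leads to a distribution of an unpromoted bundle.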
By adopting these new Release Lifecycle Management capabilities, DevOps teams benefit from:
- Enhanced traceability, including the status of every release (e.g. who promoted it, what stage it is in, and when it was promoted)
- Easier automation thanks to higher-level abstractions (you tell Artifactory which environment to promote the Release Bundle to, and it takes care of the rest)
- Stronger security and fewer mistakes, because everything is encapsulated in an immutable, signed Release Bundle (there are no leftovers or partial releases, so the release cannot be broken as it matures)
- A single system of record for all software your teams create
Best of all, portions of these new capabilities are available across JFrog subscription tiers, so even Pro accounts can take advantage of them. And like all JFrog capabilities, actions such as creating, promoting, and distributing a Release Bundle can be triggered from the UI, the JFrog CLI, or CI tools via our CI plugins.
What’s next for Release Lifecycle Management
As exciting as these new capabilities are, we’re even more excited about what this functionality enables us to build.
New dashboards to easily visualize the status of all your releases, including bottlenecks, are already underway. We’re also starting to look at collecting and storing third-party evidence of actions taken against software as it matures.
But we can’t create this world in a vacuum. We need your guidance to understand how you’re using these features, and what valuable use cases they power. So, try out these new capabilities and give us your feedback. Together, we’re building the ultimate platform for software supply chain management.