Scaling Software Supply Chains Securely
Software supply chains are mission-critical for digital businesses, and as global conditions accelerate the growth in contactless interactions and transactions, many organizations are reviewing how to solve the challenge of scaling the volume and velocity of their software development and release processes to meet the digital demand.
The latest JFrog Platform release delivers a rich payload of new capabilities to scale and enhance the software supply chain security for digital businesses. Large enterprises that rely on automation to achieve greater efficiencies will benefit from:
- Enhanced repository protection of binaries, artifacts and dependencies for multi-site, or dispersed development teams.
- Scaling DevOps project management to meet the accelerated demand for software releases, with project-level autonomy to manage roles, resource thresholds and permissions across the stages of the CI/CD pipeline.
- An expanded developer ecosystem, with new Cargo package type support for the popular Rust development community.
Let’s look at each of these areas in a bit more detail.
Enhanced Repository and Registry Protection
This release expands protection for your DevOps platform in cloud and hybrid infrastructures. Platform administrators, as well as build and release teams now have additional methods to secure the software supply chain, as the JFrog Platform security and availability features now include:
- Priority resolution is now available for NuGet repositories. This fine-grained control option helps mitigate dependency confusion attacks.
- Identity management across cloud services with SCIM helps make managing user identities in cloud-based applications and services easier.
- AWS PrivateLink connection for JFrog SaaS customers.
- Vault by HashiCorp support for managing the encryption keys used to sign binaries and release bundles.
Artifactory now supports the Priority Resolution option for local and remote NuGet repositories. Setting this option declares the repository as “safe,” granting it precedence when resolving virtual repositories. Priority Resolution can be enabled in the repository management UI or through the priorityResolution flag in the repository configuration JSON. This feature was already supported for Docker, PyPI, RubyGems and npm repositories.
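As an added illustration (not taken from the release notes or from JFrog’s own documentation), here is how the three repositories in a typical dependency-confusion setup might be declared in repository configuration JSON, with priorityResolution enabled only on the local repository that holds internal packages. The repository keys and the upstream URL are constructed, and the field names other than priorityResolution (key, rclass, packageType, url, repositories, description) are assumed from the standard Artifactory repository configuration format.

```json
[
  {
    "key": "nuget-internal",
    "rclass": "local",
    "packageType": "nuget",
    "description": "Constructed example: internal packages. priorityResolution marks this repository as safe, so a package with the same name here is resolved before the remote proxy.",
    "priorityResolution": true
  },
  {
    "key": "nuget-public-remote",
    "rclass": "remote",
    "packageType": "nuget",
    "url": "https://www.nuget.org/",
    "description": "Constructed example: proxy of the public feed. Left without priority so a public package cannot shadow an internal one.",
    "priorityResolution": false
  },
  {
    "key": "nuget-virtual",
    "rclass": "virtual",
    "packageType": "nuget",
    "repositories": ["nuget-internal", "nuget-public-remote"],
    "description": "Constructed example: the single feed developers point their clients at. Resolution honours the prioritised local repository first."
  }
]
```

Each object is submitted separately when creating or updating a repository; the point of the example is that only the repository you control carries priorityResolution, so the virtual repository resolves internal names from it first.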
DevSecOps teams will be happy to learn that identity access security for cloud-based applications and services just got a little easier with the addition of the System for Cross-domain Identity Management (SCIM) v2.0 protocol and schema. This enables IT departments to automate user provisioning between identity providers, such as Okta and Azure Active Directory (AD), and service providers, reducing the cost and complexity of user management operations across multi-cloud applications, infrastructure and services.
Vault Support for Secrets Protection
Another valuable ecosystem extension is HashiCorp Vault integration with the JFrog Platform to store signing keys (GPG keys, RSA keys, and Trusted keys) used to sign packages and JFrog distribution release bundles. Integrating HashiCorp Vault with JFrog Platform provides the capability to generate and manage keys centrally for security and compliance.
AWS PrivateLink Connections
To add further resiliency and security, private endpoints for AWS Cloud are now available with a private connection into JFrog Cloud instances without going through the public Internet.
Distributed DevOps Project Management
For larger enterprises and organizations, JFrog Projects introduces a new administrative approach for software development projects. Now, a project-level administrator has complete autonomy to:
- Assign team members roles (e.g. developer, viewer, tester),
- Allocate resources, such as repositories, software Bills of Materials (SBOMs) and storage, and
- Manage permissions for the build as it progresses through the stages of the pipeline.
Where IT is a service, JFrog Projects comes with pre-configured DEV (development) and PROD (production) environments, ready for the new Project Administrator to onboard the project team and get them coding faster. Add JFrog to your IT service catalog today.
Platform Administrators will benefit from a redesigned configuration management infrastructure that distributes and enables a new role, the Project Administrator. With a few selections to customize the environment, the Administrator can quickly configure self-service onboarding of developers, manage team member roles and permissions, and integrate pre-configured resources such as binary repositories, pipeline node pools and storage thresholds. JFrog Projects solves the challenges of scaling and managing distributed development projects in larger organizations across multiple development teams and locations.
The JFrog Platform Administrator View – JFrog Projects
Expanded Developer Ecosystem
This release continues JFrog’s ongoing commitment to helping you connect with your universe of tools with more package type support and other features.
Rust Support – Cargo Repositories
With the introduction of Cargo repositories for the popular Rust programming language, the JFrog developer ecosystem expands to over 30 package types. The JFrog Platform now natively supports Cargo repositories with its Cargo Registry for the Rust programming language, giving developers and engineers:
- Proxying of remote Cargo resources and caching of downloaded Cargo packages for faster response
- Metadata calculation for the Cargo packages hosted in Artifactory, for automation across the pipeline
- Version management, including archiving of older versions of packages uploaded to local repositories
- Integration with the universal repository for all DevOps projects
Here is a small snippet from the Set Me Up to get you started.
JFrog Platform – Set Me Up and Artifactory registry snippet
We’re excited to be working with the Rust community, whose language was rated the most loved programming language in the Stack Overflow 2020 Developer Survey. Please join us at the SwampUp 2021 DevOps Conference.
Searching Remote Repositories
For developers using AQL, you can now search within remote and virtual repositories for more comprehensive Artifactory queries.
In addition, the Live Logs plugin now exposes JFrog Platform events, reducing the time it takes to view server logs and troubleshoot errors and incidents in the production environment.
As automated software supply chains evolve, scaling securely becomes a foundational best practice for many organizations. With this latest platform release, organizations have even more solutions to secure their business-critical software assets and accelerate DevOps projects.
For further details see the JFrog Artifactory Release Notes.