Complete your Software Supply Chain with GitLab CI/CD and JFrog

Integrate JFrog and GitLab CI

Software is more than building code. Developing software and ensuring quality builds requires managing a complete software supply chain. With the many security threats across the supply chain, managing each and every aspect of the software you deliver to your customers, including the entire process of how it was made, is critical to your organization. This means setting up your software release cycle to include DevOps and security best practices. The challenge is doing this as a continuous flow that is a seamless part of your software delivery.

If you’re already using GitLab as your CI workflow engine, you probably know that’s not where delivery stops. You need to complete the software supply chain feedback loop through continuous security, provenance, software distribution, edge management and more. You can accomplish this by integrating your GitLab processes with the JFrog Platform to deliver a full software supply chain management solution.

JFrog Template Gallery for GitLab CI/CD

The JFrog GitLab templates repository makes it easy to integrate and set up the JFrog Platform into your existing GitLab CI/CD, and achieve a complete software supply chain.

The templates gallery includes ready-to-use templates for popular build-tools such as: .NET, go, Gradle, Maven, npm, NuGet, Pip, Pipenv, and Yarn. Each template provides JFrog functionalities for setting up your security and build integrations.

For example, the “audit” templates resolve your project’s dependency tree from the source tree and scan those dependencies for security vulnerabilities and license compliance issues.

default:
  image: maven:3.8.6-openjdk-11-slim

include:
  - remote: "https://releases.jfrog.io/artifactory/jfrog-cli/gitlab/v2/.setup-jfrog-unix.yml"
  # For Windows agents:
  #- remote: "https://releases.jfrog.io/artifactory/jfrog-cli/gitlab/v2/.setup-jfrog-windows.yml"


jfrog-maven-audit:
  script:
    - !reference [.setup_jfrog, script]

    # Configure JFrog Artifactory repositories. The two variables are GitLab CI/CD
    # variables naming the virtual Maven repositories that dependencies resolve through.
    - jf mvn-config --repo-resolve-releases $ARTIFACTORY_VIRTUAL_RELEASE_REPO --repo-resolve-snapshots $ARTIFACTORY_VIRTUAL_SNAPSHOT_REPO

    # Audit the Maven project: resolve the dependency tree and scan it with Xray
    - jf audit

  after_script:
    # Cleanup
    - !reference [.cleanup_jfrog, script]


How to use the templates

Copy the template to your GitLab repository, modify it as needed, set the GitLab CI/CD variables (as described in the templates’ installation instructions) and you’re ready to run the pipeline. Store credentials such as the JFrog access token as masked and protected CI/CD variables rather than in the pipeline file, so they are redacted from job logs and only exposed to protected branches and tags.

How it works

The include statement, at the beginning of each template, adds an initialization script to your pipeline that enables quick and easy access to many JFrog Platform features. Referencing the .setup_jfrog script in a pipeline job does the following:

  • Installs JFrog CLI
  • Configures JFrog CLI to work with the JFrog Platform
  • Sets the build name and build number values to allow publishing build-info to Artifactory
  • Optionally replaces the default Docker Registry with an Artifactory Docker Registry
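One caveat worth stating for the include itself: `include: remote:` fetches the setup template from releases.jfrog.io every time a pipeline is created, so that URL becomes a dependency of your build with the same trust questions as any other. One way to keep control is to vendor a reviewed copy of the file into the repository and fail the pipeline if it no longer matches a digest recorded at review time. The script below is an added example, not JFrog’s or GitLab’s code; the file name, the stand-in template contents and the `verify_template`/`pin_template` helpers are constructed for illustration.

```shell
#!/bin/sh
# Added example (not part of the JFrog templates): pin a vendored copy of a
# remote CI template to a SHA-256 digest and refuse to proceed on mismatch.
# Intended use: commit the digest next to the vendored file and run
# verify_template as the first step of the job that includes it.

set -u

# Portable SHA-256 of a file: coreutils sha256sum, or Perl shasum elsewhere.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# pin_template FILE
# Prints the digest of a reviewed copy; run once and commit the output.
pin_template() {
  sha256_of "$1"
}

# verify_template FILE EXPECTED_SHA256
# Returns 0 when FILE hashes to EXPECTED_SHA256, 1 when it differs or is missing.
verify_template() {
  file=$1
  expected=$2
  [ -f "$file" ] || { echo "missing template: $file" >&2; return 1; }
  actual=$(sha256_of "$file")
  if [ "$actual" = "$expected" ]; then
    echo "ok: $file matches pinned digest"
    return 0
  fi
  echo "MISMATCH: $file" >&2
  echo "  expected $expected" >&2
  echo "  actual   $actual" >&2
  return 1
}

# Demo against a constructed stand-in for .setup-jfrog-unix.yml (not the real
# template): an unchanged copy passes, a modified copy is rejected.
demo() {
  dir=$(mktemp -d)
  copy="$dir/.setup-jfrog-unix.yml"
  printf '.setup_jfrog:\n  script:\n    - echo "install jf"\n' > "$copy"
  pinned=$(pin_template "$copy")

  verify_template "$copy" "$pinned" || return 1            # reviewed copy passes
  printf '    - echo "unexpected change"\n' >> "$copy"      # simulate tampering
  if verify_template "$copy" "$pinned"; then return 1; fi   # must be rejected
  rm -rf "$dir"
  return 0
}
```

In a pipeline this replaces the `remote:` include with a `local:` include of the vendored file, and `verify_template` runs before `!reference [.setup_jfrog, script]`; updating the template then becomes an explicit, reviewable commit that changes both the file and its pinned digest.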

Read a customer’s own account of how they seamlessly integrated the JFrog CLI with their GitLab CI.

Discover the JFrog Platform

Whether you’re working with containers, packages, libraries, or any other type of binary file, JFrog Artifactory has you covered. As an industry standard, Artifactory serves as the backbone of your DevOps environment, providing software developer teams with a centralized place to store, manage and distribute binary artifacts.

Fully integrated with popular CI/CD tools, including GitLab CI, Artifactory makes it easy to manage all your binary artifacts in a single, centralized, universal repository, eliminating the need to use multiple tools for different types of binary files, streamlining your software release process and reducing the risk of errors. Critically, Artifactory is built for scale.

When it comes to securely managing the lifecycle of software artifacts, you need a true supply chain management solution that focuses on the asset that runs in production – the software binary.

Unique JFrog Platform capabilities include proxying and caching third-party packages for consistent, reliable access even across remote locations, as well as enterprise-grade support for over 30 package types, multi-site support, continuous security monitoring of both source code and binaries, prioritization of long lists of vulnerabilities, actionable policies, and a guaranteed uptime SLA in the cloud that you can rely on.

More Developer Tools

We’re excited to make the JFrog Templates Gallery and the following open source tools available for developers to use and get started with:

  • JFrog Frogbot – Automatic security vulnerability scanning of pull requests in Git.
  • JFrog IDE integrations – Developer plugins and extensions, including VS Code, IntelliJ IDEA, Eclipse and more, enabling developers to discover and remediate security vulnerabilities early in the development stage.
  • JFrog Build Integrations – Plugins and extensions for CI systems, including Jenkins, GitHub Actions, Azure DevOps, Bamboo and more, bringing the same capabilities to your build pipelines.

As always we’re happy to help! The JFrog GitLab templates repository is open source; your contribution is always welcome. Submit your pull requests and engage with us by opening issues.