The Power of Evidence Collection and Release Lifecycle Management
Ensure the integrity of your software releases with JFrog’s Release Lifecycle Management and Evidence Collection capabilities
The speed of today’s software development lifecycle is only getting faster. However, the complexity of today’s pipelines make it hard to track and manage the processes software releases must go through. With increasing regulatory pressures, ensuring and proving your software has gone through the necessary quality controls is no longer nice to have – it has become a necessity. JFrog’s Release Lifecycle Management and new Evidence Collection capabilities enable software organizations to adopt a modern, controlled approach to managing software build promotion that instills trust in your releases.
Trust the contents and processes of your releases
Everything done throughout your software development process creates evidence necessary to attest to the contents, quality, and security of the software you’re releasing. Security scans, code commits, build results, SBOMs, integrations tests, jira tickets, promotions – and more. But how do you capture this vital attestation information and manage that data so it is available, auditable and actionable?
JFrog serves as the single source of truth for what’s moving through any software factory. With Evidence Collection we now enable organizations to collect signed evidence of any process taken to mature your software and store it against packages, builds, and immutable Release Bundles.
Below is an example of script to run an integration test and attach the result as evidence as part of a CI step:
- name: Integration Test
run: |
source scripts/itest.sh
iTest ${{ vars.VERSION }} > itest_results.json
cat itest_results.json
# Check if there are any failed tests in itest_results.json
if grep -q '"status": "failed"' itest_results.json; then
exit 1
fi
JF_LINK="${{ vars.JF_URL }}/ui/artifactory/lifecycle/?bundleName=${{ vars.BUNDLE_NAME }}&bundleToFlash=${{ vars.BUNDLE_NAME }}&releaseBundleVersion=${{ vars.VERSION }}&repositoryKey=release-bundles-v2&activeVersionTab=Version%20Timeline&activeKanbanTab=promotion"
echo "Test on Release bundle [${{ vars.BUNDLE_NAME }}:${{ vars.VERSION }}](${JF_LINK}) success" >> $GITHUB_STEP_SUMMARY
jf evd create \
--release-bundle ${{ vars.BUNDLE_NAME }} \
--release-bundle-version ${{ vars.VERSION }} \
--predicate ./itest_results.json \
--predicate-type https://jfrog.com/evidence/integration-test/v1 \
--key "${{ secrets.PRIVATE_KEY }}" \
--key-alias CI-RSA-KEY \
--project ${{ vars.PROJECT }}
echo " Evidence attached: integration-test " >> $GITHUB_STEP_SUMMARY
Evidence graph showing all the evidence attached to a Release Bundle
Release Bundles are a central component of JFrog’s Release Lifecycle Management, representing an immutable, multi-technology snapshot of all the packages and components that make up a piece of software – more specifically – your release candidates. Release Bundles are moved as a single unit across the environments in your SDLC, ensuring they can’t be altered at any time and no artifacts or packages are left behind during promotion.
Immutable Release Bundle contents
With evidence collected against a Release Bundle, organizations can define and enforce who, how, and what evidence must be present in order to move that Release Bundle from one stage of the SDLC to another.
For example, an organization may wish to require that in order to move any Release Bundle from QA to Staging a release candidate must have evidence of a successful Integration Test and no Critical CVEs. With just a couple steps in your CI, the required evidence validation and promotion will occur automatically based on query results from the JFrog Platform.
Here is an example of a script for running a policy before promoting a Release Bundle to production as part of your CI:
- name: Call GraphQL
run: |
./scripts/graphql.sh \
${{ vars.JF_URL }} \
${{ secrets.ARTIFACTORY_ACCESS_TOKEN }} \
${{ vars.PROJECT }}-release-bundles-v2 \
${{ vars.BUNDLE_NAME }} \
${{ vars.VERSION }}
cat evidence_graph.json
- name: Run policy
id: run_policy
run: |
result=$(opa eval \
--input ./evidence_graph.json \
--data policy/policy.rego "data.greenpizza.output" |
jq '.result[0].expressions[0].value.approved')
echo "RESULT=$result" >> $GITHUB_ENV
- name: Promote to Production
run: |
if [ "${{ env.RESULT }}" == "true" ]; then
opa eval \
--input ./evidence_graph.json \
--data policy/policy.rego "data.greenpizza.output" |
jq '.result[0].expressions[0].value' > policy.json
cat policy.json
jf evd create \
--key "${{ secrets.PRIVATE_KEY }}" \
--key-alias CI-RSA-KEY \
--release-bundle ${{ vars.BUNDLE_NAME }} \
--release-bundle-version ${{ vars.VERSION }} \
--project ${{ vars.PROJECT }} \
--predicate ./policy.json \
--predicate-type https://jfrog.com/evidence/approval/v1
jf release-bundle-promote \
${{ vars.BUNDLE_NAME }} \
${{ vars.VERSION }} \
PROD \
--signing-key PGP-RSA-2048 \
--project ${{ vars.PROJECT }}
echo " Successfully promoted to 'PROD' environment" >> $GITHUB_STEP_SUMMARY
else
opa eval \
--input ./evidence_graph.json \
--data policy/policy.rego "data.greenpizza.output" |
jq '.result[0].expressions[0].value'
echo "Fail promotion policy check"
exit 1
fi
Even the promotion action itself is important quality control evidence that is stored against the Release Bundle.
With immutable release candidates advanced towards production based on the presence of attestation evidence, organizations can be sure that all software has gone through the required processes, meet appropriate standards, and the releases haven’t been tampered with on the way.
Simplified Release Auditing
If you’re in an industry or region that requires providing proof of the actions you’ve taken to mature software, then you probably care about being able to audit your release process. With JFrog’s evidence collection capabilities, you can attach evidence of any completed process taken against the release from the early stages of the release candidate build step.
All the attestation and process evidence related to a release is stored against the Release Bundle, allowing for single query auditing. If you’re still easing your way into using Release Bundles, you can still attach evidence to a build output or artifact and query that evidence.
Audit trail of a release version that was approved for production
Visibility of every release candidate version in one place
Promoting software with Release Lifecycle Management offers full control and visibility over your release process. You can track and understand where every candidate is in your release pipelines and provide that visibility to the appropriate stakeholders based on their relevant projects. If a release candidate fails, you can identify where it failed so the team can triage and try again with a new release candidate.
Snapshot of release candidates advancing through release pipelines
Governance that balances flexibility and control
The software release process is not a “one size fits all” approach. Development teams have their own pipelines and processes, so trying to force them into standardizing on a single pipeline not of their own design will likely backfire. Release Lifecycle Management allows teams to maintain their own unique release pipelines, but still manage them in one place to enforce maximum organizational standards and guardrails with minimum interference to development operations.
Get started today!
Want faster release deployment, enhanced control, and improved security? Upgrade your CI/CD process with JFrog’s Release Lifecycle Management capabilities and Evidence Collection and see the difference it makes! To learn more, join our live Release Lifecycle Management and Evidence collection, register now for master class.
Register for the Masterclass
To give Evidence Collection and Release Lifecycle Management a try before implementing in your production environment, you can start a 14-day free trial and use our quick start patterns to experience Release Lifecycle Management first hand in less than 15 minutes. Feel free to speak to a specialist from the JFrog team for more information.