JFrog at Capital One: Approved, Compliant Software Distribution at Enterprise DevOps Scale

JFrog User conference 2020


Capital One continuously innovates when it comes to enterprise DevOps patterns and compliance at scale.
During the recent swampUP 2020 conference, Wayne Chatelain, Sr. Manager, Software Engineer at Capital One, shared how they use the JFrog DevOps Platform to standardize on a central, production-approved software library – which Capital One calls the definitive library. This is the master copy of all software artifacts, both developed within the company and those sourced from 3rd-parties.

Compliant and Ready for Software Distribution

The definitive software library needs to be:

  1. Secured and compliant – passing Xray’s OSS security vulnerabilities and license checks, as well as Capital One’s extensive battery of further compliance checks.
  2. Vetted and approved for production use – ensuring only approved artifacts are used in the higher environments. 
  3. Drift-resistant: Capital One went the extra mile to eliminate drift — by making sure all production releases and environments use ONLY these approved artifacts. 
  4. Distributed to runtime infrastructure edges across the globe for faster deployments and easy consumption at the last-mile.
  5. Being kept fresh and up-to-date – validating all artifacts have recently passed the compliance checks and have not gone stale.
  6. Tightly integrated with their CI/CD pipelines and automatic compliance checks and processes.

Best Practices for a Production-Approved Software Library

During his talk, Wayne shared the capabilities of the JFrog Platform that Capital One leverages  Artifactory, Xray, JFrog Distribution, and Hybrid Edges — along with their architecture and the API calls that they use (taking advantage of JFrog’s extensive REST API, AQL and metadata capabilities) to achieve the below fully automated, end-to-end process for all builds:

  1. JFrog Distribution creates a Release Bundle (BOM) with all artifacts that need to be distributed.
  2. Capital One created a custom Certification API as part of their Distribution workflow. This API invokes custom rules and automated approval gates to determine if an artifact/build is approved for use. 
  3. All CI/CD pipelines automatically trigger these rules to certify every artifact/build. Certification checks can happen in parallel to other pipeline steps – such as performance/other tests. 
  4. Once an artifact has been certified, it is automatically published to Distribution Edge nodes, with validation that artifacts have reached their destination(s) and are available for download.
  5. Certified artifacts on production Edge nodes then get pulled by the deployment automation pipelines.
  6. To ensure curated artifacts remain in an approved state, Capital One automated the process of expiring old artifacts. This is done by automatically adding custom metadata to all artifacts in the certification process that indicate when they expire and need to be recertified again. 
  7. An automated process removes expired artifacts from Edge nodes, notifies artifact owners, or runs a new build cycle to produce a new artifact that goes through the certification process. They also detect when new versions of libraries are available and update old versions. 

Watch the Capital One Talk

Watch the recording of the swampUP talk to learn how you too can take advantage of the pattern shared by Capital One to create your own definitive software library for your organization.