January 2020 - Initial JFrog Platform GA

JFrog Hosting Models Documentation

Content Type
User Guide

This section describes the general availability release for the initial JFrog Platform, including the general and JFrog product-specific changes applied in the JFrog Platform for Cloud (SaaS) users.

  • JFrog Artifactory 7.0

  • JFrog Xray 3.0

  • JFrog Mission Control 4.0

  • JFrog Distribution 2.0

  • JFrog Pipelines 1.0

Advanced Cloud Environment Settings

Dedicated Cloud NAT IPs Used in the JFrog Platform

Cloud customers that have previously set up whitelisting on their external services (such as LDAP and SAML) to support communication between their external services and JFrog Cloud, need to update their Allow list according to this updated JFrog's Cloud NAT IP list.

Features and Functionality
Unified Experience

The user interface provides a consistent experience across all JFrog products. It is designed to support the most commonly used workflows, including improved package management, security and compliance, and package distribution, continuing to provide you with full flexibility. To support this experience the internal architecture (defined as a JPD) is designed to provide JFrog users with the same user experience across the JFrog products that have been installed.Artifactory System Requirements

To support the different user workflows, the UI is divided into two main modules:

  • Application Module providing an easy to use interface for viewing your packages, builds and artifacts in Artifactory. Including Xray security vulnerabilities and violations, Dashboard topology and trends, Distribution release bundles and Pipelines DevOps automation.

  • Administration Module providing a consolidated place for configurations of all JFrog products (common and product specific). Including centralized settings, such as monitoring (storage, replication, service status), security and compliance, proxies, license and user management. As well as, property sets, backups, indexed resources, database sync and webhooks.

Both modules include an advanced search mechanism.

Flexible Permissions Model

Administrators get fine-grained permissions control over how users and groups access the different resources (repositories, builds, Release Bundles, destinations).

Security and Compliance Across Your DevOps Pipeline

Fully integrated into the JFrog Platform, JFrog Xray protects your artifacts, repositories, builds and release bundles across the entire CI/CD pipeline.

  • Get JFrog's vulnerability database that is continuously updated with new component vulnerability data.

  • Identify security vulnerabilities and license violations according to your organization's needs. A dedicated Security and Compliance section in the UI allows you to set policies and watches on all your JFrog resources.

  • Configure watches and policies with the option to block artifact download, Release Bundle distribution to Edge nodes, and even break Builds.

  • Use advanced filtering that allows you to configure include /exclude patterns when setting indexed resources or when setting a Watch on the resources.

Secure Distribution Process

Manage the creation and distribution of Release Bundles to your Artifactory Edge Nodes. Gain better visibility and traceability into your distribution process with a complete view of all contents and package references of your Release Bundles.

User Interface

The following table is a quick reference to common functionalities in the JFrog Platform, including their new locations and any functional changes.

JFrog Product


Location in the New UI



Custom Base URL

Date Format

Look and Feel Settings

Custom Message

Administration module | General | Settings

Dedicated Artifactory Settings

Administration module | Artifactory

General: Settings, Property Sets

Services: Maven Indexer

Security: Anonymous access, Revoke API Keys, Signing Keys, Trusted Keys, Certificates


Xray Permissions

Administration module | Identity and Access | Permissions

As part of the JFrog Platform permissions unification, permission targets that were previously separated per product are now represented as one permission target with multiple permission options for the different JFrog products. Changes include:

  • Manage Components is now Manage Xray Metadata

  • View Components is now included in the Read permission

As part of the permission migration process:

  • Users/Groups with Xray Admin and Artifactory Admin permissions will be converted to Administrators in the JFrog Platform.

  • Users/Groups with only Xray Admin permissions will be converted to have Read, Manage, Manage Policies and Manage Watch permissions on all the resources.

Administration module | Identity and Access | Users

Administration module | Identity and Access | Groups

  • Manage Policies and Manage Watches are now a global permissions that are enabled on the user or group level. Previously this was a permission option in the permission target.

  • View Watches is now integrated with the Manage Watches global permission. It is not available as a separate permission.

Policies and Watches

Application module | Security & Compliance

  • Manually invoking a re-scan of a watch will apply on all resources defined in the watch. Previously you could set the re-scan on part of the resources.

Dedicated Xray Settings

Administration module | Xray

General: Indexed Resources, Webhooks, Integrations

Deprecated Features

JFrog Product



  • Licnese Control is deprecated. Its functionality is included in the Xray integration and provides richer information and support for additional package types.

  • Stash Search Results: allowing you to save your search results and go back to them later, has been removed.

  • HTTP Requests Are No Longer Supported: as part of hardening our cloud security policy in the JFrog Platform, we no longer support non-secure HTTP traffic requests and have enabled HSTS strict headers which will cause all HTTP requests (including browsers) to be automatically redirected to HTTPS.


    It is recommended to use all HTTPS for all your requests.

    Please note that you will receive a 308 response code if you still decide to use HTTP.

    Also, we deprecated the Legacy TLS 1.0 and 1.1 versions and it effectively enforces the cipher suite floor as well.


  • Out of the box integrations: with Aqua, WhiteSource and Black Duck, are deprecated. Custom integration are still available, supporting integrating to any external source of your choice. The VulnDB integration, now transparently integrated into Xray, provides the industry's most comprehensive security vulnerability database. This eliminates the need for these out of the box 3rd party integrations.

  • Xray Homepage: as part of the JFrog Platform UI unification, this page has been removed.


Internet Explorer

The Internet Explorer browser is not supported in the JFrog Platform. For a list of supported browsers, see Browsers.Supported Browsers

Breaking Changes



JFrog Artifactory

  • Viewing Packages/Builds/Release Bundles: The UI will only load only up to 100 results and up to 100 versions per package/builds/Release Bundle.

  • Removal of support for non-SNI clientsFor improved network security, support for non-SNI (Server Name Indication) clients is removed. If you are using HTTP clients that do not support SNI, your requests for download/upload will fail. To avoid failures, make sure to upgrade your clients to an officially supported version.

  • Required support for 302 HTTP RedirectsDownload requests using clients that do not support 302 redirects will fail in most cases for the following list of package types. To avoid failures, make sure to upgrade your clients to a version that supports 302 redirects.Docker, Debian, Npm, RPM, Generic, Bower, Composer, Conan, Cran, Git LFS, Gradle, Helm, Maven, Pypi and Vagrant.

    See example use case here . See list of approved client versions here.

  • Deprecated the artifactoryonline.com domain: Following previous notifications regarding the deprecation of the artifactoryonline.com domain, backward compatibility for the deprecated artifactoryonline.com domain will no longer be maintained. If you are still using artifactoryonline.com to access your cloud services, please make sure to use servername.jfrog.io/ instead.

  • Egress Traffic Whitelisting

    If you are limiting egress traffic from your network to JFrog Cloud services on AWS, or you have applied such a setting on any of your nodes that are accessing JFrog Cloud services, make sure to extend the list of whitelisted IPs to include theAWS S3 IP ranges.

    Continue to get updated with the latest AWS IP address range changes.

JFrog Xray

  • Component Search: searching for components that are not artifacts in your Artifactory instance, but are known to Xray as a result of its recursive scan capability. This functionality will be available in later JFrog Platform releases.

  • Xray Permissions

    • The Manage Watch permission is now available as a global permission on the user/group level. Previously manage watches was an option per permission target that was defined with a scope of resources. Now, users/groups with the Manage Watch permission will enable permissions for all resources. When upgrading to the JFrog Platform, the permission conversion will remove the Manage Watch permission for all users and groups. After upgrading, this permission will need to be reconfigured for all required users and groups. Defining a scope will be available in later JFrog Platform releases, as part of the Projects functionality.

    • The View Watches permission is deprecated. To view watches, enable the Manage Watches permission option for users/groups.

REST API Changes

New shared base url for all JFrog services

The JFrog Platform release introduces a new unified way to access all JFrog services using a single url, using the following format:

https://<Server Name>.jfrog.io/<Service Context>/

For example:

https://myservername.jfrog.io/artifactory/ https://myservername.jfrog.io/xray/

For backward compatibility, JFrog Artifactory and Xray will continue to work as before:

https://<Server Name>.jfrog.io/<Server Name> https://<Server Name>-xray.jfrog.io/

The following table summarizes the list of changes from previous JFrog products versions to the JFrog Platform.

JFrog Product





Create or Replace Permission TargetCreate or Replace Permission Target


Deprecated APIsDeprecated REST APIs

Ignore Xray AlertIgnore Xray Alert