Solve the scalability and security challenges of exponential growth across teams, geographies and binaries erupting from the increased frequency of application releases.
JFrog Projects is a new way to manage software development projects and control resource consumption at scale for larger organizations with distributed teams. With JFrog Projects, development teams can now self-serve many of the day-to-day responsibilities of establishing permissions, managing storage thresholds or adding additional team members for themselves.
Remove the setup and configuration bottleneck with preassigned: repositories, builds, pipelines sources and pipeline integrations, for the duration of a software project.
Scaling Across Geography
Federated repositories empower geographically distributed teams to collectively share artifacts and their metadata through the JFrog Platform’s innovative, bidirectional mirroring topology.
Member repositories in multiple deployments can be logically joined to continuously synchronize in a global circle of trust. Federated repositories are simple to configure and manage, improving developer productivity, delivery speed, and cross-site security.
Enable a Zero-Trust Security framework to be constructed around service and tool integrations with your JFrog Platform instance.
Scoped tokens enable you to create security permissions and actions that fit the use cases for each specific integration. Have control over services including repository, builds, release bundles, reports and projects with read, write, delete, manage and execute actions.
Two use cases include; creating a token for a build tool that has Read and Write permissions for a path to a specific repository, or create a deployment tool token that only has Read permissions for release bundles.
Dependency Scanning – Git Repositories
We are extending our ‘Shift-Left’ security posture to include 3rd party dependency scanning directly from your Git repository. By using a JFrog CLI command you can connect directly to your Git repository and analyze the source code and files like the package json file to build a list of dependencies that you’re using in your applications.
Leverage the security policies within JFrog Xray to apply specific actions to different security scenarios. This feature enables you to identify and eliminate open source vulnerabilities as early in the development process as possible.
Signed Pipelines – Building Trust into the Software Supply Chain
Having finely tuned fidelity between what is running in production and what was tested and developed is a foundation of Signed Pipelines, which embeds security into the Software Development Lifecycle (SDLC) rather than layering it across the top.
Signed pipelines create trust in the binaries with new metadata, called PipeInfo, which contains the Software Bill of Materials (SBOM) for the release. This ensures the immutability of software as it progresses through the DEV, TEST, DEPLOY stages of your release lifecycle.
The SBOM is stored as a json file and is cryptographically signed for validation. With Signed Pipelines the promotion of the builds, release bundles, or deployments can be blocked if authenticity can not be verified. Gain visibility and auditability into each step of each pipeline run with comprehensive metadata for traceability through the entire software delivery supply chain.
Cold Artifact Storage
For many businesses with compliance or strict governance policies the long-term storage of software artifacts can be costly. In most cases these are forensic cases and may rarely need to access those artifacts on any regular pattern, but if a critical event does occur, they must still be accessible for analysis, versus deleting to save storage capacity.
With Cold Artifact Storage (CAS) the archived application can be searched and restored on demand by authorized personnel. Now managing the storage and relocation of archived artifacts just got less expensive.
|Software Composition Analysis (SCA) source scanning||Q2|
|Cold Artifact Storage||Beta|