Binary Lifecycle Management at Scale

Fully Trusted End-to-End Pipelines

Solve the scalability and security challenges of exponential growth across teams, geographies and binaries erupting from the increased frequency of application releases.

Scaling Teams


JFrog Projects is a new way to manage software development projects and control resource consumption at scale for larger organizations with distributed teams. With JFrog Projects, development teams can now self-serve many of the day-to-day responsibilities of establishing permissions, managing storage thresholds or adding additional team members for themselves.

Binary Lifecycle Management at Scale - Projects

Remove the setup and configuration bottleneck with preassigned: repositories, builds, pipelines sources and pipeline integrations, for the duration of a software project.

Scaling Across Geography

Federated Repositories

Federated repositories empower geographically distributed teams to collectively share artifacts and their metadata through the JFrog Platform’s innovative, bidirectional mirroring topology.

Binary Lifecycle Management at Scale - Federated Repositories

Member repositories in multiple deployments can be logically joined to continuously synchronize in a global circle of trust. Federated repositories are simple to configure and manage, improving developer productivity, delivery speed, and cross-site security.

Scaling Binaries

Scoped Tokens

Enable a Zero-Trust Security framework to be constructed around service and tool integrations with your JFrog Platform instance.

Scoped tokens enable you to create security permissions and actions that fit the use cases for each specific integration. Have control over services including repository, builds, release bundles, reports and projects with read, write, delete, manage and execute actions.

Binary Lifecycle Management at Scale - Scoped Tokens

Two use cases include; creating a token for a build tool that has Read and Write permissions for a path to a specific repository, or create a deployment tool token that only has Read permissions for release bundles.

Dependency Scanning – Git Repositories

We are extending our ‘Shift-Left’ security posture to include 3rd party dependency scanning directly from your Git repository. By using a JFrog CLI command you can connect directly to your Git repository and analyze the source code and files like the package json file to build a list of dependencies that you’re using in your applications.

Binary Lifecycle Management at Scale - Git Repository Dependency Scanning

Leverage the security policies within JFrog Xray to apply specific actions to different security scenarios. This feature enables you to identify and eliminate open source vulnerabilities as early in  the development process as possible.

Signed Pipelines – Building Trust into the Software Supply Chain

Having finely tuned fidelity between what is running in production and what was tested and developed is a foundation of Signed Pipelines, which embeds security into the  Software Development Lifecycle (SDLC) rather than layering it across the top.

Signed pipelines create trust in the binaries with new metadata, called PipeInfo, which contains the Software Bill of Materials (SBOM) for the release. This ensures the immutability of software as it progresses through the DEV, TEST, DEPLOY stages of your release lifecycle.

Binary Lifecycle Management at Scale - Signed Pipelines

The SBOM is stored as a json file and is cryptographically signed for validation. With Signed Pipelines the promotion of the builds, release bundles, or deployments can be blocked if authenticity can not be verified.  Gain visibility and auditability into each step of each pipeline run with comprehensive metadata for traceability through the entire software delivery supply chain.

Cold Artifact Storage

For many businesses with compliance or strict governance policies the long-term storage of software artifacts can be costly. In most cases these are forensic cases and may rarely need to access those artifacts on any regular pattern, but if a critical event does occur, they must still be accessible for analysis, versus deleting to save storage capacity.

With Cold Artifact Storage (CAS) the archived application can be searched and restored on demand by authorized personnel. Now managing the storage and relocation of archived artifacts just got less expensive.


JFrog Platform When
Projects Available
Federated Repositories Available
Scoped Tokens Q2
Software Composition Analysis (SCA) source scanning Q2
Signed Pipelines Q2
Cold Artifact Storage Beta


Release Fast Or Die