<aside> 💡 This is not advertising, only a recommendation. A good product should be known by everyone.

</aside>

An Introduction

Artifactory is made by JFrog. It is a tool for housing and managing all kinds of software artifacts, and it currently supports most mainstream programming languages and package formats. Today I won't go into detail about the product itself; instead, I'll introduce the things that impressed me most.

Installation

Currently there are two installation options: a Docker container or a virtual machine. If you run Kubernetes, a Helm chart is also provided to get you started quickly.

For the POC environment I use Docker Compose, then switch to the Helm chart for the production environment. Our pricing plan is "PRO X," which is sufficient for our current business needs, although it is significantly more expensive than Nexus. "PRO X" includes the X-ray component, which scans software artifacts for vulnerabilities; if you prefer not to use it, you can simply purchase "PRO."

Before you proceed with the installation, there are some important reminders:

Usage Experience

When discussing the experience of using it, it is natural to compare it with Nexus, the most popular artifact management tool. From my personal perspective, I prefer Artifactory. First and foremost, it has a better appearance and more user-friendly interaction. As for basic functionality and features, both are sufficient for our company.

But I've always hated the way permissions are designed. It's weird, and I've been struggling with authorization across the entire platform. Even the official documentation doesn't provide examples of common scenarios or best practices.

X-ray

I believe that X-ray is a highlight of JFrog, especially given the increased focus on software supply-chain security. Note, however, that X-ray is not a tool for detecting network attacks: it scans your software artifacts and audits their dependencies to identify known vulnerabilities. There is also an open-source alternative, Trivy (https://github.com/aquasecurity/trivy). I don't have any personal experience with it, but my friends have recommended it as a great alternative.

Integration With CI/CD

JFrog provides jfrog-cli, so it's easy to integrate Artifactory into your CI/CD process. If the source code violates your security compliance policy, the pipeline fails; this is a mandatory gate before software is rolled out. It also provides a webhook that notifies you if there are any issues.

There are two typical commands: