Cloud customer?
Start for Free >
Upgrade in MyJFrog >
What's New in Cloud >

Search





Overview

JFrog brings continuous integration to Azure DevOps through the JFrog Extension. 

 The JFrog extension for Azure DevOps supports:

  • Running your builds while using JFrog Artifactory as the binary repository manager
  • Gaining full traceability of your builds by capturing your build-info from your builds and publishing it to JFrog Artifactory
  • Managing your binaries lifecycle with JFrog Artifactory
  • Auditing your projects and scanning your builds with JFrog Xray
  • Distributing your buil artifacts with JFrog Distribution.

Source Code

The extension is an open-source project on GitHub which you can freely browse and fork.


Installation and Setup

Installing the Extension

The JFrog extension for Azure DevOps is available in the Visual Studio Marketplace.

To install the JFrog extension, execute the following steps:

  • Go to the Visual Studio Marketplace and sign in to your account.*
  • Select the JFrog extension located in the Build and Release section

  • In the JFrog Extension page, click Install.
  • Select the account to which you want to apply the extension and confirm installation.

Installing the Build Agent

General

To run the JFrog tasks, the build agents use three tools: 

  • JFrog CLI: Runs all the JFrog tasks.
  • Maven Extractor: Runs the JFrog Maven task.
  • Gradle Extractor: Runs the JFrog Gradle task.
  • Conan client:  Runs the JFrog Conan task.

Running Artifactory Conan tasks

Any structure on your agent's file. The JFrog Conan task uses the Conan client. The Conan client cannot be installed using the Automatic Installation or the JFrog Tools Installer but is required to be manually installed. To install Conan on an agent, read the "Install Conan" section under Manual Installation.

The tools can be installed on the build agents using one of the following methods.

Page Contents

Automatic Installation

If the build agent has access to the internet, JFrog CLI along with the Maven and Gradle Extractors are downloaded and installed automatically on the agent, the first time they are required.

JFrog Tools Installer

If your agent has no internet access, you can configure the pipeline to download JFrog CLI and the Maven Extractor from a JFrog Artifactory instance, which is configured to proxy the download repositories. 

  • Create two remote repositories in Artifactory:
  • Create a remote repository in Artifactory for downloading JFrog CLI. Name the repository jfrog-cli-remote and set its URL  to https://releases.jfrog.io/artifactory/jfrog-cli/v2-jf/
  • Create a remote repository in Artifactpry for downloading the Maven and Gradle Extractors. Name the URL extractors and set its URL to: https://releases.jfrog.io/artifactory/oss-release-local/
  • Make sure to configure the Artifactory server with the jfrog-cli-remote and extractors repositories in as a service connection in Azure DevOps of type JFrog Artifactory V2.

             

  • Add the JFrog Tools Installer task to your build or release pipeline.
  • Select the Artifactory service you configured.
  • Select jfrog-cli-remote as the target repository to download the JFrog CLI .
    If your pipeline uses the JFrog Maven or JFrog Gradle tasks, select extractors as the repository to download the Maven Extractor.

           

Manual Installation 

Installing JFrog CLI

The extension runs JFrog CLI in the background to run many of its operations. The extension automatically downloads and installs the JFrog CLI on the build agent the first time it's required. However, if your build agent does not have access to the internet, the build will fail when attempting to download JFrog CLI and you'll need to download and install it manually.

To install JFrog CLI on an agent with no internet access:

  1. Create the directory structure on your agent's file-system: $(Agent.ToolsDirectory)/_jf/current/.
  2. Download the latest JFrog CLI version from here. Please make sure to download the executable matching your agent's operating system. Make sure to download the jf executable of JFrog CLI and not the legacy jfrog executable.
  3. Copy the downloaded jf executable to the current directory you created.
Installing the Maven Extractor 

When triggering the JFrog Maven task, JFrog CLI automatically downloads the Maven Extractor jar to the build agent the first time it's required. However, if your build agent does not have access to the internet, the build will fail when attempting to download the file. You'll therefore need to download and install it manually.

To install the Maven Extractor jar on an agent with no internet access:

  1. Create the directory structure on your agent's file-system: $(Agent.ToolsDirectory)/_jf/.jfrog/dependencies/maven/2.28.6
  2. Download the build-info-extractor-maven3-2.28.6-uber.jar and place it inside the "maven" directory you created.
Installing the Gradle Extractor 

When triggering the JFrog Gradle task, JFrog CLI automatically downloads the Gradle Extractor jar to the build agent the first time it's required. However, if your build agent does not have access to the internet, the build will fail when attempting to download the file. You'll therefore need to download and install it manually.

To install the Gradle Extractor jar on an agent with no internet access:

  1. Create the directory structure on your agent's file-system: $(Agent.ToolsDirectory)/_jf/.jfrog/dependencies/gradle/4.24.12
  2. Download the build-info-extractor-gradle-4.24.12-uber.jar and place it inside the "gradle" directory you created.
Installing Conan

For the build agent to be able to run conan builds, do the following:

  1. Access the agent and install conan by following these steps.
  2. Confirm that the conan executable is available in the Path environment variable of the user which runs the build on the agent.

Using TFS 2015

Prerequisites

Node.JS version 8 and above

The build agent requires using Node.JS version 8 and above. To check which version of Node.JS is running on the build agent:

  1. Navigate to the Worker\Handlers\Node folder located under theAgent home.
  2. From the terminal, run node -v.


To upgrade Node.JS on the build agent:

  • Replace the existing node.exe file on the agent with the node.exe file with the required version located in the Worker\Handlers\Node folder under the agent home.

Configuring the Service Connections

To allow the JFrog tasks to work with your JFrog environment, you'll need to configure the following service connections in Azure DevOps.

Service connectionUsed by tasks

 

  • JFrog CLI V2

  • JFrog Tools Installer
  • JFrog Generic Artifacts
  • JFrog Nuget
  • JFrog .NET Core
  • JFrog npm
  • JFrog Pip
  • JFrog Maven
  • JFrog Gradle
  • JFrog Go
  • JFrog Conan
  • JFrog Collect Build Issues
  • JFrog Disacrd Builds
  • JFrog Build Promotion
  • JFrog Publish Build Info

 

  • JFrog Audit
  • JFrog Build Scan

  • JFrog Distribution


Not Using a Public CA (Certificate Authority)?

This section is relevant for you, if you're not using a public CA (Certificate Authority) to issue the SSL certificate used to connect to your JFrog instance domain. You may not be using a public CA either because you're using self-signed certificates or you're running your own PKI services in-house (often by using a Microsoft CA).

In this case, you'll need to make those certificates available for JFrog CLI, which is used by most of JFrog tasks. To make the certificates available for JFrog CLI, you'll need to place them inside the security/certs directory, which is under JFrog CLI's home directory. The home directory default location is $(Agent.ToolsDirectory)/_jf/

Read more about this in the JFrog CLI documentation.

Can't Access your JFrog instance?

For security reasons, the JFrog SaaS service supports only TLS 1.2. Since not all TFS versions support TLS 1.2, you may need to enable TLS 1.2 on TFS.

To enable TLS 1.2 on TFS:
1. Create a file and name and name it: Microsoft.PowerShell_profile.ps1
2. Add the following line to the file:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

3. Place the file in the following location on the TFS machine: C:\Users\<username>\Documents\WindowsPowerShell

Make sure <username> matches the name of the user running TFS and the build agents.

Managing Generic Artifacts

The JFrog Generic Artifacts task supports following operations with JFrog Artifactory:

  • Uploading artifacts to Artifactory
  • Downloading artifacts from Artifactory
  • Copying artifacts in Artifactory
  • Moving artifacts in Artifactory
  • Deleting artifacts in Artifactory
  • Setting properties on artifacts in Artifactory
  • Deleting properties from artifacts in Artifactory

The task triggers JFrog CLI to perform these actions using File Specs. When the task is used for uploading and downloading artifacts, it can also be configured to capture the build-info, which can be later published to Artifactory using the JFrog Publish Build Info task.

When configuring the task, do the following:

  1. Select your configured JFrog Artifactory V2 service connection.
  2. Specify whether you'd like define the File Spec through the task UI or have the task read the spec from a file.
  3. Set the File Spec content or a path to the File Spec.
  4. Set the other task options.
  5. Check the Advanced section for additional options.

Triggering Builds

You can trigger the following builds.

Triggering Maven Builds

The JFrog Maven task allows triggering Maven builds, while resolving dependencies and deploying artifacts from and to Artifactory. The task uses the configured JFrog Artifactory V2 service connection.

The task can also be configured to capture build-info and store the downloaded and uploaded artifacts as build dependencies and build artifacts. The captured build-info can be later published to Artifactory using the JFrog Publish Build-Info task.

You also have the option of filtering out some of the Maven artifacts that will be deployed to Artifactory. You do this by defining one or more include patterns. You can also define one or more exclude patterns. The patterns can include wildcards and should separated by a comma followed by a white-space as shown below.

For more information about Maven repositories, see Artifactory Maven Repository.


Triggering Gradle Builds

The JFrog Gradle task allows triggering Gradle builds, while resolving dependencies and deploying artifacts from and to Artifactory. The task uses the configured JFrog Artifactory V2 service connection.

The task can also be configured to capture build-info and store the downloaded and uploaded artifacts as build dependencies and build artifacts. The captured build-info can be later published to Artifactory using the JFrog Publish Build-Info task.

Behind the scenes, the JFrog Gradle task uses the Gradle Artifactory Plugin to integrate with the Gradle build. In case your Gradle script already applies the Gradle Artifactory Plugin, set the Use Artifactory Plugin option, to let the task know that it shouldn't apply the plugin in the Gradle script.

You should set artifactoryPublish as one of the Gradle tasks in the Task(s) fields. artifactoryPublish is a task that is exposed by the Gradle Artifactory Plugin, and is used for deploying artifacts as well as publishing build-info to Artifactory.

Triggering Npm Builds

The JFrog Npm task allows triggering npm builds, while resolving npm dependencies and deploying npm packages from and to Artifactory. The task uses the configured JFrog Artifactory V2 service connection.

The task can be also configured to capture build-info and store the uploaded files as artifacts in it. The captured build-info can be later published to Artifactory using the JFrog Publish Build-Info task.

For information on npm repositories, see Artifactory npm Registry.

Triggering Nuget and .NET Core Builds

The JFrog Nuget and JFrog .NET Core tasks allow restoring NuGet packages from Artifactory. These tasks also allow publishing NuGet packages to Artifactory. The task uses the configured JFrog Artifactory V2 service connection. The tasks can be configured to capture build-info. The build-info stores the restored packages as build dependencies and uploaded packages as build artifacts. The captured build-info can be later published to Artifactory using the JFrog Publish Build-Info task.

For more information about Nuget repositories, see Artifactory NuGet Repositories.

Triggering Python Builds Using Pip

The JFrog Pip task allows installing Pip packages from Artifactory. The task uses the configured JFrog Artifactory V2 service connection. The tasks can also be configured to capture build-info. The build-info stores the installed packages as build dependencies. The captured build-info can be later published to Artifactory using the JFrog Publish Build-Info task.

Recording all dependencies as part of the build-info

When running the JFrog Pip task inside a Python environment, which already has some of the packages installed, the installed packages will not be included as part of the build-info, if they were not originally installed from Artifactory. A warning message will be added to the build log in this case.

How to include all packages in the build-info?

Running the task for the first time with the Disable local pip cache option checked, should re-download and install these packages, and they will therefore be included in the build-info. It is also recommended to run the command from inside a virtual environment. The Virtual environment setup command field allows this.

 

Behind the scenes, the task uses JFrog CLI as a wrapper for pip. JFrog CLI also includes a caching mechanism, which stores the details of the dependencies locally, making sure they are included in the build-info, even if they are already cached locally. Read more about this here.

Triggering Conan Builds

Conan is a package manager for C and C++.

The JFrog Conan task allows triggering a conan build while resolving conan dependencies from a conan repository in Artifactory. The task uses the configured JFrog Artifactory V2 service connection. It also allows publishing conan packages to an Artifactory conan repository. The task can be also configured to capture build-info and store the downloaded and uploaded packages as build dependencies and artifact. The captured build-info can be later published to Artifactory using the JFrog Publish Build-Info task.

The tasks supports the config installadd remotecreate and upload conan commands. In addition, it supports a custom option, allowing to configure the task to execute any conan command. The full documentation of cona is available at the conan web site.


For more information about Conan repositories, see Artifactory Conan Repositories.

Triggering Go Builds

The JFrog Go task allows triggering a go build, while resolving go dependencies from a go repository in Artifactory. The task uses the configured JFrog Artifactory V2 service connection. It also allows publishing go packages to an Artifactory go repository. The task can be also configured to capture build-info and store the downloaded and uploaded packages as build dependencies and artifact. The captured build-info can be later published to Artifactory using the JFrog Publish Build-Info task.

For more information about Go repositories, see Artifactory Go Repositories.

Collecting Build Issues

Being able to look at the build which was published to Artifactory, and see all JIRA issues associated with it, is one of the most powerful capabilities of Artifactory when it comes to managing metadata about artifacts builds.

The JFrog Collect Build Issues task collects the list of tracked project issues (for example, issues stored in JIRA, GitHub or any other bug tracking systems, and adds these issues to the build-info. The task uses the configured JFrog Artifactory V2 service connection. The issues are collected by reading the git commit messages from the local git log. Each commit message is matched against a pre-configured regular expression, which retrieves the issue ID and issue summary. The information required for collecting the issues is retrieved from a yaml configuration, which is set as part fo the task. 

Here's the yaml configuration structure.

version: 1
issues:
  trackerName: JIRA
  regexp: (.+-[0-9]+)\s-\s(.+)
  keyGroupIndex: 1
  summaryGroupIndex: 2
  trackerUrl: http://my-jira.com/issues
  aggregate: true
  aggregationStatus: RELEASED
Configuration properties

Property name

Description

VersionThe schema version is intended for internal use. Do not change!
trackerNameThe name (type) of the issue tracking system. For example, JIRA. This property can take any value.

regexp

A regular expression used for matching the git commit messages. The expression should include two capturing groups - for the issue key (ID) and the issue summary. In the example above, the regular expression matches the commit messages as displayed in the following example:

HAP-1007 - This is a sample issue

keyGroupIndex

The capturing group index in the regular expression used for retrieving the issue key. In the example above, setting the index to "1" retrieves HAP-1007 from this commit message:

HAP-1007 - This is a sample issue

summaryGroupIndex

The capturing group index in the regular expression for retrieving the issue summary. In the example above, setting the index to "2" retrieves the sample issue from this commit message:

HAP-1007 - This is a sample issue

trackerUrlThe issue tracking URL. This value is used for constructing a direct link to the issues in the Artifactory build UI.

aggregate

Set to true, if you wish all builds to include issues from previous builds.

aggregationStatus

If aggregate is set to true, this property indicates how far in time should the issues be aggregated. In the above example, issues will be aggregated from previous builds, until a build with a RELEASE status is found. Build statuses are set when a build is promoted using the jfrog rt build-promote command.


The yaml configuration can be either be stored as text as part of the task configuration, or stored in a file. The file can be saved in the source control, and fetched, together with the rest of the sources to the build agent. It can then be accesses and used by this task. 


Publishing Build Info to Artifactory

Most of the JFrog tasks can be configured to collect and store build-info locally. The task uses the configured JFrog Artifactory V2 service connection. The collected build info can be then published to Artifactory using the JFrog Publish Build Info task.

For more information about Build Info, see Artifactory Build Integration.

When configuring the task, select your configured Artifactory service endpoints and specify whether you'd like to collect environment variables from the agent and add them to the build-info.

After the build-info is published to Artifactory, it can be accessed from the Artifactory tab in the Build Results.

Promoting Published Builds in Artifactory

To support the artifacts life-cycle, Artifactory supports promoting published builds from one repository to another.

The JFrog Build Promotion task promotes a build, by either copying or moving the build artifacts and/or dependencies to a target repository. 
This task can be added as part of a Build or Release pipeline.

Run these steps to configure the JFrog Build Promotion task:

  1. Select the configured JFrog Artifactory V2 service connection, to which the build has been published.
  2. Specify the name of a Target repository to which the build should be promoted.
  3. Set the Status of the build and optionally add a Comment. These details will be visible as part of the Build History in the Artifactory UI.
  4. (Optional) Set a Source repository for the promotion. 
  5. Unselect the Copy/move build dependencies field to move or copy only the build artifacts the target repository.
  6. To copy and not to move the artifacts to the target repository, select the Copy artifacts option to copy the artifacts to the target repository.
  7. Select Dry run to test the promotion prior to running the build promotion.

BuildInfo

Using Build Promotion in a Release

You can control the life cycle of your artifacts by promoting them from one Artifactory repository to another. Build Promotion can come in handy when embedding it as part of release pipeline in Azure DevOps. To help you achieve this, follow these steps for creating a release which includes the JFrog Build Promotion task.

  1. Create a new Release.
  2. Click Environment and select a template for the release.
  3. Click Artifact and select Build as the source type.
  4. Fill out the rest of the form details.
  5. If you'd like this release to always use the latest build from Artifactory, select Specify a specific build number as the Default version and select one of the available build number i the Build number list box.
  6. If you'd like to promote a specific build number during the release, select Specify at the time of release creation as the Default version:
  7. If you wish to promote the latest build number, select Specify a specific build number as the Default version and then select any build number. Then, click on the Variables tab and add the ARTIFACTORY_RELEASE_BUILD_NUMBER pipeline variable with LATEST as the value.
  8. Configure the Artifactory Build Promotion task as one of your release pipeline tasks. 
    The task uses a build number which will be selected later on, upon creating a release.
  9. That's it, you're done!
    Now you can create the release. The build number that you'll choose is that one which will be promoted in Artifactory.

Audit Project for Security Vulnerabilities with JFrog Xray

The JFrog Audit task triggers an audit of your project dependencies for security vulnerabilities with JFrog Xray. The task uses the configured JFrog Xray V2 service connection. The scan is synchronous, meaning the tasks waits for the scan to finish.

To determine the policy for identifying the vulnerabilities, you can either set a list for Xray Watches or select a JFrog Project or path in Artifactory associated with the policy.

Scanning Published Builds for Security Vulnerabilities with JFrog Xray

The JFrog Xray Scan task allows triggering a build scan with JFrog Xray. For the build to be scanned, it first needs to be published to Artifactory using the JFrog Publish BuildInfo task. The task uses the configured JFrog Xray V2 service connection. When the scan is triggered, Xray starts scanning the build artifacts and dependencies. The scan is synchronous, meaning the tasks waits for the scan to finish.

If the Allow fail build task option is set and Xray is configured to fail the build, the build pipeline will fail, if vulnerabilities are found.

After the Xray scan is completed, a vulnerabilities table is printed to the task run logs, along with a link to the build-info report.


Using Published Artifacts in a Release

Artifacts which were published to Artifactory can be made available for a Release Pipeline. There are two ways to achieve this.

The first way is to  use the Artifactory Download task to download the files during the release. Read more about this in the Downloading Generic Dependencies from Artifactory section.

You can also set Artifactory as an artifact source for the release. This allows downloading the artifacts for a build which was previously published to Artifactory. Read more about publishing builds to Artifactory in the Publishing Build Info to Artifactory section.

Follow these steps to add Artifactory as an artifact source to a Release.

  1. Create a new Release and click on Artifacts | Add




  2. Select the Artifactory source type.




  3. Select an Artifactory service, a build name, and the default version to use.




    That's it! You're done.
    Now, when initiating the Release, the artifacts associated with the defined build are downloaded to the release agent.

Discarding Published Builds from Artifactory

To discard old runs of a build from Artifactory, add the JFrog Discard Builds task to the pipeline.

Run these steps to configure the task.

  1. Select the configured JFrog Artifactory V2 service connction, on which you'd like the builds to be discarded.
  2. Type the name of the build.
  3. Optionally set the maximum days to keep build runs. Build runs which are older will be discarded.
  4. Optionally set the maximum number of builds to keep.
  5. Optionally set of build runs in the form of 10,11,12,... to keep and not to discard.
  6. Check the Delete artifacts checkbox, to also delete the build artifacts and not only the build meta-data.
  7. Check the Async checkbox, to make the action asynchronous. In this case, the pipeline will not wait for the action to finish, but the pipeline will not be notified in case of a failure.

Managing and Distributing Release Bundles

JFrog Distribution is a centralized platform that lets you provision software release distribution. It is a core part of JFrog Enterprise+, managing Release Bundles and their distribution processes, including release content, permission levels, and target destinations. Distribution provides a secure and structured platform to distribute release binaries to multiple remote locations and update them as new release versions are produced. As part of the release flow, release bundles are verified by the target destination to ensure that they are signed correctly and safe to use. 

The JFrog Distribution task allows creating, updating, signing and deleting release bundles. It also allows distributing the release to the edge nodes.

  • The task requires configuring your JFrog Distribution V2 instance as a service connection in Azure DevOps. You can then set the instance you configured as the Distribution service value in the task.
  • The task triggers JFrog CLI to execute the distribution actions.
  •  When creating or updating a release bundle, you need to provide File Specs defining  the artifacts to be included in the release bundle.
  • When distributing a release bundle, you can control the distribution destinations by defining rules distribution rules in a JSON format. Here's an example. 

    Distribution Rules JSON structure
    {
        "distribution_rules": [
          {
            "site_name": "DC-1",
            "city_name": "New-York",
            "country_codes": ["1"]
          },
          {
            "site_name": "DC-2",
            "city_name": "Tel-Aviv",
            "country_codes": ["972"]
          }
        ]
    }

    The Distribution Rules format also supports wildcards. For example: 

    {
        "distribution_rules": [
          {
            "site_name": "*",
            "city_name": "*",
            "country_codes": ["*"]
          }
        ]
    }


Executing JFrog CLI Commands

The extension support a generic JFrog CLI task, named JFrog CLI V2, which allows executing JFrog CLI commands. The command will use the connection details provided by the selected JFrog Platform service connection configured in Azire DevOps, so there's no need to provide the connection details as command options.

Release Notes

2.1.0 (March 28th, 2022)
  1. Support Nuget protocol configuration on Dotnet tasks.
  2. Support custom working directory on JFrog CLI V2 task.
  3. Improve sync deletes flow in JFrog Generic Task by removing a redundant checkbox.
  4. Bug fix: custom working directory on Audit task is not used.
  5. Bug fix: Compatibility issue with Azure DevOps Server.
2.0.3 (January 19th, 2022)
  1. Bug fix: Use flat upload for Nuget and .NET publish tasks.
2.0.2 (January 12th, 2022)
  1. Bug fix: Remove dash from a visible rule that failed verification on Azure Server.
  2. Bug fix: Conan - Show Artifactory Connection Service on "Add remote" only.
2.0.1 (January 2nd, 2022)
  1. Initial release
  • No labels
Copyright © 2022 JFrog Ltd.