

This page describes the general and JFrog product-specific changes applied in the JFrog Platform for Cloud (SaaS) users. 

For a comprehensive list, see: Artifactory Release Notes | Xray Release Notes | Distribution Release Notes | Pipelines Release Notes | Mission Control Release Notes.

Unless otherwise stated, the updates below apply to all JFrog Cloud subscriptions.

February 28, 2023

MyJFrog Platform Updates

Generate an API Token in MyJFrog

You can now generate a token that will allow you to make changes to your JFrog account via REST API.

API Allowlist Management in MyJFrog

Added API endpoints that allow you to view, add, and delete IPs from your JPD IP allowlist through MyJFrog.

Checksum Replication API for Target Artifactory

Added a new checksumReplication API that allows you to set the checkBinaryExistenceAllowed flag at the target Artifactory so that only the metadata is replicated from the source Artifactory while the storage level synchronization replicates the artifacts. 

Monitoring Federated Repositories
Administrators can now monitor the status of Federated repositories. Administrators can see whether there are significant synchronization delays between the Federated repositories on the local JPD and other Federation members on remote JPDs. In addition, they can track the number of binaries that the JPD must fetch from other JPDs. For more information, see View Federation Sync Status.
Changing the Base URL for an Active Federation
It is not possible to change the base URL while the Federation that uses it is still active (see Change the Base URL in Federated Repositories).
New Swift Login Command
You can now access Artifactory via the Swift client using the new authentication command (see Configuring the Swift Client to Work Opposite Artifactory).
Force Authentication for P2 Virtual Repositories
It is now possible to Enable Forced Authentication for P2 virtual repositories.
New Release Bundle Retention Management
Added a new Release Bundle retention policy feature for Release Bundles received in Artifactory, which can be configured to run automatically or on-demand using a new set of REST APIs. 
Readme Tab in Package Information
The readme content of a package is now viewable directly from the WebUI for PyPI, npm, NuGet, Cargo, CRAN, Helm, and Swift.
New Custom Environments for Projects

Custom environments enable you to allocate repositories in ways that best serve the needs of your organization. Custom environments can be created at the global level, where they are available for users of all projects, or at the project level for the members of that project. At the project level, specific roles can be assigned to custom environments, which enable you to implement a more granular permissions model for that project. 

NuGet SetMeUp Enhancements
The NuGet SetMeUp in the JFrog Platform UI now includes support for NuGet V3.
Repository names starting with a number
Artifactory repositories can now have a name that starts with a numeric character.
Updated the Get Token by ID and Delete Token by ID
Users can now fetch the reference token details using either the token-id or their own token (me). 

YAML Validator for Values YAML
The YAML validator now includes a tab to validate values in the YAML.
Retention Policy Enhancements
Enhanced retention policy's system configuration properties to allow setting retention cron's hours interval, days of the week, and time zone (see Setting Retention Policy).
Error Status Code for Test Connection
Users can now see upstream status codes when adding/editing integrations when clicking the Test Integration button.
Download Run State
Removed the auto-creation of Pipeline's step run state archive that can be downloaded from the UI. This can be re-enabled for debugging by using a newly-introduced environment variable called JFROG_PIPELINES_RUN_STATE_DEBUG (see Creating Stateful Pipelines).
Develop and Test Templates
You can now develop and test templates before they are released for general consumption. This helps in reducing the lifecycle of developing and using a template. Templates can be developed and tested from your local SCM repository and released to a wider audience only when you are ready to do so (see Develop and Test Templates).
Trigger Run with Custom Run Number
When triggering a run with custom parameters, you now have the option of setting a custom run number for the next run (see Run Configurations).
Reset Resource Button Removed from Run View
The Reset Resource button has been removed from the Resources tab in the Run view. However, it will continue to be available in the Resources tab of the dashboard and in the Graph view.

January 31, 2023

Support for Custom Webhooks

Custom Webhooks are Webhooks whose HTTP request headers and payload can be fully customized to adapt to any target service, such as GitHub actions, Gitlab pipelines, Jenkins jobs, Slack, and more. Custom Webhooks trigger events with the format expected by the vendor. 

Ability to Edit the Live Logs Buffer Size 
You can now set the Live Logs buffer size using the Artifactory System YAML configuration readBlockSizeKB.
Support to Select Whether an Access Token Gets the "force revocable" Flag in the Access REST API 

The "force revocable" flag in the tokens has been removed as a default setting and is now a Boolean parameter called "force_revocable" in the Create Token REST API. When the "force_revocable" param is set to true, we will add the "force_revocable" flag to the token's extension.

In addition, a new configuration has been added that sets the default value of "force_revocable" when creating a new token. This configuration defaults to "false" to ensure that the Circle of Trust remains in place.

Conan Metadata Calculation has been Optimized
The time required to calculate metadata for Conan has been reduced by up to half. 
npm Login Method has been Updated

The Web Login method for npm is now supported.

Generate Violations by Specific Vulnerabilities

You can now create a security policy with the ability to generate violations for specific vulnerabilities (CVEs). 

Jira Integration Enhancements

The Xray Jira Integration feature has been enhanced to support creating Jira tickets manually for any violation from Xray's UI. In addition, you can now create one Jira ticket for all the information regarding all affected components instead of creating a Jira ticket for each component. 

JFrog Advanced Security Scan Existing Artifacts 

You can now run Contextual Analysis and perform Exposures Scan on an existing artifact from the Scans List page. This feature is also supported through the REST API. 

Exposures Additional Scanners
The Services category in Exposures has been expanded with 7 new scanners for NGINX configuration issues. 
UI Improvements

Added a number of UI improvements in the Scans List to the Vulnerabilities and Exposures categories screens.

preRun and postRun Steps

In the pipelines section in your pipelines YAML, you can now configure two optional steps:

  • preRun: This is an optional step. When configured, this step will always run at the beginning of a pipeline. This is useful when you want to run some checks at the beginning of a run.

  • postRun: This is an optional step. When configured, this step will always run at the end of a pipeline. This is useful when you want to run some checks at the end of a run.

UI for Adding Pipeline Source via Template Deprecated

As of this release, the From Template UI option for adding a pipeline source is deprecated. However, global and system templates can now be added using pipelines YAML (see previous item).

New Templates Flow

With this release, Pipelines templates have been improved to offer a simpler and more flexible user experience that is completely based on pipelines YAML.

Changes to the Node Pool
  • Node Pool for Custom Run: When triggering a custom run, you now have the option of selecting the node pool for the pipeline and individual steps.
  • Node Pool and Node Name and Stats on Run Dashboard: During a run, the run dashboard page will now display the name of the node pool and node as clickable links, and the status of the node being used for the run.
  • Editable Kubernetes Node Pools Intervals: You can now edit the node idle interval for custom Kubernetes node pools.
New Admin Views
Project and system-level admins can now create custom admin views for pipelines using simple wildcard patterns on pipelines name or branch name. When a view is created for a Project, it will be visible to all users of that Project. Up to 10 views can be created per Project. 
Approval Gates Improvement
The approve/reject link will now be disabled for the users that do not have necessary permissions.

December 31, 2022

New Platform Security APIs 

These new Security APIs replace the previous Security APIs, which are planned to be deprecated at a later stage. The new APIs address aspects of JFrog Platform security and access, such as users, groups, permissions, tokens, and more. For more information, see Security REST APIs.

Platform-specific REST APIs Moved to a Dedicated Page
All REST APIs that are not specific to Artifactory - but are relevant to the JFrog Platform as a whole - have been moved to their own documentation page called JFrog Platform REST API. Here you will find all the APIs that were previously on the Artifactory page, including Security, System and Configuration, Support, Access, Projects, Router, and Webhooks. You will also find links from the existing Artifactory API page to the relevant sections in the new page.
npm Deprecation Flow Improvements

Simplified the npm deprecation handling flow - npm deprecations will now be reflected in the package.json file, and the npm client will return an appropriate error in the case of lacking permissions (note that if you have a large number of deprecated npm packages, upgrading Artifactory will cause Artifactory to start with a few seconds delay).


Federated Repository Multi-Version Support

Multi-version support enables the members of a Federation to run different versions of Artifactory, even if the version at one site includes configuration features and values that are not supported on the versions running at other sites. Thanks to multi-version support, future upgrades after Artifactory 7.49.3 can be performed on one site at a time, eliminating the need for simultaneous upgrades across all locations.

Whenever an instance with a new Artifactory version is introduced to the Federation, the configurations of the other members are retrieved and a negotiation process checks for new and upgraded features that are not supported on the older versions. If there are new features that older versions do not support, the new feature is disabled. For upgraded features, a default value is chosen that is supported on all member versions. 

Multi-version support requires Artifactory 7.49.3 and above. Therefore, it is a prerequisite of this feature to upgrade all Federated repository members to Artifactory 7.49.3. After this has been done, multi-version support is enabled for all versions going forward. 

Federated Repository Monitoring 

This new feature enables you to monitor the status of Federated repositories using a set of dedicated REST APIs. Use these APIs to get the status of the Federation for a specific repository, including task status, pending event status, server lag time, and the number of fully (binary and metadata) and artificially (metadata only) replicated artifacts. In addition, you can use these APIs to get a list of Federation mirror lag times and a list of unsynchronized mirrors.

The new monitoring features become available after the one-time database optimization process (which is part of the upgrade to this version) is complete.

New Variable for SCM Repository Name

A new variable, {{ sourceRepository }}, has been introduced to replace the SCM repository full path during Pipelines sync. For more information, see GitRepo.

New OOTB Global Template
A new template to promote a BuildInfo resource is now available out of the box. For more information, see PromoteCI.
Support for Multiple Operating Systems in Matrix Step
In the matrix native step, steplets can now be configured to execute in parallel on multiple node pools with different operating systems. For more information, see Multi-node pool Matrix.
New Custom Views
Non-admin users can now create custom personal views for pipelines using simple wildcard patterns on pipelines name or branch name. Up to five views can be created per Project. For more information, see Custom Views.
Ability to Add Description
A new utility function, update_run_description, has been introduced, which can be used to add custom text to every run. This is useful for providing more context for a run. The run description can be updated at any time. For more information, see update run description.
View Git Repo Event for Runs
The Overview section in the Pipelines UI will now show the git repo event (such as, commit details, pull request details, tag details) that triggered the run, along with a link to the commit SHA.
New Status Icons
The Active Runs, Node Pools, and Extensions & Templates pages now use new Status icons.

November 30, 2022

Red Hat SQLite Support
Xray now supports the new Red Hat format, SQLite, for storing RPM OS package information.
Xray OCI Container Scans Enhancement

Docker and OCI image tarballs built with Kaniko and Podman can now be scanned using JFrog CLI jf scan command.

Enhanced Reports Ignore Rules Info
Ignore rule status and notes are now added to the exported reports. 
Security Policy Enhancement
A new condition for generating a violation on a malicious package was added to the Security Policy. 

New OOTB Global Templates

The following global templates are now available for use out of the box:

  • GoCI
  • GradleCI
  • MavenCI
  • NpmCI
Share Integrations across Projects

Projects admins can now share integrations across multiple Pipelines to allow members in more than one project to use them.

New Utility Function
Added a new utility function to end a step early, setting the step status to success, failure, or skipped. 
Conditional Workflow to Support Variable Conditions
Added a new conditional workflow to execute a step depending on run variables. 
Sync a Single Branch
The Pipelines UI now includes a new toggle to sync only a single branch when a new multi branch pipeline source is added. To sync the new branch, users can perform a commit in that branch or can directly fetch branches in the UI. 
Support for ARM64 Ubuntu 20.04 and MacOS 12 Static Build Nodes
Added support for ARM64 Ubuntu 20.04 static build nodes and Bash steps to be run on MacOS 12.x static nodes.
Pipeline Source Page Enhancements
  • Pipeline Sources page divided into two sections: Top-level page and a dedicated page for the Pipeline Source's branches.
  • A new search API for Pipeline Sources with pagination support.
  • Introduced more alignments with the new look and feel.
  • More performance improvements to load the Pipeline Sources page faster.
  • Updated the Pipeline Sources Admin page design to match the non-Admin page.

October 31, 2022

JFrog Advanced Security

Announcing JFrog Advanced Security Pack! The new security pack can be purchased with Cloud Enterprise X and Enterprise+ subscriptions, and contains the following features:

  • Vulnerability Contextual Analysis: An industry first; scan containers and packages to prioritize whether OSS vulnerabilities are actually exploitable.
  • Exposed Secrets: Detect any secrets left exposed in any containers stored in Artifactory to stop accidental leaks of internal tokens or credentials.
  • Insecure use of libraries and services: Detect whether common OSS libraries and services are used and configured securely so that containerized applications can be easily hardened by default.
  • Infrastructure-as-Code (IAC): Scan IaC files stored in Artifactory for early detection of cloud and infrastructure misconfigurations. Xray scans Terraform states for AWS, Azure, and GCP cloud services.
Conda Packages Support

Xray can now scan Conda packages that contain python packages and their dependencies for security vulnerabilities, license compliance and operational risk.

On-Demand Scanning Enhancement 
When the JFrog CLI tool executes an on-demand scan, it first downloads the Xray executable from the Xray server. Until this release, a native M1 version of this executable was unavailable. For an on-demand scan on an M1 machine, the Intel X64 version of the executable had to be used, which required Rosetta 2 emulation. With this release, a native M1 version is available and the need for Rosetta 2 has been removed.
Expand Support to Additional General Archive Types/Formats
Added support in Xray for additional compression and general archive formats and extensions (.rar, .tbz2, tar.bz2, tar.lzma, .tlz, .tar.xz, .txz).  

Support for Multiple Pipeline Sources per Repository
Pipelines now supports the creation of multiple pipeline sources per repository. This change significantly improves the performance of your pipelines sync.
Secure Project Integration Information

Project integration information is now protected when handling public Git repositories.

Allow Failure in Conditional Steps

A new boolean option called allowFailure has been introduced for conditional steps. The allowFailure option can be set for individual steps and can be used to ignore the current step’s failure while computing the final status of the run. 

New Utility Functions to Store and Restore Files between Steps in Affinity Group
Added add_affinity_group_files and restore_affinity_group_files utility functions to more easily use the affinity group workspace to share files between steps in an affinity group. 
New Runs Charts

Pipelines runs charts show the behavior of the runs for the selected number of runs.
The following charts show how the runs performed:

  • Run Performance: Shows the median build time for the runs categorized based on the first and last build.
  • Execution Frequency: Shows the average runs.
  • Runs Status: Shows the run status and the time taken for each run.

30 September, 2022

Access Token Scope Added to the WebUI 

The scope of a user's access token (also known as a scoped token), has now been added to the JFrog Platform WebUI (in addition to the existing API endpoint) as a new column in the Security page. 

User/Group WebUI Enhancements
Enhanced the User/Group WebUI with the following updates:
  • Enable sorting users in tables by additional columns 
  • Enable partial search by name/email in tables
  • Improved the loading time of Users in the Groups page
  • Improved the loading time of Users/Groups in Permission Targets
Webhooks WebUI Now Supports Using the Secret for Signing the Payload 
When creating Webhooks and defining a secret authentication token, the administrator can determine the way in which the Webhook's secret token should be used:
  • As the X-JFrog-Event-Auth HTTP header, so that the token can be used by the service that receives the event to authenticate the event emitter.
  • To sign the event payload, in which case the secret token must not be passed as a header.

To support both options, the backend was updated to also send an HTTP header containing the payload hash value calculated based on the secret token (this hash value should be computed based on SHA1 or SHA256). With this release, the JFrog Platform now supports setting the secret for payload signing through the WebUI. 
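The receiving side of the two modes described above, as an added example that is not JFrog's code. Assumptions: the payload hash is treated as a hex-encoded HMAC keyed with the secret, and the header carrying it is given the hypothetical name `X-Example-Payload-Signature`, because the page names neither the construction nor that header; only `X-JFrog-Event-Auth` comes from the page.

```python
import hashlib
import hmac

# Named on this page: carries the secret itself in header mode.
AUTH_HEADER = "X-JFrog-Event-Auth"
# Hypothetical name: the page does not say which header carries the payload hash.
SIGNATURE_HEADER = "X-Example-Payload-Signature"

# The page states the hash is based on SHA1 or SHA256.
_DIGESTS = {"sha1": hashlib.sha1, "sha256": hashlib.sha256}


def compute_signature(secret: bytes, body: bytes, algorithm: str = "sha256") -> str:
    """Hex HMAC of the raw request body (assumed construction, see lead-in)."""
    if algorithm not in _DIGESTS:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return hmac.new(secret, body, _DIGESTS[algorithm]).hexdigest()


def verify_event(headers: dict, body: bytes, secret: bytes,
                 signing_mode: bool, algorithm: str = "sha256") -> bool:
    """Return True only if the event proves knowledge of the shared secret.

    signing_mode=True  -> compare the payload hash header against our own
                          computation over the exact bytes received.
    signing_mode=False -> compare the secret carried in X-JFrog-Event-Auth.
    Both comparisons are constant-time to avoid leaking match length.
    """
    # HTTP header names are case-insensitive.
    lowered = {k.lower(): v for k, v in headers.items()}

    if signing_mode:
        received = lowered.get(SIGNATURE_HEADER.lower())
        if received is None:
            return False
        expected = compute_signature(secret, body, algorithm)
        return hmac.compare_digest(
            expected.encode("ascii"),
            received.strip().lower().encode("utf-8", "replace"),
        )

    received = lowered.get(AUTH_HEADER.lower())
    if received is None:
        return False
    return hmac.compare_digest(received.encode("utf-8", "replace"), secret)


# Constructed sample event and secret, for illustration only.
SAMPLE_SECRET = b"constructed-demo-secret"
SAMPLE_BODY = b'{"domain":"artifact","event_type":"deployed","data":{"path":"a/b.jar"}}'
```

Hash the raw bytes as received, before any JSON parsing or re-serialization, since re-encoding changes the bytes and therefore the hash.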

AQL Search Speed Improvements 
Improved AQL internal search mechanism to support running faster queries, from several days to seconds. 
Helm Indexing Improvements
Improved the speed when indexing Helm Charts in Helm repositories.
Native Browser Scrolling Enhancement 
Added an option to scroll through your artifacts and view all package contents in the Native browser. 
Cargo Indexing Enhancement 
Added support for alternative indexing in Cargo repositories based on the sparse index specifications, instead of the jgit server.
Newly-Designed Received Bundles Table

The Received Bundles table in the JFrog Platform has been updated to support easier search and filtering for Release Bundles. These updates include:

  • Improved search that enables you to find any Release Bundle by name or by using a wildcard together with other Release Bundle details
  • All Release Bundles are pulled using the REST API, ensuring that you can search for any Release Bundle regardless of when it was released
  • Release Bundles can now be sorted according to name, latest version or creation date
Improved Distribution and XRay integration

The improved integration allows Distribution to retry triggering XRay scans for Release Bundles in cases where XRay is not available (previously this required manually triggering via API).

Allow Including/Excluding Patterns for Syncing User Entities with Access Federation
Added the option to define include or exclude patterns for users.


This feature is experimental. We recommend reaching out to JFrog Support for assistance with configuring this, as it may affect other Federation setups.

31 August, 2022

Selecting a Specific GPG Key to Sign a Release Bundle Version

When signing a Release Bundle version, you can now choose the signing key to use to sign the version through the Distribution UI (key selection was previously supported only through the APIs).

Release Bundles UI Enhancements
  • Added a new filter search and the total count for both Distributable and Received Release Bundles.
  • From this release, the checkbox Auto create missing repositories is displayed for all Release Bundle distributions (not only PDN), replacing the Target Repository Auto-Creation checkbox (the functionality remains the same). 
Storage Trends Label Update

The % change label in Insights has been updated to % change in space in the Storage Graph when you click on the Growth tab in the Storage Trends drill down.

New Scans List

The Scans List page combines the Xray scans list into a single screen and enables you to view details for repositories, builds, release bundles, and packages. For each of these items, you can drill down further to view the Policy Violations, software components, and security issues. We've also added REST API support for this feature.

Ignore Rules Improvement
When an ignore rule expires or is deleted, in some cases, it requires a manual rescan for the violations to reappear. Xray will now automatically rescan for violations if the number of artifacts impacted by the ignore rule is less than 50. The number is limited to avoid any performance impact. A full rescan may still be required for expired ignore rules that impact a large number of artifacts.
Improved Impact Analysis Performance

Introduced the following performance improvements:

  • When a new vulnerability is published or when its data is updated, the impact on your artifacts is analyzed and the results are updated. This may cause performance issues when there are many artifacts and components. To avoid performance issues the impacts analysis process is now only applied on High Profile CVEs (JFrog Security CVE Research and Enrichment) and will no longer be applied on all CVEs.
  • When the license for a package is updated in Xray's DB, the new information is reflected only on scanned artifacts (or rescanned) after the DB is updated.

New UI enabled by default

The Pipeline and Run views now use the new UI by default. The new look and feel were introduced in June 2022. If required, you have the option of switching to the old UI.

Native Steps Enhancements
  • All Pipelines native steps now support JFrog CLI v2.
  • DockerBuild native step now supports multiple Image and FileSpec resource inputs. 
  • Pipelines now allows other step types between DockerBuild and DockerPush native steps. These steps must still be in the same affinity group.
  • Added optional namespace setting in the configuration section of HelmDeploy native step. 
Logstash Integration to reqKick

Added build node and Logstash integration for Pipelines agent logs.

Branch Dropdown Wildcard Support

In the Pipeline dashboard, the branch and pipeline dropdowns now support wildcard search.

Test Tab Enhancements

In the Run view, the test tab has been enhanced as follows:

  • Shows the test results summary, with an aggregate count for Success, Failure, Error, and Skipped
  • Includes a tab for each of the test results section - Success, Failure, Error, and Skipped and each tab:
    • Includes a list of test suites and test cases with the test name, duration, and path details
    • Shows a summary of test statuses (Success, Failure, Error, and Skipped) at the test suite level
    • Shows error messages for error and failure tests
Re-Trigger Run Option
The Run view now includes a re-trigger button, which enables you to re-trigger any run using either the run's original settings or customized settings.
YAML Validator
Pipelines introduced the YAML Validator, which enables you to validate your YAMLs before committing them to the SCM. The YAML validator can be used to validate your YAMLs for both semantic and syntactic errors. 
Native Steps Enhanced to Utilize Affinity Groups

A new get_affinity_group_step_names utility function has been introduced to find steps of a particular type in the same affinity group. In addition, NpmBuild and NpmPublish, and GoBuild and GoPublishBinary native steps will now store files locally when in the same affinity group to reduce the time required to run these steps.

Global Environment Variable in Pipelines
Pipelines now provides the ability to expose Global Environment Variables to the entire Pipelines ecosystem. The global environment variables are available for use in runs and steps. 
Hello World OOTB Template

A new global template called HelloWorld is now available for use out of the box. The template showcases a few of the basic features of Pipelines:

  • Parallel steps
  • Reading and writing variables that persist across different steps in your pipeline
  • Reading from and writing to resources
  • Setting environment variables
  • Optional GitRepo resource so that users can experiment via the values.yml

Additionally, a sample pipeline that uses this template will be pre-installed for Pipelines users who have not yet created any pipeline source.

Custom Dynamic Nodes on Cloud 
Cloud users can now create custom dynamic nodes (using user-defined integrations) and customize all the relevant settings. Users can select any cloud provider with no restrictions on settings, such as machine type, region, and others.
Ability to Change Resource Static Fields
Lifted restrictions on updating some tags from their original values in resource configurations.

31 July, 2022

Added a Full Broadcast Function to the Access Federation UI
Added the option to trigger a full broadcast from a specific Access Federation source via the Access Federation UI. 
CRAN Local Repository Improvements
Aligned the CRAN Local repository to follow the CRAN spec when populating the Archive folder by introducing the following enhancements:
  • Added the cran.archiveMover.enabled system property that will allow the storage of the archives in the correct hierarchy.

  • Added a new Move Archives CRAN REST API, which moves the existing archives to the correct location (if the system property is enabled).

Swift Registry Supported on Self-Hosted deployment
Swift Registry support has been expanded to support both cloud and self-hosted deployments.
Debian Repository includes Support for Debian Snapshots 
From Artifactory 7.41.4, Debian repositories include support for Debian Snapshots and can be used in the following scenarios:
  • As backups, allowing you to easily fall back to previous versions in case of package corruption due to dependency changes. 
  • For release purposes, whereby the tested Packages file can be immutably saved and served.
Users with Repository Management/Deploy Permission can View/Use the Trash Can Repository 
With this release, two changes have been implemented to the Trash Can:
  • Users who have deploy or manage permissions to any repository will be able to view the Trash Can and to view files in that repository of origin
  • Users who also have delete permissions to their repository will now also be able to restore them without requiring admin assistance (they will not be able to view or restore any other repositories). 

30 June, 2022

Support for a New User Scoped Token for Distribution to the Source Artifactory (Breaking Change)

With this release, user permissions will be enforced when distributing to the source JPD. This means that only users with read and deploy permissions on the target repositories can distribute release bundles to the source Artifactory, and only users with delete permissions for the target repository can delete these bundles.

API Update

The API to propagate the GPG key pair to a newly added Distribution Edge has been updated.

Swift Registry Support

Artifactory now natively supports a dedicated Swift Registry. Swift is most widely used as the go-to language for iOS and all the other Apple OS-app development, and the registry gives you full control of the deployment and resolution process of your Swift packages and their dependencies. With the introduction of Swift support in Artifactory, you can create secure and private local Swift repositories, as well as remote Swift repositories to proxy remote Swift dependencies and cache downloaded Swift packages.

Storage Summary Improvements
The default threshold for updating the Storage Summary page has been modified to minimize the load.

Rest API Enhancements

Introducing the New Pipeline and Run Views
The Pipeline and Run views have a fresh, new look. These views have been completely revamped to provide you with an easier, simpler, and more intuitive user experience. In addition, you have the option of switching between the old and new views whenever required.
Support for AWS USW1 Region
Pipelines now supports AWS build nodes in the us-west-1 region.
Trigger Pipeline Endpoint Enhancements
Added support for using resource versions from a previous run. In addition, resource versions can now be overridden in a pipeline re-run. For more information, see Trigger Pipeline API.
Bash and PowerShell Scripts Enhancements
Implemented enhancements to the steps on Bash and PowerShell to execute their onFailure and onComplete sections when a step is canceled or times out.
Improved Extension Source Sync Logs
Improved extension source sync logs to show more errors when there are multiple errors in the extensions to be synchronized.
Specify Image Version in a Step as a String
The runtime section of the Pipelines YAML has been enhanced to allow for specifying a single "version" instead of an array of "versions" when selecting a pre-existing language image.

31 May, 2022

New On-Demand Scan REST API

Introduced a new REST API that will enable you to delete on-demand scanning results using the JFrog CLI. 

Operational Risk Reports

You can now generate Operational Risk reports as one of the Xray report types. In addition, you can also view Operational Risk violations in the Violations report type.

TriggerPipeline Native Step (Beta Version)

The TriggerPipeline native step will trigger another step and wait for the resulting run to complete before continuing. This enables you to embed another pipeline inside your existing pipeline. A new integration called JFrog Platform Access Token Integration has been introduced to support this feature. 

System-level Control Setting for Non-root Users

Pipelines admins can now use a system-level setting to enforce use of only those node pools that are configured with non-root. When the enforceNonRootNodes global setting is set as true, it takes precedence over the non-root user setting configured in the UI (currently supported only in Ubuntu 18 and Ubuntu 20).

Trigger Pipelines API

Introduced a new API to trigger a pipeline that enables you to:

  • Trigger all the steps in the pipeline with default environment variables and the latest resources.
  • Trigger specified steps in the pipeline with custom environment variables and resource versions.

30 April, 2022

Full JFrog Support for Terraform Packages

JFrog provides a fully-fledged Terraform repository solution, which gives you full control of your deployment and resolution process of Terraform Modules, Providers, and Backend packages. This solution includes both the Terraform Registry and the Terraform Backend Repository in the JFrog Platform.

Token Enhancements

Scoped Admin Access Tokens: From Artifactory release 7.38.4, JFrog enables companies to create their own admin-scoped access token without using the JFrog Platform UI or via another token. 

New Identity Token Format and API Key Replacement: Artifactory release 7.38.4 includes a new Identity Token format, also called a Reference Token, which can also be used to replace the API Keys that will be deprecated in a future version. The new Reference Token includes an option to create a "shortened," 128-character key, thereby providing an alias for the Identity Token.

Added PKCE Support for OAuth Integrations

Artifactory now supports enabling the PKCE extension over OAuth, which provides an additional level of security and serves as an alternative to the basic Secret mechanism. Selecting the Enabled PKCE field in the OAuth Provider dialog in the UI (see Enabling Authorization Code Flow with PKCE) enables this feature and automatically disables the Secret option. Please note that backward compatibility for the Authorization Code Flow without PKCE is retained.

Enforce Internal Dynamic Search of Attributes in LDAP Groups 

Introducing new functionality for the LDAP group dynamic strategy, which enforces dynamic internal search of attributes in a group by setting <forceAttributeSearch>true</forceAttributeSearch> in the Config descriptor.

Maven Non-Preemptive Authentication for Local, Remote, and Virtual Repositories

An enhanced Maven authentication mechanism has been implemented in Artifactory to eliminate the need to perform authentication prior to checking if a package is located in local, remote and virtual repositories. With the new authentication mechanism, when reaching Maven-local-three (which requires authentication), instead of first performing authentication and then authorization, Artifactory will check if the requested item is located in the repository. If the requested package does exist, it will proceed to perform authentication and authorization. If not, a 404 error message will be triggered.

Anonymous Users can be Routed to Login Page by Default

To provide anonymous users in the JFrog Platform with an improved navigation experience, you can set all anonymous users to be routed to the Login page by enabling the new 'Set the Login page as the start page' option on the Anon User page.

GAVC Search REST API Supported on Virtual and Remote Repositories

Maven users can now search by Maven Coordinates (GAVC: GroupID, ArtifactID, Version, Classifier) on remote and virtual repositories, in addition to the existing support for local repositories. For more information, see the new parameters added to the GAVC Search REST API.

Added Support for Custom Ports to be Exposed on the NGINX Pod 

As part of the alignment of the JFrog Platform with the conventional Kubernetes YAML syntax for container ports, we have added support for comments in the values.yaml file. The syntax is self-explanatory, as it is traditional Kubernetes YAML syntax, and allows you to pass additional ports, other than the HTTP and HTTPS ports, to the NGINX deployment and service in the values.yaml file.

New Webhook to Support Pull Replication from Remote Repositories   

The newly added 'Cache' webhook event is triggered for Pull Replication events occurring opposite remote repositories. Note that for push replication, you should use the 'Deployed' event. For more information, see the Domain Artifact section.

Extended the Priority Resolution feature to Support RPM Packages

You can now declare local and remote repositories as ‘safe’ by enabling the ‘Priority Resolution’ field for Local Repositories and Remote Repositories for RPM packages.

Support for Components Operational Risk

Xray can now provide information about the operational risk of using open source software components. These include the risk of using outdated versions or inactive open source software components in your projects. In the current version of this release, we provide operational risk information for Maven and npm packages.  

31 March, 2022

Artifactory as Your Symbol Server  

Cloud customers can now benefit from the following advanced Symbol Server features:

  • Publishing while indexing your Symbol packages to Artifactory from your NuGet Client v3 together with your NuGet packages or as separate Symbol packages
  • Resolving Symbol files (.pdb) from virtual and local repositories in the JFrog Platform
  • Resolving Symbol files from remote proxies. For example,
  • Debugging the Symbol files hosted on Artifactory using the Visual Studio debugger tool.

Build-Info Repositories can be Shared Across Federated Repositories

The Federated repository feature has been expanded to support adding Build-Info repositories as federated members within a Federation using a dedicated Convert Build-Info Repository to a Federated Repository command.

Components Physical Path

Xray now displays the physical path (location) of a vulnerable component in an artifact. This information is displayed in the impact path graph within the CVE, export formats of Xray scans, and in the Violations and Vulnerabilities Xray Reports.

Exclude Violations with No Available Fixed Version

Introducing a new capability in Xray Policies, whereby you can set a policy rule to not generate violations for security issues that do not contain a fixed version. This new capability will help you improve your security workflow in enabling you to exclude violations at the Policy level, by not failing builds for issues that do not contain a fixed version. Whenever a fixed version is available, the violation will be generated.

Rootless Docker Support

Pipelines now supports rootless Docker for Ubuntu 18/20 build nodes (AWS/GCP - Ubuntu 18/20, Azure - Ubuntu 20, Static nodes - Ubuntu 18/20). Rootless Docker helps avoid giving the Docker container root access.

HelmDeploy Native Step Enhancement

The HelmDeploy native step now allows both HelmChart and GitRepo as input resources at the same time. 

Run Variables as Build Parameters

This enhancement enables run variables to be used in variable placeholders in the build parameters of a Jenkins step.

28 February, 2022

Announcing the Integration Microservice

Released the new Integration micro-service (as part of the JFrog platform), which is responsible for third-party authentication and event registration.

Binding Tokens

Introducing a new type of access token called a binding token, which allows trust to be bi-directional. Binding tokens provide a full self-service for Cloud Enterprise customers that can build customizable binding to the other JPDs on their own. 

Federated Repositories Now Supported for Cloud Customers 

With this release, using the new Binding Tokens, you can set up Federated Repositories in a JFrog Platform Cloud environment. 

Elasticsearch Improvement

Empty indices in Elasticsearch are now automatically cleaned up when the Elasticsearch reaches the maximum number of allocated shards.

CVE Enrichment REST API Support

The JFrog Security CVE Research and Enrichment feature is now supported in additional REST APIs. See Xray Release Notes for details.

31 January, 2022

JFrog Projects Feature is Available to All JFrog Users

JFrog Projects is a management entity for hosting your resources and for associating users/groups as members with specific entitlements. Using projects helps Platform Admins to offload part of their day-to-day management effort and to generate a better separation between the customer products to improve customer visibility on efficiency, scale, cost, and security. 

Pub Repository Support

Artifactory now natively supports Dart packages, giving you full control of your deployment and resolution process of Flutter, Angular Dart, and general Dart programs, which means that you can create secure and private local Pub Repositories with fine-grained access control.

High Availability in PostgreSQL Database

Artifactory introduces the ability to set up PostgreSQL databases in a high availability configuration to be used as the Artifactory database.

Priority Resolution Supported on Federated Repositories

Added support for setting Priority Resolution on Federated repositories. Setting Priority Resolution takes precedence over the resolution order when resolving Federated repositories and will cause metadata to be merged only from repositories set with this field. If a package is not found in those repositories, Artifactory will merge metadata from the repositories that have not been set with the Priority Resolution field. 

Garbage Collection Improvements

To improve Garbage Collection performance, you can now disable size-based ordering of the GC query. As a result, artifacts will not necessarily be deleted from largest to smallest. 

Introducing npm SHA512 Support

From npm version 500, all npm packages published to Artifactory will support both SHA512 and SHA1 while using the strongest algorithm available, which will result in improved performance, robustness, and enhanced fault-tolerance. 

Generate Software Bills of Materials (SBOM) Report

Xray now can generate an Xray SBOM Report in both SPDX and CycloneDX standard formats. This will help DevSecOps teams to identify the software components in use, their dependencies, and associated license risks if any. 

On-Demand Binary Scan Docker Support and New UI

The Xray On-Demand Binary Scan using the JFrog CLI now supports scanning Docker images. You can run an ad-hoc scan of a Docker image without uploading it to Artifactory first. You can also view the On-Demand Binary scans that run using the JFrog CLI as part of the Xray UI in the JFrog Platform.

Xray Data Retention

Improve Xray performance and data usage by selecting which artifacts are important to scan and how long to retain their Xray data.

Sensitive Data Masked

Sensitive content from Project integrations is now masked in the console logs.

Metrics Data

Pipelines now provides a new Metrics API, which can be used to get metrics data for Pipelines, such as CPU, memory, number of pipelines per project, and more.

Pipelines Utility Functions Export

Pipelines utility functions are now exported. This means they can be called from scripts that are invoked from the build script without having to use the 'source' command.

31 December, 2021

Artifactory Edge Node Support

Insight now supports Artifactory Edge nodes and shows information from Artifactory Edge nodes in the dashboard and trends.

Support for Personal OAuth SSO

JFrog Cloud users can now also join through an invite and then log in using Personal OAuth, such as Google or GitHub.

New Integration for JFrog Artifactory with Amazon's Elastic Cloud Kubernetes (EKS) Anywhere

Amazon's Elastic Cloud Kubernetes (EKS) Anywhere is a new deployment option for Amazon EKS, which allows customers to create and operate Kubernetes clusters on customer-managed infrastructure, supported by AWS. The deployment of JFrog Artifactory on Elastic Cloud Kubernetes (EKS), EKS Anywhere uses Helm Charts to leverage the AWS License Manager.

JFrog Projects Feature is Available to All JFrog Users 

The JFrog Projects feature is now supported on all JFrog Subscriptions. JFrog Projects is a management entity for hosting your resources (repositories, builds, Release Bundles, and Pipelines), and for associating users/groups as members with specific entitlements. Projects simplify the onboarding process for new users and create better visibility for LOBs and project stakeholders.

S3 with Storage Sharding Support

Artifactory introduces an S3 Sharding template (s3-sharding) that utilizes a new sub-provider, state-aware-s3, so that you can use multiple S3 buckets with sharding as the Artifactory filestore.

Custom VM Image

Pipelines now supports creating custom VM images. A custom VM image enables you to use your own image as a node in Pipelines, including all the customizations you made when you created the image.

Share Node Pools across Projects

Project admins can now share node pools across multiple projects to allow members in more than one project to use them. A node pool can be shared with a single project or across multiple projects.

Change Machine Type in Dynamic Nodes Pool

Pipelines now supports changing machine image type in dynamic node pools.

Pipelines in Search Toolbar

Added the ability to select Pipelines and to search for pipelines using the main search toolbar. The search can be filtered using Name, Branch, Triggered Before, and Triggered After.

New Canvas and Butterfly Graphs

The graph view in Pipelines has now been updated to use canvas and butterfly graphs to provide a much smoother and faster experience.

30 November, 2021

New Hybrid Solution Provided through the Distribution Edge

The JFrog Distribution Edges Add-on is a commercial offering for self-hosted customers to leverage JFrog SaaS for software distribution, by enabling self-hosted customers to add cloud-based Edge nodes managed by JFrog (software-as-a-service) and to fully utilize them for content distribution. 

New Pairing Token UI

A new pairing token has been added to the JFrog Platform, which establishes trust between different JFrog microservices. The pairing token is an access token that is used for the initial pairing flow. Because the token is a limited access token, it is dedicated to a specific task and short-lived.

External ID Added to Support Azure Active Users 

To support Azure Active Directory users, the External ID field was added to the group definition and can be set via the group creation UI.

New PyPi Public Remote Registry Supported    

For PyPi users, Artifactory now supports the public remote registry. URL

Jira Integration Dynamic Labels and Custom Fields

You can now use Xray-specific entities as dynamic labels and custom fields in your Jira issues.

31 October, 2021

Configurable Number of Remote Repositories in Remote Repository HTTP Connections Metrics

You can now configure the number of remote repositories to be shown in Remote Repository HTTP Connections of the Artifactory Performance trends (available with Artifactory Cloud (SaaS) version 7.28.x). 

Top 10 API Calls in Remote Repository Requests Metrics

Remote Repository Metrics has been enhanced to display the Top 10 API calls to the remote repository (available with Artifactory Cloud (SaaS) version 7.28.x).

Enabling Log Collection 

The Log Collection Enablement feature enables customers to collect and download their application logs in a dedicated Logs Artifactory System Repository, to improve auditing capabilities. 

Scan Status

You can now get information on the scan status of resources in the Xray data tab of Packages, Builds, and Release Bundles in Artifactory.

Scan Now REST API 

Introducing a new Scan Now REST API that enables you to index resources on-demand, even those that were not marked for indexing.

New REST API for Scan Status

You can now check the scan status of Packages, Builds, and Release Bundles using the new Scan REST API.

Provision Status for Node Pools

The node pools list view now includes a new column called Provision Status, which provides a color representation of the provision status for each node. Each color represents one of the stages in the lifecycle of a node.

Carry Custom Configuration to all Steps in Pipeline Run

Custom configurations can be configured at both the pipeline and step levels.

LinuxVMDeploy Native Step

Introduced a new native step to support Blue/Green deployments on Pipelines, whereby the LinuxVMDeploy native step can upload files to VMs in a VmCluster resource and run commands on the VMs.

UploadArtifact Native Step

Introduced a new native step to upload artifacts to Artifactory using JFrog CLI. Optionally, it can also publish build information to Artifactory and trigger Xray Scans.

Support for Clone of Private Repos via HTTPS

Added support for cloning private repositories using HTTPS. Users can now toggle between SSH/HTTPS on their GitRepo resource, and when adding a new pipeline source. 

Cancel One or More Runs

Enhancements in the UI to cancel single or multiple runs. Also, added the ability to cancel a run with a single API call. 

30 September, 2021

JFrog Security CVE Research and Enrichment

Xray's integration with Vdoo introduces JFrog Security CVE Research and Enrichment, a new capability that provides additional CVE details by the JFrog security research team, which comprises security experts that perform manual research on CVEs and suggest a new JFrog Severity Score and a deep technical overview that allows you to better understand the actual risk posed by the CVEs.

Xray Integration with Jira

Xray now can be integrated with Atlassian’s Jira Software, enabling the automatic creation of Jira tickets based on Xray identified security threats and violations. 

Initial release of Insight 1.0.1 

Insight 1.0.1 includes all the trends and charts previously available with JFrog Mission Control.

New Dashboard Trends

Added a new trend, the Remote Repository Requests Metrics, which provides information on the status of remote repository requests, the performance of remote repository requests, and the Top 100 API calls.

Mission Control as a Microservice

From JFrog Artifactory version 7.27.3, Mission Control has been integrated directly into Artifactory as a service. You will no longer need to install Mission Control to use the features it provides, only to enable the service in Artifactory.

31 August, 2021

URL Normalization is Now Prevented for Remote Repositories

Remote repositories are now enabled with the new disableUrlNormalization parameter to prevent URL normalization from occurring. 

Added Namespace Support for Helm Virtual Repositories 

You can now assign namespaces to local and remote repositories in Helm virtual repositories, allowing you to explicitly state which aggregated repository to fetch.

Build Info Supports Aggregated Builds

Aggregated builds are builds that contain multiple steps and can run on multiple machines. Aggregated builds are now represented by Build Info using the new 'type' parameter under the module section in the UI. 

Builds Info REST API Displays the VCS Parameter

The VCS property is now displayed in the BuildInfo REST API response.

PHP Composer V2 Support

Artifactory supports PHP Composer V2 in addition to V1. From Artifactory 7.24, Local PHP repositories will automatically be created in V2, which supports faster download times and enhanced performance. 

PHP Composer Drupal 7 and 8 Registry Support

You can now upload Drupal version 7 and 8 packages to PHP Composer remote repositories.

Set a Grace Period before Failing Build

You can now set a grace period in a Policy for build failure, allowing you to stop a build from failing if violations exist, for the period of time you set (requires Artifactory version 7.25.x and higher).

New Filter in Watches

Filter the Watches list in the Watches page in Xray to narrow down and display only Watches that are relevant to you (requires Artifactory version 7.25.x and higher).

Filter Ignore Rules

Use an array of different filtering options to narrow down the list of Ignore Rules by the filter criteria you select (requires Artifactory version 7.25.x and higher). 

Xray Reports Clone

Create a clone of an existing report in Xray Reports to reuse a report and its defined settings, saving you the time of recreating reports that you use often. This feature requires Artifactory 7.23.x and above.

Release Bundle Details REST API

Added a new Release Bundle Details REST API that returns license and security violations found in a Release Bundle.

Support for Helm Blue-Green Deployments

Introduced three new native steps to support Helm Blue/Green deployments on Pipelines for Helm deployments. This feature enables users to test releases in production before making them visible to users, while also providing a quick way to roll back changes if needed.

Pipeline-level Integrations and Resources

When defining a pipeline's YAML, integrations, input resources, output resources, and affinity groups can now be defined in the pipelines configuration section to apply them to all steps in the pipeline.

Signed Pipelines Enhancements

  • Added Signed Pipelines support for Docker images pushed in a DockerPush step and signed release bundles created in the CreateReleaseBundle native step. 
  • Added support for PowerShell versions for signed pipelines in the MvnBuild and GradleBuild native steps.

Support for Adding Values Definition in the UI

When using a template, you can now add values definition for the pipeline source without pointing it to an SCM repository and define the pipeline source values directly in the UI.

Support for SSH/HTTPS Clone for GitRepo Resource

The GitRepo resource now includes a new tag that can be configured to use either SSH or HTTPS protocol when cloning a Git repository.

Branch Name in Run View

When working with multi-branch pipelines, the run view now displays a breadcrumb that includes the name of the branch being used and a drop-down that lists all the branches. 

HTTPS Clone Support for BitBucket Server

Pipelines now provides HTTPS Clone support for BitBucket Server.

SMTP Credentials Integration Enhancement

Added a new option to the SMTP Credentials Integration called ignoreTLS that provides more flexibility when connecting with SMTP servers.

31 July, 2021

Additional Security Manager Role and Additional Scanning Capabilities in Project Functionality

The new security manager role enables a user to perform a wide range of security-related project actions, as well as additional functionalities for Xray in Projects, such as generating Global Xray Reports for a Project scope and applying Global Watches to Projects.

Docker Enhancements

  • Improved the Docker remote repository flow by reducing the number of requests to the remote repositories.
  • Added Docker Buildx support, allowing you to easily build and push multi-architecture images using the Docker buildx CLI.
  • Added support for promoting Docker images with a Docker manifest.list from one Docker local repository to another.

New Outbound Repository Request Log

Announcing a new Outbound Remote Repository Request Log, which allows you to track every request initiated by a remote repository including requests related to replication. 

Native Artifacts Browser Accessible from the UI

The Artifactory native artifacts browser, which allows browsing the contents of a repository in a plain HTML structured tree, is now available via the artifact URL or via the artifacts Actions menu, which means that authenticated users will not need to re-authenticate to access the native browser.

Support for Multiple HashiCorp Vault Connectors in the JFrog Platform UI

JFrog Subscriptions: Enterprise with Security Pack | Enterprise+  
The JFrog Platform integration with HashiCorp Vault now enables you to configure multiple external vault connectors through the Platform UI.   

Managing Multiple Signing Keys

JFrog Subscriptions: Enterprise with Security Pack | Enterprise+  

JFrog Platform now enables you to manage multiple RSA and GPG signing keys through the Keys Management UI and REST API.

Generating an Identity Token through the Profile UI

The user profile now enables users to generate identity tokens, which means that any user can create a user identity token for themselves via the UI (or via REST API). Identity tokens are scoped tokens, providing limited and focused permissions, and when a user is deleted/disabled, their tokens are also revoked.

Dependencies Scan 

The Xray Dependencies Scan feature enables you to scan your source code dependencies to find security vulnerabilities and license violations, with the ability to scan against your Xray policies, using the JFrog CLI.

On-Demand Binary Scan

Xray now provides on-demand binary scanning to address your needs using the CLI for fast results. You can point to a binary in your local file system and receive a report that contains a list of vulnerabilities, licenses, and policy violations for that binary prior to uploading the binary or build to Artifactory.

Approval Gates

The Approval Gates feature enables you to insert a manual approval process for a step in a pipeline. Approvers can approve or reject steps, and receive Slack and e-mail notifications for steps that require approval.

Improved Logs for Signed Pipelines

Pipelines will now post logs to step consoles when steps are getting signed. This will help users to identify the cause of failures during the process of signing a pipeline.

Conditional Workflow

The Conditional Workflows feature enables users to choose if a step executes or skips based on certain conditions set for the previous upstream step, which provides more flexibility in the execution logic of a pipeline.

30 June, 2021

Native Artifacts Browser Accessible from the UI

The Artifactory native artifacts browser allows browsing the contents of a repository in a plain HTML structured tree, so that authenticated users will not need to re-authenticate to access the native browser. The browser is available via the artifact URL or via the artifacts Actions menu.

A New Outbound Repository Request Log

A new Outbound Remote Repository Request log that allows you to track every request initiated by a remote repository including requests related to replication. 

Dynamic Release Bundle

Introducing the capability to create, sign, and distribute an ad-hoc release bundle.

Multiple GPG keys for Signing Release Bundles

Distribution now supports signing Release Bundles using Multiple GPG signing keys and not one key pair for all Release Bundles. This enables you to use different keys according to your organizational requirements.

Managing Multiple Signing Keys

JFrog Subscriptions: Enterprise with Security Pack | Enterprise+  

The JFrog Platform now enables you to manage multiple RSA and GPG signing keys through the Keys Management UI and REST API.

Generating an Identity Token through the Profile UI

The user profile now enables users to generate a scoped identity token. Any user can create a user identity token for themselves via the UI or via REST API.

Docker Enhancements

As part of our ongoing effort to provide the best Docker-related experience, we have introduced enhancements related to the Docker remote repository flow, added Docker Buildx support, and added support for promoting Docker images with a Docker manifest.list from one Docker local repository to another.

Improved Metadata Request Performance for Remote Repositories 

Customers can now configure the Metadata Retrieval Cache Timeout (Sec) parameter in the Remote Repository Cache Settings to control the Metadata timeout performance (the default value is 60 seconds). 

Security Manager Role in Projects


The new Security Manager role can perform security-related project actions such as Manage Xray Data, Manage Reports, Manage Watches and Policies, and Ignore Global Violations.

Generate Xray Reports on a Project Scope

You can now generate Global Xray Reports for selected Projects for all report types in Xray.

Apply Global Watches on Projects

You can now apply Global Watches on specific Projects, enabling you to set rules and policies in the selected Projects. 

Garbage Collector

Xray's Garbage Collector feature enables you to avoid race conditions between delete/create events sent by Artifactory mainly when moving Artifacts and promoting images. 

Signed Pipelines

JFrog Subscriptions: ENTERPRISE+
A new verification system that determines which pipelines/steps generated a specific artifact. The signing process creates trust and provides a way to validate the immutability of the artifacts.

31 May, 2021

JFrog Platform Integration with HashiCorp Vault

The JFrog Platform integration with HashiCorp Vault now enables you to configure an external vault connection to use as a centralized secret management tool not only through the APIs but also using the JFrog Platform UI.

JFrog Platform SCIM Integration 

JFrog Platform now enables you to generate a dedicated admin access token for SCIM in the JFrog Platform, which can then be used in the identity service setup. 

Signing Keys Management

The JFrog Platform now features a centralized dashboard for creating and managing all signing keys. This feature enables you to create and control the keys used to encrypt or digitally sign your artifacts in one central location.

Extended Flagging Safe Repositories Support

Declaring local and remote repositories as ‘safe’ by enabling the ‘Priority Resolution’ field for Local and Remote repositories has been extended to support Alpine, Bower, Conan, Conda, Cran, Go, Gradle, Ivy, Maven, Nuget, and SBT Packages.

Support for Controlling Signed URL Download Methods

You now have the option to set your signed URL redirects for Direct Cloud Storage using one of these methods: S3, CloudFront, or using a direct download without a signed URL redirect.

Distroless Scanning

Xray now can scan Google Distroless Images that only contain your application and its runtime dependencies.

Red Hat Vulnerability Scanner Certification

JFrog Xray is now certified with the Red Hat Vulnerability Scanner Certification. The certification recognizes Xray as a trusted Red Hat security partner.

30 April, 2021

Federated Repositories


The JFrog Platform enables you to create Federated Repositories, which support mirroring repositories and artifacts with JFrog Platform users located on remote JFrog Deployments (JPDs) in a multisite environment.

SCIM ID Management Support 

JFrog supports managing both users and groups, and the association between them using the SCIM protocol 2.0. 

Rest API Related Performance Improvement

Improved the performance when running the Scan Build API.

Distroless Scanning

Xray now can scan Google Distroless Images that only contain your application and its runtime dependencies.

Red Hat Vulnerability Scanner Certification

JFrog Xray is now certified with the Red Hat Vulnerability Scanner Certification.

Red Hat Packages Enhancements

Improved Red Hat packages scanning to support CPE matching to enhance Red Hat vulnerabilities detection. Xray also supports Red Hat Modules for better scanning of Red Hat OS packages.

Impact Analysis Performance Improvements

Improved the Impact Analysis performance, significantly reducing the database server CPU and I/O levels.

Limit Storage Space Used by Indexer

You can now limit the storage space used by the Indexer microservice during concurrent downloads and extraction of artifacts ensuring used storage does not exceed the default usage. 

31 March, 2021

Projects in the JFrog Platform


JFrog Projects is a management entity for hosting your resources (repositories, builds, Release Bundles, and Pipelines), and for associating users/groups as members with specific entitlements. 

SCIM ID Management Support 


Using the SCIM protocol 2.0, JFrog enables customers to create, remove, and disable user accounts from their choice of user management tool and automatically update the platform with these changes. 

HashiCorp Vault Integration with the JFrog Platform


The JFrog Platform integration with Vault enables you to configure an external vault connection to use as a centralized secret management tool.

AQL Search for Remote Repository 

Using AQL, you can now work with Remote Repositories.

Artifact Browser with More Filters and Advanced SetMeUp

Introducing new filters and improved SetMeUp capabilities in the Artifact Browser available to all new users and those upgrading from previous Artifactory versions. This new view and capabilities are now the default Artifact Browser view in the JFrog Platform.

Xray in Projects


Use Xray capabilities in the scope of JFrog Projects. Offload and delegate Xray tasks to the different personas in your organization, such as assigning Xray security management capabilities to Project Admins on the scope of their specific projects.

Pipelines in Projects


Use Pipelines capabilities in the scope of JFrog Projects. Offload and delegate Pipelines tasks, such as adding integrations, pipeline sources, and node pools, to Project Admins on the scope of their specific projects.

PrivateLink for AWS Cloud

The MyJFrog Cloud Portal enables customers to establish a secure network connection from their cloud account into their JFrog Cloud instance, without going through the public Internet, by setting up AWS PrivateLinks.

Cargo Packages Support 

Artifactory natively supports Cargo Registry for the Rust language, giving you full control of your deployment and resolve process of Cargo packages. Cargo downloads your Rust package's dependencies, compiles your packages, makes distributable packages, and uploads them to the Rust community’s package registry.

Expanded Support for Priority Resolution for Nuget Packages

You can now declare local and remote repositories as ‘safe’ by enabling the ‘Priority Resolution’ field for Local and Remote repositories. Setting Priority Resolution takes precedence over the resolution order when resolving virtual repositories (currently supported for Docker, PyPI, RubyGems, NPM and Nuget packages).

Xray CVSS v3 Scoring Support

Xray now supports CVSS v3 scoring in addition to the CVSS v2 scoring. This ensures that Xray's scoring of vulnerabilities is up-to-date and provides the latest universally standard severity ratings of vulnerabilities.

Xray Conan and C/C++ Support

Xray can now scan Conan Packages deployed to Artifactory. Xray can also scan C/C++ dependencies as part of a build.

Enhancements to HelmDeploy Native Step

HelmDeploy native step has been enhanced to support the input resources filespec and buildinfo.

Onboarding Wizard for Pipelines

The Pipelines UI now includes an onboarding wizard to help new users get started with adding an integration, a pipeline source, and a node pool.

Environment Variables Configuration Improvements

It is now possible to add a description and configure the possible list of values for environment variables when creating a custom run configuration. 

Search/Filter Capability

Pipeline and run views now include search and filter capabilities, which enable you to quickly search pipelines by name and filter them by status. 

Support for Extensions in Windows Node

Pipelines nodes now support the Windows operating system. Windows can be set as a platform while adding Extension resources and steps.

Pipelines in Projects

Pipelines capabilities are now supported in the scope of JFrog Projects.

28 February, 2021 

Enhanced Folder Download Functionality 

The 'Folder Download' feature is now aligned with the JFrog CLI and supports downloading empty folders. 

Additional Webhooks for Distribution

Added new events for Destination, which enables you to trigger events when a Release Bundle was received on an Edge node, and when a Release Bundle deletion process has started, completed successfully, or failed.

Quick Repository Setup

Admins can now use the Quick Setup to create repositories for selected package types in one go. With a couple of simple steps, admins can create local, remote, and virtual repositories for single or multiple package types.

Impact Path Data in Reports

You can now view the Impact Path data in the Due Diligence Licenses Report in the Get Due Diligence Report Content REST API and JSON and CSV outputs.

31 January, 2021

New REST API to Restore Ignored Violations 

Introduced a new Restore Ignored Violations REST API, which allows you to restore violations that were ignored due to defined Ignore Rules.

Impact Path Data in Reports

You can now view the Impact Path data for Vulnerabilities and Violations reports in JSON and CSV outputs.

Time-based Ignore Rule Filter for REST API

Filter the Ignore Rules by expiration date using the Get Ignore Rules REST API, for example to list time-based rules that will expire before or after a specific date. You can also sort Ignore Rules by expiration date.

View Ignored Violations in the Violations Report

You can view ignored violations data in the Violations Report including the Ignore Rule ID that can be used in REST APIs.

Reports Enhancements

Xray Violations and Vulnerabilities reports now include additional information regarding the severity received from the Red Hat OS advisory board. This information will be included in the CSV and JSON export formats of the reports.

31 December, 2020

Central P2P Peer Management in the JFrog Platform

JFrog Subscriptions: ENTERPRISE+

You can now modify and manage all the Peer-to-Peer (P2P) Downloads centrally by storing the configurations in the JFrog Platform.

Advanced patterns supported for Docker Virtual Repositories

Extended Ignore/include patterns for Docker Virtual Repositories.

Sizing Improvement   

Improved the performance of the Xray Data tab in the UI.

Time-based Ignore Rule Enhancement

Time-based Ignore Rules enable you to set an expiration date for an Ignore Rule; the violation is ignored until the Ignore Rule expires.

Ignored Violations Stored in the DB

All ignored violations are now stored in the DB which enables you to view all ignored violations on the artifact, build, and Release Bundle level.

UI Enhancements

The UI now provides more information about an ignored violation in the different screens, including in the violations list for an artifact, build, and Release Bundle.

Export Components Details API Enhancement  

Added the include_ignored_violations parameter to Export Component Details. This will return the ignore rule ID per matched policy.


30 November, 2020

Hardened the User Login Messages 

User Login messages have been modified to provide consistent responses on enumeration attempts to prevent the disclosure of valid accounts. 

Helm V3 Support

Artifactory now supports Helm 3 clients, enabling you to deploy and resolve Helm Charts using Helm V2 and V3 clients.

OCI Support

Artifactory is now OCI-compliant and supports OCI clients, providing you with the ability to deploy and resolve OCI images in Docker Registries (the OCI client Singularity is not supported). 

Improvements to RubyGems Indexing for Local Repositories 

Added Bundler Compact index support for Local repositories for RubyGems providing you with the latest version of the package that is compatible with your installed Ruby version of the project. To use this new capability, in the file, set the artifactory.gems.compact.index.enabled=true value.

Docker Registry Alignments in Artifactory to Meet Latest Docker Rate Limits

Docker Registry functionality is now optimized in JFrog Artifactory to accommodate the latest Rate Limit changes announced by Docker. 

Improved Indexer Functionality 

Enhanced the indexer functionality with improved classification of artifacts and identification of complex cases, such as identifying inner components within other components.

Build Scanning Improvement

Improved the build scanning process by having Xray download from Artifactory only those artifacts that are part of the build and that Xray can scan, saving resources and time.

Violations Report

Introduced the new Violations report, which provides you with information on security and license violations for each component in the selected scope.

Ignore Rules 

Enhanced the Ignore Rules feature functionalities, including the ability to set granularity on a defined Ignore Rule. All of the Ignore Rule functionalities are supported via the REST API.


31 October, 2020 

New JFrog Platform Onboarding Experience

We have introduced a new Onboarding experience in the web UI for Admin users. This new interactive experience guides the user through the essential onboarding steps to get started with the JFrog Platform.

Verify Audience Restriction Applied for SAML SSO  

The verifyAudienceRestriction attribute for SAML SSO has been set up by default to validate SAML SSO authentication requests.

Improved Maven Plugin Metadata Calculation

Maven plugin metadata is now calculated for every deploy or delete action.

Alpine Package Support in Xray

Xray now scans and indexes your Alpine Repositories and Alpine Packages, including recursive analysis, component graph integration, and providing detailed metadata information. 

Python Package File Format Support

Xray now supports the indexing of Python files (PyPI) inside .tar, .gz, .tgz, .whl, and .egg file formats.

Support PHP files in *.tar Archives

Xray now supports PHP files inside *.tar archives.

New Metadata REST API

Added a new Resend Artifacts Metadata REST API that enables administrators to resend artifact metadata to the Metadata Server.

Due Diligence Licenses Report

Introduced the new Due Diligence Licenses Report, which provides you with a list of components and artifacts and their relevant licenses enabling you to review and verify that the components and artifacts comply with the license requirements. 

30 September, 2020

Peer-to-Peer (P2P) Download 

JFrog Subscriptions: ENTERPRISE+

The new JFrog Peer-to-Peer (P2P) Downloads feature allows hosts to download artifacts from local, remote, and virtual repositories through a local network of peers in addition to downloading artifacts from JFrog Artifactory. 

GraphQL API for the JFrog Platform Metadata

JFrog's Metadata Service public APIs are now enabled, allowing you to query the entities from the metadata server with GraphQL.

Viewing and Tracking Non-Revocable Access Tokens   

You can view and track non-revocable Access Tokens in the UI, and filter them by revocability as well as by expiry.

Changes in Artifactory to Facilitate the New Docker Rate Limit

Artifactory has made improvements to support the usage of Remote Docker Repositories opposite Docker Hub, while taking into account the new Docker rate limits.     

Docker Remote Repository Improvements 

Docker Schema 2 is now fetched from the remote registry if no header was sent. This improves the Docker experience when the metadata expires.

Docker Pull Performance Improvements

Improved the performance of Docker pull requests by digest and tag by using more efficient queries and better utilizing the internal caching when serving Docker pull requests.

License Detection Improvements

Improved license detection performance and success rate to reduce CPU utilization.

31 August, 2020

Vulnerabilities Report

You can now create and generate a Vulnerabilities report that gives you a visual representation of vulnerabilities found in your artifacts, builds, and release bundles. 

Manage Reports User Role

A new role was added to the users' permissions allowing users to create, generate, and manage the new Reports feature in Users and Groups. This role is also required by some APIs such as Get Component List Per Watch and Find Component by CVE.

Multiple License Permissive Approach

This new approach gives you more flexibility at the policy level: you can configure a more permissive approach in which a component that has at least one permitted license goes through without triggering a violation, even if some of its licenses are not allowed.

31 July, 2020


Users can be Assigned the Manage Resources Role  

Admins can assign users that have the Manage Resources role to manage resources, including creating, editing, and deleting permissions on any resource type including Pipeline resources (Integration, Source, and Node Pools).

GraphQL Version Released in the JFrog Platform  

JFrog's Metadata Service has now enabled the integration of the metadata server with a version of GraphQL public API.  

Improved LDAP Pagination Support Usage 

Added the Used Page Results parameter in the LDAP page to support LDAP Group pagination. This is supported for LDAP servers that have more than 1000 groups and support group pagination, allowing admins to use paged LDAP results.

Persistent Expiry Threshold Token

Added the new persistent-expiry-threshold parameter to the Access YAML Configuration file, allowing you to set the minimum expiry value that a token must have in order to be saved in the DB.

Improved Permissions Cache Invalidation

Minimized the scope of the invalidation action to only permissions associated with the specific service that needed the cache to be cleared. This allows shorter login times and better permission validation performance.


Indexing Improvements for Npm Packages  

Implemented incremental indexing as part of the existing npm indexing mechanism resulting in reduced time to build the package index.

30 June, 2020

Multi-factor Authentication

JFrog Subscriptions: ENTERPRISE+

Administrators can enable Multi-factor Authentication for all users, which will require users to provide a verification code from a third-party authentication application every time users log in. 

Event-driven Webhooks  

The Webhooks feature enables you to send important events in Artifactory (such as Artifact Deployment or Build Deployment) to applications that are configured by setting a URL.

Alpine Linux Repository Support

Artifactory now natively supports Alpine Linux repositories, giving you full control of your deployment and resolution process of Alpine Linux (*.apk) packages.

Enhancements for Webhooks Events

Introduced a few fixes to Webhooks events, such as adding a build_started field to the Build events, additional fixes to Docker events, and improved payload data.

Artifactory Connection Management

Improved the process of Xray's active connections to Artifactory, by limiting the number of concurrent HTTP client connections.

Repository Scan Improvement  

Indexing requests of Artifacts that were initiated from an index repository request are no longer persisted in the Artifactory database, thus reducing the network and database load.  


31 May, 2020

Artifactory Cloud with CDN Distribution

Artifactory supports a fully integrated advanced CDN Distribution. This removes the need to deal with the complexity of setting up a separate external CDN caching system, and allows you to manage, control, and distribute high volumes of software across multiple locations.

Support for Signed URLs

Users with administrator or manage permission can now generate a signed URL that provides temporary shared access to a specific artifact, using the Create Signed URL REST API, or replace the key for signing and validating by using the Replace Signed URL Key REST API.

Support for RHEL 8 AppStream  

Enhanced Deploying RPM Modules by supporting Red Hat Enterprise Linux 8, which contains support for enhanced Yum metadata for AppStream (RHEL8) or Modularity (Fedora) technology used in RHEL8. 

Generate Maven POM File REST API

You can now generate a Maven POM file using the Artifactory REST API.

Xray Block Unscanned Artifacts Timeout Policy   

You can now define a timeout policy for unscanned artifact download requests. 

30 April, 2020

Create Admin Access Tokens from within the UI

Administrators can now generate admin tokens for any of the services in the JFrog Platform directly from the UI.

Go Private GitHub Repositories Support 

You can now create a remote Go repository and proxy Go modules and configure Artifactory and Go client to work with GitHub private repositories.  

Conda v2 Format  

Artifactory now supports the Conda v2 metadata format. You can now use Conda clients from version 4.7, and download/upload Conda v2 format packages from all repository types (local, remote and virtual).

Debian InRelease

Added support for Debian InRelease metadata files. Artifactory will now produce an InRelease metadata file in the repository when working with GPG signing. 

Force Full Reindex of Existing Components REST API

The new Force Reindex REST API command allows you to easily re-index artifacts that were indexed in the past.

Added Dedicated Policy REST API V.2 Commands

Xray now supports REST API Policy commands for both V.1 and V.2. The V.2 commands support blocking Release Bundles and allow you to notify Watch recipients and File deployers. See Xray REST API for details.

31 March, 2020

PAT (Personal Access Token) Support for Remote Repository Authentication  

Artifactory now supports remote repository authentication using Personal Access Tokens (PAT), in addition to basic authentication, enabling you to strengthen your Artifactory security practices.

LDAP Improvements

Artifactory now supports a new type of Active Directory Nested Groups search, which enables performance improvements when working with LDAP. 

Restricting System and Repository Imports

Artifactory allows admin users to import and export data at both the system level and the repository level. 

Support for Matrix-params with Conan Repositories

Artifactory now supports matrix parameters for Conan repositories. As a result, the Build Info for Conan packages uploaded to Artifactory SaaS is now available.

28 February, 2020

JFrog Container Registry 7.0  

JFrog Container Registry 7.0 has been released. The JFrog Container Registry provides a set of features that have been customized to serve the primary purpose of running Docker and Helm packages in a Container Registry.


12 January, 2020 - Initial JFrog Platform GA

This section describes the general availability release for the initial JFrog Platform, including the general and JFrog product-specific changes applied in the JFrog Platform for Cloud (SaaS) users.

  • JFrog Artifactory 7.0

  • JFrog Xray 3.0

  • JFrog Mission Control 4.0

  • JFrog Distribution 2.0

  • JFrog Pipelines 1.0

JFrog on-prem customer?

If you are an on-prem user, check out what's new on-prem.

Advanced Cloud Environment Settings

Dedicated Cloud NAT IPs Used in the JFrog Platform 

Cloud customers that have previously set up whitelisting on their external services (such as LDAP and SAML) to support communication between their external services and JFrog Cloud need to update their allow list according to JFrog's updated Cloud NAT IP list.

Features and Functionality

Unified Experience

The user interface provides a consistent experience across all JFrog products. It is designed to support the most commonly used workflows, including improved package management, security and compliance, and package distribution, continuing to provide you with full flexibility. To support this experience the internal architecture (defined as a JPD) is designed to provide JFrog users with the same user experience across the JFrog products that have been installed.

To support the different user workflows, the UI is divided into two main modules:

  • Application Module: provides an easy-to-use interface for viewing your packages, builds and artifacts in Artifactory, including Xray security vulnerabilities and violations, Dashboard topology and trends, Distribution release bundles and Pipelines DevOps automation.

  • Administration Module: provides a consolidated place for configurations of all JFrog products (common and product specific), including centralized settings, such as monitoring (storage, replication, service status), security and compliance, proxies, license and user management, as well as property sets, backups, indexed resources, database sync and webhooks.

Both modules include an advanced search mechanism.

Flexible Permissions Model

Administrators get fine-grained permissions control over how users and groups access the different resources (repositories, builds, Release Bundles, destinations).

Security and Compliance Across Your DevOps Pipeline

Fully integrated into the JFrog Platform, JFrog Xray protects your artifacts, repositories, builds and release bundles across the entire CI/CD pipeline.

  • Get JFrog's vulnerability database, which is continuously updated with new component vulnerability data and includes VulnDB, the industry's most comprehensive security vulnerability database.

  • Identify security vulnerabilities and license violations according to your organization's needs. A dedicated Security and Compliance section in the UI allows you to set policies and watches on all your JFrog resources.

  • Configure watches and policies with the option to block artifact download, Release Bundle distribution to Edge nodes, and even break Builds.

  • Use advanced filtering that allows you to configure include/exclude patterns when setting indexed resources or when setting a Watch on the resources.

Secure Distribution Process

Manage the creation and distribution of Release Bundles to your Artifactory Edge Nodes. Gain better visibility and traceability into your distribution process with a complete view of all contents and package references of your Release Bundles.

User Interface

The following table is a quick reference to common functionalities in the JFrog Platform, including their new locations and any functional changes.

JFrog Product


Location in the New UI



Custom Base URL

Date Format

Look and Feel Settings

Custom Message

Administration module | General | Settings

Dedicated Artifactory Settings

Administration module | Artifactory

General: Settings, Property Sets
Services: Maven Indexer
Security: Anonymous access, Revoke API Keys, Signing Keys, Trusted Keys, Certificates


Xray Permissions

Administration module | Identity and Access | Permissions

As part of the JFrog Platform permissions unification, permission targets that were previously separated per product are now represented as one permission target with multiple permission options for the different JFrog products. Changes include:

  • Manage Components is now Manage Xray Metadata

  • View Components is now included in the Read permission

As part of the permission migration process:

  • Users/Groups with Xray Admin and Artifactory Admin permissions will be converted to Administrators in the JFrog Platform. 

  • Users/Groups with only Xray Admin permissions will be converted to have Read, Manage, Manage Policies and Manage Watch permissions on all the resources.

Administration module | Identity and Access | Users

Administration module | Identity and Access | Groups

  • Manage Policies and Manage Watches are now global permissions that are enabled on the user or group level. Previously this was a permission option in the permission target.

  • View Watches is now integrated with the Manage Watches global permission. It is not available as a separate permission.

Policies and Watches

Application module | Security & Compliance

  • Manually invoking a re-scan of a watch will apply on all resources defined in the watch. Previously you could set the re-scan on part of the resources.

Dedicated Xray Settings

Administration module | Xray

General: Indexed Resources, Webhooks, Integrations

Deprecated Features

JFrog Product



  • License Control is deprecated. Its functionality is included in the Xray integration and provides richer information and support for additional package types.

  • Stash Search Results: this feature, which allowed you to save your search results and go back to them later, has been removed.

  • HTTP Requests Are No Longer Supported: as part of hardening our cloud security policy in the JFrog Platform, we no longer support non-secure HTTP traffic requests and have enabled HSTS strict headers, which will cause all HTTP requests (including those from browsers) to be automatically redirected to HTTPS.

    It is recommended to use HTTPS for all your requests.
    Please note that you will receive a 308 response code if you still decide to use HTTP.

    We have also deprecated the legacy TLS 1.0 and 1.1 versions, which effectively enforces the cipher suite floor as well.


  • Out of the box integrations: the integrations with Aqua, WhiteSource and Black Duck are deprecated. Custom integrations are still available and support integrating with any external source of your choice. The VulnDB integration, now transparently integrated into Xray, provides the industry's most comprehensive security vulnerability database. This eliminates the need for these out of the box 3rd party integrations.

  • Xray Homepage: as part of the JFrog Platform UI unification, this page has been removed.


Internet Explorer

The Internet Explorer browser is not supported in the JFrog Platform. For a list of supported browsers, see Browsers.

Breaking Changes



JFrog Artifactory

  • Viewing Packages/Builds/Release Bundles: The UI will load only up to 100 results and up to 100 versions per package/build/Release Bundle.

  • Removal of support for non-SNI clients
    For improved network security, support for non-SNI (Server Name Indication) clients is removed. If you are using HTTP clients that do not support SNI, your requests for download/upload will fail. To avoid failures, make sure to upgrade your clients to an officially supported version. 

  • Required support for 302 HTTP Redirects
    Download requests using clients that do not support 302 redirects will fail in most cases for the following list of package types. To avoid failures, make sure to upgrade your clients to a version that supports 302 redirects.
    Docker, Debian, Npm, RPM, Generic, Bower, Composer, Conan, Cran, Git LFS, Gradle, Helm, Maven, Pypi and Vagrant.

    See example use case here. See list of approved client versions here.

  • Deprecated domain
    Following previous notifications regarding the deprecation of the domain, backward compatibility for the deprecated domain will no longer be maintained. If you are still using to access your cloud services, please make sure to use instead.

  • Egress Traffic Whitelisting
    If you are limiting egress traffic from your network to JFrog Cloud services on AWS, or you have applied such a setting on any of your nodes that are accessing JFrog Cloud services, make sure to extend the list of whitelisted IPs to include the AWS S3 IP ranges.
    Continue to get updated with the latest AWS IP address range changes.

JFrog Xray

  • Component Search: searching for components that are not artifacts in your Artifactory instance, but are known to Xray as a result of its recursive scan capability. This functionality will be available in later JFrog Platform releases.

  • Xray Permissions

    • The Manage Watch permission is now available as a global permission on the user/group level. Previously, manage watches was an option per permission target that was defined with a scope of resources. Now, for users/groups that have it, the Manage Watch permission applies to all resources. When upgrading to the JFrog Platform, the permission conversion will remove the Manage Watch permission for all users and groups. After upgrading, this permission will need to be reconfigured for all required users and groups. Defining a scope will be available in later JFrog Platform releases, as part of the Projects functionality.

    • The View Watches permission is deprecated. To view watches, enable the Manage Watches permission option for users/groups.

REST API Changes

New Shared Base URL for All JFrog Services

The JFrog Platform release introduces a new unified way to access all JFrog services through a single URL, using the following format:

https://<Server Name><Service Context>/

For example:

For backward compatibility, JFrog Artifactory and Xray will continue to work as before:

https://<Server Name><Server Name> https://<Server Name>

The following table summarizes the list of changes from previous JFrog products versions to the JFrog Platform.

JFrog Product






