31 May, 2022
New On-Demand Scan REST API | Introduced a new REST API that will enable you to delete on-demand scanning results using the JFrog CLI. | |
Operational Risk Reports | You can now generate Operational Risk reports as one of the Xray report types. In addition, you can also view Operational Risk violations in the Violations report type. | |
TriggerPipeline Native Step (Beta Version) | The TriggerPipeline native step will trigger another step and wait for the resulting run to complete before continuing. This enables you to embed another pipeline inside your existing pipeline. A new integration called JFrog Platform Access Token Integration has been introduced to support this feature. | |
System-level Control Setting for Non-root Users | Pipelines admins can now use a system-level setting to enforce use of only those node pools that are configured with non-root. When the enforceNonRootNodes global setting is set to true, it takes precedence over the non-root user setting configured in the UI (currently supported only in Ubuntu 18 and Ubuntu 20). | |
Trigger Pipelines API | Introduced a new API to trigger a pipeline that enables you to:
|
30 April, 2022
Full JFrog Support for Terraform Packages | JFrog provides a fully-fledged Terraform repository solution, which gives you full control of your deployment and resolution process of Terraform Modules, Providers, and Backend packages. This solution includes both the Terraform Registry and the Terraform Backend Repository in the JFrog Platform. | |
Token Enhancements | Scoped Admin Access Tokens: From Artifactory release 7.38.4, JFrog enables companies to create their own admin-scoped access token without using the JFrog Platform UI or via another token. New Identity Token Format and API Key Replacement: Artifactory release 7.38.4 includes a new Identity Token format, also called a Reference Token, which can also be used to replace the API Keys that will be deprecated in a future version. The new Reference Token includes an option to create a "shortened," 128-character key, thereby providing an alias for the Identity Token. | |
Added PKCE Support for OAuth Integrations | Artifactory now supports enabling the PKCE extension over OAuth, which provides an additional level of security and serves as an alternative to the basic Secret mechanism. By selecting the | |
Enforce Internal Dynamic Search of Attributes in LDAP Groups | Introducing the new functionality for the LDAP group dynamic strategy, which enforces dynamic internal search of attributes in a group by setting the | |
Maven Non-Preemptive Authentication for Local, Remote, and Virtual Repositories | An enhanced Maven authentication mechanism has been implemented in Artifactory to eliminate the need to perform authentication prior to checking if a package is located in local, remote and virtual repositories. With the new authentication mechanism, when reaching Maven-local-three (which requires authentication), instead of first performing authentication and then authorization, Artifactory will check if the requested item is located in the repository. If the requested package does exist, it will proceed to perform authentication and authorization. If not, a 404 error message will be triggered. | |
Anonymous Users can be Routed to Login Page by Default | To provide anonymous users in the JFrog Platform with an improved navigation experience, you can set all anonymous users to be routed to the Login page by enabling the new 'Set the Login page as the start page' on the Anon User page. | |
GAVC Search REST API Supported on Virtual and Remote Repositories | Maven users can now search by Maven Coordinates (GAVC: GroupID, ArtifactID, Version, Classifier) on remote and virtual repositories, in addition to the existing support for local repositories. For more information, see the new parameters added to the GAVC Search REST API. | |
Added Support for Custom Ports to be Exposed on the NGINX Pod | As part of the alignment of the JFrog Platform with the conventional Kubernetes YAML syntax for container ports, we have added support for comments in the values.yaml file. It is self-explanatory as it is traditional Kubernetes YAML syntax and allows you to pass additional ports other than the HTTP and HTTPS ports to the NGINX deployment and service in the values.yaml file. | |
New Webhook to Support Pull Replication from Remote Repositories | The newly added 'Cache' webhook event is triggered for Pull Replication events occurring against remote repositories. Note that for push replication, you should use the 'Deployed' event. For more information, see the Domain Artifact section. | |
Extended the Priority Resolution feature to Support RPM Packages | You can now declare local and remote repositories as ‘safe’ by enabling the ‘Priority Resolution’ field for Local Repositories and Remote Repositories for RPM packages. | |
Support for Components Operational Risk | Xray can now provide information about the operational risk of using open source software components. These include the risk of using outdated versions or inactive open source software components in your projects. In the current version of this release, we provide operational risk information for Maven and npm packages. |
31 March, 2022
Artifactory as Your Symbol Server | Cloud customers can now benefit from the following advanced Symbol Server features:
| |
Build-Info Repositories can be Shared Across Federated Repositories | The Federated repository feature has been expanded to support adding Build-Info repositories as federated members within a Federation using a dedicated Convert Build-Info Repository to a Federated Repository command. | |
Components Physical Path | Xray now displays the physical path (location) of a vulnerable component in an artifact. This information is displayed in the impact path graph within the CVE, export formats of Xray scans, and in the Violations and Vulnerabilities Xray Reports. | |
Exclude Violations with No Available Fixed Version | Introducing a new capability in Xray Policies, whereby you can set a policy rule to not generate violations for security issues that do not contain a fixed version. This new capability will help you improve your security workflow in enabling you to exclude violations at the Policy level, by not failing builds for issues that do not contain a fixed version. Whenever a fixed version is available, the violation will be generated. | |
Rootless Docker Support | Pipelines now supports rootless Docker for Ubuntu 18/20 build nodes (AWS/GCP - Ubuntu 18/20, Azure - Ubuntu 20, Static nodes - Ubuntu 18/20). Rootless Docker helps avoid giving the Docker container root access. | |
HelmDeploy Native Step Enhancement | The HelmDeploy native step now allows both HelmChart and GitRepo as input resources at the same time. | |
Run Variables as Build Parameters | This enhancement enables run variables to be used in variable placeholders in the build parameters of a Jenkins step. |
28 February, 2022
Announcing the Integration Microservice | Released the new Integration micro-service (as part of the JFrog platform), which is responsible for third-party authentication and event registration. | |
Binding Tokens | Introducing a new type of access token called a binding token, which allows trust to be bi-directional. Binding tokens provide a full self-service for Cloud Enterprise customers that can build customizable binding to the other JPDs on their own. | |
Federated Repositories Now Supported for Cloud Customers | With this release, using the new Binding Tokens, you can set up Federated Repositories in a JFrog Platform Cloud environment. | |
Elasticsearch Improvement | Empty indices in Elasticsearch are now automatically cleaned up when the Elasticsearch reaches the maximum number of allocated shards. | |
CVE Enrichment REST API Support | The JFrog Security CVE Research and Enrichment feature is now supported in additional REST APIs. See Xray Release Notes for details. |
31 January, 2022
JFrog Projects Feature is Available to All JFrog Users | JFrog Projects is a management entity for hosting your resources and for associating users/groups as members with specific entitlements. Using projects helps Platform Admins to offload part of their day-to-day management effort and to generate a better separation between the customer products to improve customer visibility on efficiency, scale, cost, and security. | |
Pub Repository Support | Artifactory now natively supports Dart packages, giving you full control of your deployment and resolution process of Flutter, Angular Dart, and general Dart programs, which means that you can create secure and private local Pub Repositories with fine-grained access control. | |
High Availability in PostgreSQL Database | Artifactory introduces the ability to set up PostgreSQL databases in a high availability configuration to be used as the Artifactory database. | |
Priority Resolution Supported on Federated Repositories | Added support for setting Priority Resolution on Federated repositories. Setting Priority Resolution takes precedence over the resolution order when resolving Federated repositories and will cause metadata to be merged only from repositories set with this field. If a package is not found in those repositories, Artifactory will merge metadata from the repositories that have not been set with the Priority Resolution field. | |
Garbage Collection Improvements | To improve Garbage Collection performance, you can now disable size-based ordering of the GC query. As a result, artifacts will not necessarily be deleted from largest to smallest. | |
Introducing npm SHA512 Support | From npm version 500, all npm packages published to Artifactory will support both SHA512 and SHA1 while using the strongest algorithm available, which will result in improved performance, robustness, and enhanced fault-tolerance. | |
Generate Software Bills of Materials (SBOM) Report | Xray now can generate an Xray SBOM Report in both SPDX and CycloneDX standard formats. This will help DevSecOps teams to identify the software components in use, their dependencies, and associated license risks if any. | |
On-Demand Binary Scan Docker Support and New UI | The Xray On-Demand Binary Scan using the JFrog CLI now supports scanning Docker images. You can run an ad-hoc scan of a Docker image without uploading it to Artifactory first. You can also view the On-Demand Binary scans that run using the JFrog CLI as part of the Xray UI in the JFrog Platform. | |
Xray Data Retention | Improve Xray performance and data usage by selecting which artifacts are important to scan and how long to retain their Xray data. | |
Sensitive Data Masked | Sensitive content from Project integrations is now masked in the console logs. | |
Metrics Data | Pipelines now provides a new Metrics API, which can be used to get metrics data for Pipelines, such as CPU, memory, number of pipelines per project, and more. | |
Pipelines Utility Functions Export | Pipelines utility functions are now exported. This means they can be called from scripts that are invoked from the build script without having to use the 'source' command. |
31 December, 2021
Artifactory Edge Node Support | Insight now supports Artifactory Edge nodes and shows information from Artifactory Edge nodes in the dashboard and trends. | |
Support for Personal OAuth SSO | JFrog Cloud users can now also join through an invite, and then log in using Personal OAuth such as Google or GitHub. | |
New Integration for JFrog Artifactory with Amazon's Elastic Cloud Kubernetes (EKS) Anywhere | Amazon's Elastic Cloud Kubernetes (EKS) Anywhere is a new deployment option for Amazon EKS, which allows customers to create and operate Kubernetes clusters on customer-managed infrastructure, supported by AWS. The deployment of JFrog Artifactory on Elastic Cloud Kubernetes (EKS), EKS Anywhere uses Helm Charts to leverage the AWS License Manager. | |
JFrog Projects Feature is Available to All JFrog Users | The JFrog Projects feature is now supported on all JFrog Subscriptions. JFrog Projects is a management entity for hosting your resources (repositories, builds, Release Bundles, and Pipelines), and for associating users/groups as members with specific entitlements. Projects simplify the onboarding process for new users and create better visibility for LOBs and project stakeholders. | |
S3 with Storage Sharding Support | Artifactory introduces S3 Sharding template ( | |
Custom VM Image | Pipelines now supports creating custom VM images. A custom VM image enables you to use your own image as a node in Pipelines, including all the customizations you made when you created the image. | |
Share Node Pools across Projects | Project admins can now share node pools across multiple projects to allow members in more than one project to use them. A node pool can be shared with a single project or across multiple projects. | |
Change Machine Type in Dynamic Nodes Pool | Pipelines now supports changing machine image type in dynamic node pools. | |
Pipelines in Search Toolbar | Added the ability to select Pipelines and to search for pipelines using the main search toolbar. The search can be filtered using Name, Branch, Triggered Before, and Triggered After. | |
New Canvas and Butterfly Graphs | The graph view in Pipelines has now been updated to use canvas and butterfly graphs to provide a much smoother and faster experience. |
30 November, 2021
New Hybrid Solution Provided through the Distribution Edge | The JFrog Distribution Edges Add-on is a commercial offering for self-hosted customers to leverage JFrog SaaS for software distribution, by enabling self-hosted customers to add cloud-based Edge nodes managed by JFrog (software-as-a-service) and to fully utilize them for content distribution. | |
New Pairing Token UI | A new pairing token has been added to the JFrog Platform, which establishes trust between different JFrog microservices. The pairing token is an access token that is used for the initial pairing flow. Because the token is a limited access token, it is dedicated to a specific task and short-lived. | |
External ID Added to Support Azure Active Users | To support Azure Active Directory users, the field | |
New PyPI Public Remote Registry Supported | For PyPI users, Artifactory now supports the public remote registry URL https://download.pytorch.org/whl/torch_stable.html. | |
Jira Integration Dynamic Labels and Custom Fields | You can now use Xray-specific entities as dynamic labels and custom fields in your Jira issues. |
31 October, 2021
Configurable Number of Remote Repositories in Remote Repository HTTP Connections Metrics | You can now configure the number of remote repositories to be shown in Remote Repository HTTP Connections of the Artifactory Performance trends (available with Artifactory Cloud (SaaS) version 7.28.x). | |
Top 10 API Calls in Remote Repository Requests Metrics | Remote Repository Metrics has been enhanced to display the Top 10 API calls to the remote repository (available with Artifactory Cloud (SaaS) version 7.28.x). | |
Enabling Log Collection | The Log Collection Enablement feature enables customers to collect and download their application logs in a dedicated Logs Artifactory System Repository, to improve auditing capabilities. | |
Scan Status | You can now get information on the scan status of resources in the Xray data tab of Packages, Builds, and Release Bundles in Artifactory. | |
Scan Now REST API | Introducing a new Scan Now REST API that enables you to index resources on-demand, even those that were not marked for indexing. | |
New REST API for Scan Status | You can now check the scan status of Packages, Builds, and Release Bundles using the new Scan REST API. | |
Provision Status for Node Pools | The node pools list view now includes a new column called Provision Status, which provides a color representation of the provision status for each node. Each color represents one of the stages in the lifecycle of a node. | |
Carry Custom Configuration to all Steps in Pipeline Run | Custom configurations can be configured at both the pipeline and step levels. | |
LinuxVMDeploy Native Step | Introduced a new native step to support Blue/Green deployments on Pipelines, whereby the LinuxVMDeploy native step can upload files to VMs in a VmCluster resource and run commands on the VMs. | |
UploadArtifact Native Step | Introduced a new native step to upload artifacts to Artifactory using JFrog CLI. Optionally, it can also publish build information to Artifactory and trigger Xray Scans. | |
Support for Clone of Private Repos via HTTPS | Added support for cloning private repositories using HTTPS. Users can now toggle between SSH/HTTPS on their GitRepo resource, and when adding a new pipeline source. | |
Cancel One or More Runs | Enhancements in the UI to cancel single or multiple runs. Also, added the ability to cancel a run with a single API call. |
30 September, 2021
JFrog Security CVE Research and Enrichment | Xray's integration with Vdoo introduces JFrog Security CVE Research and Enrichment, a new capability that provides additional CVE details by the JFrog security research team, which comprises security experts that perform manual research on CVEs and suggest a new JFrog Severity Score and a deep technical overview that allows you to better understand the actual risk posed by the CVEs. | |
Xray Integration with Jira | Xray now can be integrated with Atlassian’s Jira Software, enabling the automatic creation of Jira tickets based on Xray identified security threats and violations. | |
Initial release of Insight 1.0.1 | Insight 1.0.1 includes all the trends and charts previously available with JFrog Mission Control. | |
New Dashboard Trends | Added a new trend, the Remote Repository Requests Metrics, which provides information on the status of remote repository requests, the performance of remote repository requests, and the Top 100 API calls. | |
Mission Control as a Microservice | From JFrog Artifactory version 7.27.3, Mission Control has been integrated directly into Artifactory as a service. You will no longer need to install Mission Control to use the features it provides, only to enable the service in Artifactory. |
31 August, 2021
URL Normalization is Now Prevented for Remote Repositories | Remote repositories are now enabled with the new | |
Added Namespace Support for Helm Virtual Repositories | You can now assign namespaces to local and remote repositories in Helm virtual repositories, allowing you to explicitly state which aggregated repository to fetch. | |
Build Info Supports Aggregated Builds | Aggregated builds are builds that contain multiple steps and can run on multiple machines. Aggregated builds are now represented by Build Info using the new ' | |
Builds Info REST API Displays the VCS Parameter | The VCS property is now displayed in the BuildInfo REST API response. | |
PHP Composer V2 Support | Artifactory supports PHP Composer V2 in addition to V1. From Artifactory 7.24, Local PHP repositories will automatically be created in V2, which supports faster download times and enhanced performance. | |
PHP Composer Drupal 7 and 8 Registry Support | You can now upload Drupal version 7 and 8 packages to PHP Composer remote repositories. | |
Set a Grace Period before Failing Build | You can now set a grace period in a Policy for build failure, allowing you to stop a build from failing if violations exist, for the period of time you set (requires Artifactory version 7.25.x and higher). | |
New Filter in Watches | Filter the Watches list in the Watches page in Xray to narrow down and display only Watches that are relevant to you (requires Artifactory version 7.25.x and higher). | |
Filter Ignore Rules | Use an array of different filtering options to narrow down the list of Ignore Rules by the filter criteria you select (requires Artifactory version 7.25.x and higher). | |
Xray Reports Clone | Create a clone of an existing report in Xray Reports to reuse a report and its defined settings, saving you the time of recreating reports that you use often. This feature requires Artifactory 7.23.x and above. | |
Release Bundle Details REST API | Added a new Release Bundle Details REST API that returns license and security violations found in a Release Bundle. | |
Support for Helm Blue-Green Deployments | Introduced three new native steps to support Helm Blue/Green deployments on Pipelines for Helm deployments. This feature enables users to test releases in production before making them visible to users, while also providing a quick way to roll back changes if needed. | |
Pipeline-level Integrations and Resources | When defining a pipeline's YAML, integrations, input resources, output resources, and affinity groups can now be defined in the pipelines configuration section to apply them to all steps in the pipeline. | |
Signed Pipelines Enhancements |
| |
Support for Adding Values Definition in the UI | When using a template, you can now add values definition for the pipeline source without pointing it to an SCM repository and define the pipeline source values directly in the UI. | |
Support for SSH/HTTPS Clone for GitRepo Resource | The GitRepo resource now includes a new tag that can be configured to use either SSH or HTTPS protocol when cloning a Git repository. | |
Branch Name in Run View | When working with multi-branch pipelines, the run view now displays a breadcrumb that includes the name of the branch being used and a drop-down that lists all the branches. | |
HTTPS Clone Support for BitBucket Server | Pipelines now provides HTTPS Clone support for BitBucket Server. | |
SMTP Credentials Integration Enhancement | Added a new option to the SMTP Credentials Integration called ignoreTLS that provides more flexibility when connecting with SMTP servers. |
31 July, 2021
Additional Security Manager Role and Additional Scanning Capabilities in Project Functionality | The new security manager role enables a user to perform a wide range of security-related project actions, as well as additional functionalities for Xray in Projects, such as generating Global Xray Reports for a Project scope and applying Global Watches to Projects. | |
Docker Enhancements |
| |
New Outbound Repository Request Log | Announcing a new Outbound Remote Repository Request Log, which allows you to track every request initiated by a remote repository including requests related to replication. | |
Native Artifacts Browser Accessible from the UI | The Artifactory native artifacts browser, which allows browsing the contents of a repository in a plain HTML structured tree, is now available via the artifact URL or via the artifacts Actions menu, which means that authenticated users will not need to re-authenticate to access the native browser. | |
Support for Multiple HashiCorp Vault Connectors in the JFrog Platform UI (JFrog Subscriptions: Enterprise with Security Pack, Enterprise+) | The JFrog Platform integration with HashiCorp Vault now enables you to configure multiple external vault connectors through the Platform UI. | |
Managing Multiple Signing Keys (JFrog Subscriptions: Enterprise with Security Pack, Enterprise+) | JFrog Platform now enables you to manage multiple RSA and GPG signing keys through the Keys Management UI and REST API. | |
Generating an Identity Token through the Profile UI | The user profile now enables users to generate identity tokens, which means that any user can create a user identity token for themselves via the UI (or via REST API). Identity tokens are scoped tokens, providing limited and focused permissions, and when a user is deleted/disabled, their tokens are also revoked. | |
Dependencies Scan | The Xray Dependencies Scan feature enables you to scan your source code dependencies to find security vulnerabilities and license violations, with the ability to scan against your Xray policies, using the JFrog CLI. | |
On-Demand Binary Scan | Xray now provides on-demand binary scanning to address your needs using the CLI for fast results. You can point to a binary in your local file system and receive a report that contains a list of vulnerabilities, licenses, and policy violations for that binary prior to uploading the binary or build to Artifactory. | |
Approval Gates | The Approval Gates feature enables you to insert a manual approval process for a step in a pipeline. Approvers can approve or reject steps, and receive Slack and e-mail notifications for steps that require approval. | |
Improved Logs for Signed Pipelines | Pipelines will now post logs to step consoles when steps are getting signed. This will help users to identify the cause of failures during the process of signing a pipeline. | |
Conditional Workflow | The Conditional Workflows feature enables users to choose if a step executes or skips based on certain conditions set for the previous upstream step, which provides more flexibility in the execution logic of a pipeline. |
30 June, 2021
Native Artifacts Browser Accessible from the UI | The Artifactory native artifacts browser allows browsing the contents of a repository in a plain HTML structured tree, so that authenticated users will not need to re-authenticate to access the native browser. The browser is available via the artifact URL or via the artifacts Actions menu. | |
A New Outbound Repository Request Log | A new Outbound Remote Repository Request log that allows you to track every request initiated by a remote repository including requests related to replication. | |
Dynamic Release Bundle | Introducing the capability to create, sign, and distribute an ad-hoc release bundle. | |
Multiple GPG keys for Signing Release Bundles | Distribution now supports signing Release Bundles using Multiple GPG signing keys and not one key pair for all Release Bundles. This enables you to use different keys according to your organizational requirements. | |
Managing Multiple Signing Keys (JFrog Subscriptions: Enterprise with Security Pack, Enterprise+) | The JFrog Platform now enables you to manage multiple RSA and GPG signing keys through the Keys Management UI and REST API. | |
Generating an Identity Token through the Profile UI | The user profile now enables users to generate a scoped identity token. Any user can create a user identity token for themselves via the UI or via REST API. | |
Docker Enhancements | As part of our ongoing effort to provide the best Docker-related experience, we have introduced enhancements related to the Docker remote repository flow, added Docker Buildx support, and added support for promoting Docker images with a Docker manifest.list from one Docker local repository to another. | |
Improved Metadata Request Performance for Remote Repositories | Customers can now configure the | |
Security Manager Role in Projects (JFrog Subscriptions: ENTERPRISE, ENTERPRISE+) | The new Security Manager role can perform security-related project actions such as Manage Xray Data, Manage Reports, Manage Watches and Policies, and Ignore Global Violations. | |
Generate Xray Reports on a Project Scope (JFrog Subscriptions: ENTERPRISE, ENTERPRISE+) | You can now generate Global Xray Reports for selected Projects for all report types in Xray. | |
Apply Global Watches on Projects (JFrog Subscriptions: ENTERPRISE, ENTERPRISE+) | You can now apply Global Watches on specific Projects, enabling you to set rules and policies in the selected Projects. | |
Garbage Collector (JFrog Subscriptions: ENTERPRISE, ENTERPRISE+) | Xray's Garbage Collector feature enables you to avoid race conditions between delete/create events sent by Artifactory, mainly when moving Artifacts and promoting images. | |
Signed Pipelines (JFrog Subscriptions: ENTERPRISE+) | A new verification system that determines which pipelines/steps generated a specific artifact. The signing process creates trust and provides a way to validate the immutability of the artifacts. |
31 May, 2021
JFrog Platform Integration with HashiCorp Vault (JFrog Subscriptions: ENTERPRISE WITH SECURITY PACK, ENTERPRISE+) | The JFrog Platform integration with HashiCorp Vault now enables you to configure an external vault connection to use as a centralized secret management tool not only through the APIs but also using the JFrog Platform UI. | |
JFrog Platform SCIM Integration (JFrog Subscriptions: ENTERPRISE WITH SECURITY PACK, ENTERPRISE+) | JFrog Platform now enables you to generate a dedicated admin access token for SCIM in the JFrog Platform, which can then be used in the identity service setup. | |
Signing Keys Management (JFrog Subscriptions: ENTERPRISE WITH SECURITY PACK, ENTERPRISE+) | The JFrog Platform now features a centralized dashboard for creating and managing all signing keys. This feature enables you to create and control the keys used to encrypt or digitally sign your artifacts in one central location. | |
Extended Flagging Safe Repositories Support | Declaring local and remote repositories as ‘safe’ by enabling the ‘Priority Resolution’ field for Local and Remote repositories has been extended to support Alpine, Bower, Conan, Conda, Cran, Go, Gradle, Ivy, Maven, Nuget, and SBT Packages. | |
Support for Controlling Signed URL Download Methods | You now have the option to set your signed URL redirects for Direct Cloud Storage using one of these methods: S3, CloudFront, or using a direct download without a signed URL redirect. | |
Distroless Scanning | Xray now can scan Google Distroless Images that only contain your application and its runtime dependencies. | |
Red Hat Vulnerability Scanner Certification | JFrog Xray is now certified with the Red Hat Vulnerability Scanner Certification. The certification recognizes Xray as a trusted Red Hat security partner. |
30 April, 2021
Federated Repositories (JFrog Subscriptions: ENTERPRISE, ENTERPRISE+) | The JFrog Platform enables you to create Federated Repositories, which support mirroring repositories and artifacts with JFrog Platform users located on remote JFrog Deployments (JPDs) in a multisite environment. | |
SCIM ID Management Support (JFrog Subscriptions: ENTERPRISE WITH SECURITY PACK, ENTERPRISE+) | JFrog supports managing both users and groups, and the association between them using the SCIM protocol 2.0. | |
Rest API Related Performance Improvement | Improved the performance when running the Scan Build API. | |
Distroless Scanning | Xray now can scan Google Distroless Images that only contain your application and its runtime dependencies. | |
Red Hat Vulnerability Scanner Certification | JFrog Xray is now certified with the Red Hat Vulnerability Scanner Certification. | |
Red Hat Packages Enhancements | Improved Red Hat packages scanning to support CPE matching to enhance Red Hat vulnerabilities detection. Xray also supports Red Hat Modules for better scanning of Red Hat OS packages. | |
Impact Analysis Performance Improvements | Improved the Impact Analysis performance, significantly reducing the database server CPU and I/O levels. | |
Limit Storage Space Used by Indexer | You can now limit the storage space used by the Indexer microservice during concurrent downloads and extraction of artifacts, ensuring used storage does not exceed the default usage. |
31 March, 2021
Projects in the JFrog Platform (JFrog Subscriptions: ENTERPRISE, ENTERPRISE+) | JFrog Projects is a management entity for hosting your resources (repositories, builds, Release Bundles, and Pipelines), and for associating users/groups as members with specific entitlements. | |
SCIM ID Management Support (JFrog Subscriptions: ENTERPRISE with SECURITY PACK, ENTERPRISE+) | Using the SCIM protocol 2.0, JFrog enables customers to create, remove, and disable user accounts from their choice of user management tool and automatically update the platform with these changes. | |
HashiCorp Vault Integration with the JFrog Platform (JFrog Subscriptions: ENTERPRISE with SECURITY PACK, ENTERPRISE+) | The JFrog Platform integration with Vault enables you to configure an external vault connection to use as a centralized secret management tool. | |
AQL Search for Remote Repository | Using AQL, you can now work with Remote Repositories. | |
Artifact Browser with More Filters and Advanced SetMeUp | Introducing new filters and improved SetMeUp capabilities in the Artifact Browser available to all new users and those upgrading from previous Artifactory versions. This new view and capabilities are now the default Artifact Browser view in the JFrog Platform. | |
Xray in Projects (JFrog Subscriptions: ENTERPRISE, ENTERPRISE+) | Use Xray capabilities in the scope of JFrog Projects. Offload and delegate Xray tasks to the different personas in your organization, such as assigning Xray security management capabilities to Project Admins on the scope of their specific projects. | |
Pipelines in Projects (JFrog Subscriptions: ENTERPRISE, ENTERPRISE+) | Use Pipelines capabilities in the scope of JFrog Projects. Offload and delegate Pipelines tasks, such as adding integrations, pipeline sources, and node pools, to Project Admins on the scope of their specific projects. | |
PrivateLink for AWS Cloud (JFrog Subscriptions: ENTERPRISE with SECURITY PACK, ENTERPRISE+) | The MyJFrog Cloud Portal enables customers to establish a secure network connection from their cloud account into their JFrog Cloud instance, without going through the public Internet, by setting up AWS PrivateLinks. | |
Cargo Packages Support | Artifactory natively supports Cargo Registry for the Rust language giving you full control of your deployment and resolve process of Cargo packages. Cargo downloads your Rust package's dependencies, compiles your packages, makes distributable packages, and uploads them to crates.io, the Rust community’s package registry. | |
Expanded Support for Priority Resolution for NuGet Packages | You can now declare local and remote repositories as ‘safe’ by enabling the ‘Priority Resolution’ field for Local and Remote repositories. Setting Priority Resolution takes precedence over the resolution order when resolving virtual repositories (currently supported for Docker, PyPI, RubyGems, NPM and NuGet packages). | |
Xray CVSS v3 Scoring Support | Xray now supports CVSS v3 scoring in addition to the CVSS v2 scoring. This will ensure that Xray's scoring of vulnerabilities is up-to-date and provide the latest universally standard severity ratings of vulnerabilities. | |
Xray Conan and C/C++ Support | Xray can now scan Conan Packages deployed to Artifactory. Xray can also scan C/C++ dependencies as part of a build. | |
Enhancements to HelmDeploy Native Step | HelmDeploy native step has been enhanced to support the input resources filespec and buildinfo. | |
Onboarding Wizard for Pipelines | The Pipelines UI now includes an onboarding wizard to help new users get started with adding an integration, a pipeline source, and a node pool. | |
Environment Variables Configuration Improvements | It is now possible to add a description and configure the possible list of values for environment variables when creating a custom run configuration. | |
Search/Filter Capability | Pipeline and run views now include search and filter capabilities, which enable you to quickly search pipelines by name and filter them by status. | |
Support for Extensions in Windows Node | Pipelines nodes now support the Windows operating system. Windows can be set as a platform while adding Extension resources and steps. | |
Pipelines in Projects | Pipelines capabilities are now supported in the scope of JFrog Projects. |
28 February, 2021
Enhanced Folder Download Functionality | The 'Folder Download' feature is now aligned with the JFrog CLI and supports downloading empty folders. | |
Additional Webhooks for Distribution | Added new events for Destination, which enables you to trigger events when a Release Bundle was received on an Edge node, and when a Release Bundle deletion process has started, completed successfully, or failed. | |
Quick Repository Setup | Admins can now use the Quick Setup to create repositories for selected package types in one go. With a couple of simple steps, admins can create local, remote, and virtual repositories for single or multiple package types. | |
Impact Path Data in Reports | You can now view the Impact Path data in the Due Diligence Licenses Report in the Get Due Diligence Report Content REST API and JSON and CSV outputs. |
31 January, 2021
New REST API to Restore Ignored Violations | Introduced a new Restore Ignored Violations REST API, which allows you to restore violations that were ignored due to defined Ignore Rules. | |
Impact Path Data in Reports | You can now view the Impact Path data for Vulnerabilities and Violations reports in JSON and CSV outputs. | |
Time-based Ignore Rule Filter for REST API | Filter the Ignore Rules by expiration date using the Get Ignore Rules REST API, for example to find time-based rules that will expire before or after a specific date. You can also sort Ignore Rules by expiration date. | |
View Ignored Violations in the Violations Report | You can view ignored violations data in the Violations Report including the Ignore Rule ID that can be used in REST APIs. | |
Reports Enhancements | Xray Violations and Vulnerabilities reports now include additional information regarding the severity received from the Red Hat OS advisory board. This information will be included in the CSV and JSON export formats of the reports. |
31 December, 2020
Central P2P Peer Management in the JFrog Platform (JFrog Subscriptions: ENTERPRISE+) | You can now modify and manage all the Peer-to-Peer (P2P) Downloads centrally by storing the configurations in the JFrog Platform. | |
Advanced patterns supported for Docker Virtual Repositories | Extended Ignore/include patterns for Docker Virtual Repositories. | |
Sizing Improvement | Improved the performance of the Xray Data tab in the UI. | |
Time-based Ignore Rule Enhancement | Time-based Ignore Rules enable you to set an expiration date for an Ignore Rule; the violation is ignored until the Ignore Rule expires. | |
Ignored Violations Stored in the DB | All ignored violations are now stored in the DB which enables you to view all ignored violations on the artifact, build, and Release Bundle level. | |
UI Enhancements | The UI now provides more information about an ignored violation in the different screens, including in the violations list for an artifact, build, and Release Bundle. | |
Export Components Details API Enhancement | Added the include_ignored_violations parameter to Export Component Details. This will return the ignore rule ID per matched policy. |
30 November, 2020
Hardened the User Login Messages | User Login messages have been modified to provide consistent responses on enumeration attempts to prevent the disclosure of valid accounts. | |
Helm V3 Support | Artifactory now supports Helm 3 clients, enabling you to deploy and resolve Helm Charts using Helm V2 and V3 clients. | |
OCI Support | Artifactory is now OCI-compliant and supports OCI clients, providing you with the ability to deploy and resolve OCI images in Docker Registries (the OCI client Singularity is not supported). | |
Improvements to RubyGems Indexing for Local Repositories | Added Bundler Compact index support for Local repositories for RubyGems providing you with the latest version of the package that is compatible with your installed Ruby version of the project. To use this new capability, in the artifactory.system.properties file, set the artifactory.gems.compact.index.enabled=true value. | |
Docker Registry Alignments in Artifactory to Meet Latest Docker Rate Limits. | Docker Registry functionality is now optimized in JFrog Artifactory to accommodate the latest Rate Limit changes announced by Docker. | |
Improved Indexer Functionality | Enhanced the indexer functionality with improved classification of artifacts and identification of complex cases, such as identifying inner components within other components. | |
Build Scanning Improvement | Improved the build scanning process: Xray now downloads from Artifactory only those artifacts that are part of the build and that Xray can scan, saving resources and time. | |
Violations Report | Introduced the new Violations report, which provides you with information on security and license violations for each component in the selected scope. | |
Ignore Rules | Enhanced the Ignore Rules feature functionalities, including the ability to set granularity on a defined Ignore Rule. All of the Ignore Rule functionalities are supported via the REST API |
31 October, 2020
New JFrog Platform Onboarding Experience | We have introduced a new Onboarding experience in the web UI for Admin users. This new interactive experience guides the user through the essential onboarding steps to get started with the JFrog Platform. | |
Verify Audience Restriction Applied for SAML SSO | The verifyAudienceRestriction attribute for SAML SSO has been set up by default to validate SAML SSO authentication requests. | |
Improved Maven Plugin Metadata Calculation | Maven plugin metadata is now calculated for every deploy or delete action. | |
Alpine Package Support in Xray | Xray now scans and indexes your Alpine Repositories and Alpine Packages, including recursive analysis, component graph integration, and providing detailed metadata information. | |
Python Package File Format Support | Xray now supports the indexing of Python files (PyPI) inside .tar, .gz, .tgz, .whl, and .egg file formats. | |
Support PHP files in *.tar Archives | Xray now supports PHP files inside *.tar archives. | |
New Metadata REST API | Added a new Resend Artifacts Metadata REST API that enables administrators to resend artifact metadata to the Metadata Server. | |
Due Diligence Licenses Report | Introduced the new Due Diligence Licenses Report, which provides you with a list of components and artifacts and their relevant licenses enabling you to review and verify that the components and artifacts comply with the license requirements. |
30 September, 2020
Peer-to-Peer (P2P) Download (JFrog Subscriptions: ENTERPRISE+) | The new JFrog Peer-to-Peer (P2P) Downloads feature allows hosts to download artifacts from local, remote, and virtual repositories through a local network of peers in addition to downloading artifacts from JFrog Artifactory. | |
GraphQL API for the JFrog Platform Metadata | JFrog's Metadata Service public APIs are now enabled allowing you to query the entities from the metadata server with GraphQL. | |
Viewing and Tracking Non-Revocable Access Tokens | You can view and track non-revocable Access Tokens in the UI, and filter them by revocability as well as by expiry. | |
Changes in Artifactory to Facilitate the New Docker Rate Limit | Artifactory has made improvements to support the usage of Remote Docker Repositories against Docker Hub, while taking into account the new Docker rate limits. | |
Docker Remote Repository Improvements | Docker Schema 2 is now fetched from the remote registry if no header was sent. This improves the Docker experience when the metadata expires. | |
Docker Pull Performance Improvements | Improved the performance of Docker pull requests by digest and tag by using more efficient queries and better utilizing the internal caching when serving Docker pull requests. | |
License Detection Improvements | Improved license detection performance and success rate to reduce CPU utilization. |
31 August, 2020
Vulnerabilities Report | You can now create and generate a Vulnerabilities report that gives you a visual representation of vulnerabilities found in your artifacts, builds, and release bundles. | |
Manage Reports User Role | A new role was added to the users' permissions allowing users to create, generate, and manage the new Reports feature in Users and Groups. This role is also required by some APIs such as Get Component List Per Watch and Find Component by CVE. | |
Multiple License Permissive Approach | The new Multiple License Permissive Approach gives you more flexibility at the policy level: you can configure a more permissive approach in which components that have at least one permitted license go through without triggering a violation, even if some of their licenses are not allowed. |
31 July, 2020
Users can be Assigned the Manage Resources Role | Admins can assign users that have the Manage Resources role to manage resources, including creating, editing, and deleting permissions on any resource type including Pipeline resources (Integration, Source, and Node Pools). | |
GraphQL Version Released in the JFrog Platform | JFrog's Metadata Service has now enabled the integration of the metadata server with a version of GraphQL public API. | |
Improved LDAP Pagination Support Usage | Added the Used Page Results parameter in the LDAP page to support LDAP Group pagination. This is supported for LDAP servers with more than 1000 groups which support groups pagination to allow admins to use paged LDAP results. | |
Persistent Expiry Threshold Token | Added the new persistent-expiry-threshold parameter to the Access YAML Configuration file, allowing you to set the minimum expiry value a token must have in order to be saved in the DB. | |
Improved Permissions Cache Invalidation | Minimized the scope of the invalidation action to only permissions associated with the specific service that needed the cache to be cleared. This allows shorter login times and better permission validation performance. | |
Indexing Improvements for Npm Packages | Implemented incremental indexing as part of the existing npm indexing mechanism resulting in reduced time to build the package index. |
30 June, 2020
Multi-factor Authentication (JFrog Subscriptions: ENTERPRISE+) | Administrators can enable Multi-factor Authentication for all users, which will require users to provide a verification code from a third-party authentication application every time they log in. | |
Event-driven Webhooks | The Webhooks feature enables you to send important events in Artifactory (such as Artifact Deployment or Build Deployment) to applications that are configured by setting a URL. | |
Alpine Linux Repository Support | Artifactory now natively supports Alpine Linux repositories, giving you full control of your deployment and resolution process of Alpine Linux (*.apk) packages. | |
Enhancements for Webhooks Events | Introduced a few fixes to Webhooks events, such as adding a build_started field to the Build events, additional fixes to Docker events, and improved payload data. | |
Artifactory Connection Management | Improved the process of Xray's active connections to Artifactory, by limiting the number of concurrent HTTP client connections. | |
Repository Scan Improvement | Indexing requests of Artifacts that were initiated from an index repository request are no longer persisted in the Artifactory database, thus reducing the network and database load. |
31 May, 2020
Artifactory Cloud with CDN Distribution (JFrog Subscriptions: ENTERPRISE, ENTERPRISE+) | Artifactory supports a fully integrated advanced CDN Distribution, removing the need to deal with the complexity of setting up a separate external CDN caching system and allowing you to manage, control, and distribute high volumes of software across multiple locations. | |
Support for Signed URLs (JFrog Subscriptions: ENTERPRISE, ENTERPRISE+) | Users with administrator or manage permission can now generate a signed URL that provides temporary shared access to a specific artifact, using the Create Signed URL REST API, or replace the key for signing and validating by using the Replace Signed URL Key REST API. | |
Support for RHEL 8 AppStream | Enhanced Deploying RPM Modules by supporting Red Hat Enterprise Linux 8, which contains support for enhanced Yum metadata for AppStream (RHEL8) or Modularity (Fedora) technology used in RHEL8. | |
Generate Maven POM File REST API | You can now Generate Maven POM File using the Artifactory REST API. | |
Xray Block Unscanned Artifacts Timeout Policy | You can now define a timeout policy for unscanned artifact download requests. |
30 April, 2020
Create Admin Access Tokens from within the UI | Administrators can now generate admin tokens for any of the services in the JFrog Platform directly from the UI. | |
Go Private GitHub Repositories Support | You can now create a remote Go repository and proxy Go modules and configure Artifactory and Go client to work with GitHub private repositories. | |
Conda v2 Format | Artifactory now supports the Conda v2 metadata format. You can now use Conda clients from version 4.7, and download/upload Conda v2 format packages from all repository types (local, remote and virtual). | |
Debian InRelease | Added support for Debian InRelease metadata files. Artifactory will now produce an InRelease metadata file in the repository when working with GPG signing. | |
Force Full Reindex of Existing Components Rest API | The new Force Reindex Rest API command allows you to easily re-index artifacts that were indexed in the past. | |
Added Dedicated Policy REST API V.2 Commands | Xray now supports the Policy commands REST API POLICIES-v1 and POLICIES-v2. The V.2 commands support blocking Release Bundles and now allow you to notify Watch recipients and File deployers. |
31 March, 2020
PAT (Personal Access Token) Support for Remote Repository Authentication | Artifactory now supports remote repository authentication using Personal Access Tokens (PAT), in addition to basic authentication, enabling you to strengthen your Artifactory security practices. | |
LDAP Improvements | Artifactory now supports a new type of Active Directory Nested Groups search, which enables performance improvements when working with LDAP. | |
Restricting System and Repository Imports. | Artifactory allows admin users to import and export data at both the system level and the repository level. | |
Support for Matrix-params with Conan Repositories | Artifactory now supports matrix parameters for Conan repositories. As a result, the Build Info for Conan packages uploaded to Artifactory SaaS is now available. |
28 February, 2020
JFrog Container Registry 7.0 | JFrog Container Registry 7.0 has been released. The JFrog Container Registry provides a set of features that have been customized to serve the primary purpose of running Docker and Helm packages in a Container Registry. |
12 January, 2020 - Initial JFrog Platform GA
This section describes the general availability release for the initial JFrog Platform, including the general and JFrog product-specific changes applied in the JFrog Platform for Cloud (SaaS) users.
JFrog Artifactory 7.0
JFrog Xray 3.0
JFrog Mission Control 4.0
JFrog Distribution 2.0
JFrog Pipelines 1.0
JFrog on-prem customer?
If you are an on-prem user, check out what's new on-prem.
Advanced Cloud Environment Settings
Dedicated Cloud NAT IPs Used in the JFrog Platform
Cloud customers that have previously set up whitelisting on their external services (such as LDAP and SAML) to support communication between their external services and JFrog Cloud need to update their Allow list according to JFrog's updated Cloud NAT IP list.
Features and Functionality
Unified Experience
The user interface provides a consistent experience across all JFrog products. It is designed to support the most commonly used workflows, including improved package management, security and compliance, and package distribution, continuing to provide you with full flexibility. To support this experience the internal architecture (defined as a JPD) is designed to provide JFrog users with the same user experience across the JFrog products that have been installed.
To support the different user workflows, the UI is divided into two main modules:
Application Module: provides an easy-to-use interface for viewing your packages, builds and artifacts in Artifactory, including Xray security vulnerabilities and violations, Dashboard topology and trends, Distribution release bundles and Pipelines DevOps automation.
Administration Module: provides a consolidated place for configurations of all JFrog products (common and product specific), including centralized settings such as monitoring (storage, replication, service status), security and compliance, proxies, license and user management, as well as property sets, backups, indexed resources, database sync and webhooks.
Both modules include an advanced search mechanism.
Flexible Permissions Model
Administrators get fine-grained permissions control over how users and groups access the different resources (repositories, builds, Release Bundles, destinations).
Security and Compliance Across Your DevOps Pipeline
Fully integrated into the JFrog Platform, JFrog Xray protects your artifacts, repositories, builds and release bundles across the entire CI/CD pipeline.
Get JFrog's vulnerability database, which is continuously updated with new component vulnerability data and includes VulnDB, the industry's most comprehensive security vulnerability database.
Identify security vulnerabilities and license violations according to your organization's needs. A dedicated Security and Compliance section in the UI allows you to set policies and watches on all your JFrog resources.
Configure watches and policies with the option to block artifact download, Release Bundle distribution to Edge nodes, and even break Builds.
Use advanced filtering that allows you to configure include/exclude patterns when setting indexed resources or when setting a Watch on the resources.
Secure Distribution Process
Manage the creation and distribution of Release Bundles to your Artifactory Edge Nodes. Gain better visibility and traceability into your distribution process with a complete view of all contents and package references of your Release Bundles.
User Interface
The following table is a quick reference to common functionalities in the JFrog Platform, including their new locations and any functional changes.
JFrog Product | Functionality | Location in the New UI | Comments |
---|---|---|---|
Artifactory | Custom Base URL Date Format Look and Feel Settings Custom Message |
| |
Dedicated Artifactory Settings |
General: Settings, Property Sets | ||
Xray | Xray Permissions |
| As part of the JFrog Platform permissions unification, permission targets that were previously separated per product are now represented as one permission target with multiple permission options for the different JFrog products. Changes include:
As part of the permission migration process:
|
|
| ||
Policies and Watches |
|
| |
Dedicated Xray Settings |
General: Indexed Resources, Webhooks, Integrations |
Deprecated Features
JFrog Product | Feature |
---|---|
Artifactory |
|
Xray |
|
Browsers | |
Internet Explorer | The Internet Explorer browser is not supported in the JFrog Platform. For a list of supported browsers, see Browsers. |
Breaking Changes
Category | Feature |
---|---|
JFrog Artifactory |
|
JFrog Xray |
|
REST API Changes
New shared base URL for all JFrog services
The JFrog Platform release introduces a new unified way to access all JFrog services through a single URL, in the following format:
https://<Server Name>.jfrog.io/<Service Context>/
For example:
https://myservername.jfrog.io/artifactory/
https://myservername.jfrog.io/xray/
For backward compatibility, JFrog Artifactory and Xray will continue to work as before:
https://<Server Name>.jfrog.io/<Server Name>
https://<Server Name>-xray.jfrog.io/
The following table summarizes the list of changes from previous JFrog product versions to the JFrog Platform.
JFrog Product | Deprecated | New | Updated |
---|---|---|---|
Artifactory | |||
Xray |
|
|
|