JFrog Software Supply Chain Platform

JFrog Artifactory  is designed for software management. We used it for storing all assets and packages that were downloaded from external package systems, making them available for our development teams to use in their builds.

It primarily supported a fail-fast approach, where vulnerabilities were identified ahead of time, enabling us to alert our development team to use the latest packages without those vulnerabilities.

JFrog Artifactory  proved very helpful in supporting a variety of package types for different projects.

The best features of JFrog Artifactory include the core functionality of package management and software management, along with scanning capabilities to prevent vulnerabilities from being introduced.

The metadata management feature was particularly useful for managing packages within JFrog Artifactory.

We utilized Xray integration with JFrog Artifactory, which was instrumental in managing vulnerabilities overall.

JFrog Artifactory has robust functionality in terms of access control, which helped us ensure minimal access to various artifacts.

I would rate it eight out of ten because it is a great product that is widely used in the industry. It has excellent features from an artifact management perspective and maintains good integrations.

JFrog could improve this product with tighter integration capabilities.

I used JFrog Artifactory in the last twelve months.

I would rate their support for JFrog Artifactory as seven out of ten.

Positive

I am no longer using JFrog Artifactory in my current role as I moved away from the team. The metadata management features were very useful, particularly for managing packages inside JFrog Artifactory. We were customers of JFrog. Based on my experience, I would rate JFrog Artifactory eight out of ten.

The main use case was to store the artifacts, store the binaries, basically. And then we used it as a container registry as well.

One of my tasks was to get X-ray running. I got the product running and tested it, but users never really started using it. So, from the user perspective, I don't really know how much they used X-ray.

What I can say about X-ray is that it did what Artifactory advertised. So, from that point of view, in my opinion, it worked fine, but we never really got to use it too deeply. We never got enough requests from our customers, the developers, or the security management team to implement some checks or block downloads from Artifactory, even when the software is too old or has some vulnerabilities.

That was a disappointment for me because I worked on the installation and management of X-ray for a couple of months. But that's not something that X-ray is responsible for.

For me, Artifactory was just a system that I needed to maintain, install, update, and back up.

I was an administrator of Artifactory, the person who manages the software. For me, it was manageable and stable. The upgrades were coming regularly, and the documentation on how to upgrade the system was clear. 

Then, when we had to implement certain customizations because of the way our networking is set up, it could get messy. But with the help of support, we got it working. Sometimes, the database got corrupted or something wrong happened, and then we needed support. In most cases, they were able to help us and sort it out.

So far, the software worked fine. There are some other products like Artifactory Insights that provide some level of monitoring and management and graphs of utilization.  

Sometimes the documentation was sort of messy because there are many possibilities for where and how to install Artifactory. So sometimes, I got a little bit lost, and it wasn't very clear which path in the documentation to take. But when I tested things and could just follow the manual, that was working fine.

Sometimes the UI was not working as expected. Users were complaining that they didn't see their Artifactory, but they had to clear their browser cookies or something. It was just the browser taking some information from the caches of the user's PC. So sometimes, this can be better. The UI could get laggy; maybe because our environment reached its limit. We had a large number of assets. It could take time for all the artifacts to load.

If there could be some better features for me, it would be being able to upgrade Artifactory directly from the UI. I think that is something that JFrog maybe offers with the cloud solution, but I don't know. For some reason, we still use the standalone on-premise solution. Maybe that version doesn't provide this functionality.

I've worked with Artifactory for two years.

For the most part, it's pretty stable. We had some performance issues. Sometimes, users complained that it was slow, especially with replication. We upload the artifacts into a central Artifactory that then replicates the artifacts to our other networking environments. Sometimes, it may be slow because of our network. 

Sometimes, it seemed to me that something was happening in the architecture itself that was making this process slow. Either it was maybe some kind of Artifactory process running in the background that slowed down this replication process, or, at times, I had this kind of feeling that I don't know why it's not replicating that Artifactory. And I wasn't able to really tell the user what was happening. It was mostly with the container images. Sometimes, it seemed that the container image was not replicated completely. You can see the container image in the other location, but the container image consists of several parts. And for example, one or two parts were missing. So then, the user was not able to download the container image and to really use it. So there were cases like this, and we had to basically delete the artifact in the affected location and try to replicate it again. I think, if I remember correctly, we were solving this issue with support.  

We have piles of data in there. We put lots of data into just one Artifactory. There were several millions of artifacts and terabytes of data, like hundreds of terabytes of data, on the file system.

We used three or four virtual computers to run the software and utilize the load, and those machines handled it fine. So, from this kind of point, it was okay. 

But from the manageability point of view, I would probably do it differently. I would probably split the data into several Artifactory instances because of backups and such things. So, from the scalability point of view, it was scalable.

We had developed some Ansible scripts that deployed Artifactory. I don't remember it exactly, but I guess they were sort of using the solution that JFrog provides. They have some Ansible scripts. So, I think we used those scripts to some extent and then modified them to our use case. That's the way we deployed Artifactory with Ansible scripts.

I came to an almost ready solution that was done by my colleague. I tweaked a little bit here and there depending on the changing requirements, like from the security team that told us to install certain firewalls or antivirus software. So, there were not any significant challenges to using those scripts. 

From my point of view, the maintenance aspect is not difficult. Doing the backups or updates usually worked fine. 

I personally would probably recommend it. For me, it did what it did well, or at least that was my feeling from it. So, I would recommend it. 

Overall, I would rate it an eight out of ten. 

We usually use it to store our artifacts, version them, and use them in production. We use it in CI/CD pipelines. All our R&D uses it as do all our development teams that need to release software. It doesn't matter what, they use it.

JFrog Artifactory  is very essential to us. Without it, we could not use the artifacts, the products that our developers are writing. We would need to maintain a lot of different artifactory repositories in a lot of places. It would be more difficult. You definitely need some kind of artifactory solution. It doesn't necessarily need to be JFrog, but in my opinion, it's better to use it because it's a good, centralized solution. I haven't found any good competitors.

The way to explain to C-suite executives why they should continue to invest in JFrog is that it saves a lot of time and a lot of mundane work that would be required to maintain many solutions that JFrog gives you in one solution. 

We don't have to maintain a lot of repositories. We get the same outcome with JFrog with less maintenance. With the SaaS solution, we don't even need to maintain the installation, the server, or whatever infrastructure is around it. There is less involvement in artifactory management.

We don't need to use all kinds of artifactories like Docker  Hub or different PyPI repositories for Python. Everything is there and we don't need to pay different companies for all these solutions or to maintain them.

It gives us a good workflow in terms of how we create software because we use it for all of our artifact types. It's good that it's centralized and it helps us in our CI/CD flows, to release software. You don't need to create different scripts or automations to upload different kinds of artifacts to different vendors or repositories. It simplifies our workflow.

The most valuable feature is that it is a centralized repository and that you can open multiple repositories for different types of artifacts. That is very good. 

Also, the fact that you can integrate artifacts with authentication systems, like Active Directory or Okta is valuable.

And for binary management, versioning them, it does a very good job and it gives us a good API to work with.

In some of the latest versions of JFrog's SaaS solution, they changed the user interface, the SSO  settings, how you interact with them over API, and how you generate tokens. It was very confusing for me. The overall user management is very complicated.

Also, their documentation about how to do things could be better. It was very confusing. I had been using it for a couple of years and then they completely changed how it works—the user and token management.

I have been using JFrog Artifactory  for three or four years. I have used it in almost every workplace.

It's very stable. I don't think I have had many problems. There may have been some many years ago, maybe, but not something critical.

It scales very well. In a previous company, we used it in a couple of locations globally and it was also an on-premises installation. We used the syncing options for repositories and it worked very well. We didn't have a lot of problems setting it up or using it.

In my current company, we have about 200 users.

We use it all the time. If we have another artifact type to throw in it, we will increase our usage of it. Every new software that we have developed and released has gone to JFrog Artifactory. We're always increasing its use.

The technical support is an eight out of 10.

Positive

Before JFrog Artifactory, we used all kinds of solutions, like Docker  Hub and PyPI, but we didn't have a centralized solution like JFrog.

drop database *;

It's very good that they have SaaS and non-SaaS solutions. You can take the SaaS solution and simply use and get support. But for small companies that don't want to invest in paying them for the solution, their free, on-premises solution is very good. It's almost the same as the paid version, minus the support and some features. It's very important that they have both options.

Because we use the SaaS solution, there is no maintenance involved for us. They maintain it. We maintain our versions and artifacts within it, but not the system itself.

Artifact did not affect how long it took us to fix the Log4j issue because our company was part of some cybersecurity companies that detected the breach and we fixed it for ourselves.

I would recommend using it because it's a great tool. Everyone is using it, most companies, as far as I know. It's a very well-known solution. It's a good, centralized solution.