
JFrog touts DevSecOps edge in CI/CD tools

JFrog hops aboard a crowded CI/CD bandwagon, but its expertise in artifact and package management could appeal to security-conscious DevOps shops.

Artifactory vendor JFrog expanded into continuous integration/continuous delivery tools with the release this week of JFrog Platform, which incorporates CI/CD tools it gained through the acquisition of Shippable last year.

With JFrog Pipelines, as the tools are now known, JFrog joins a chorus of vendors offering broad DevOps pipeline suites that go beyond their original role in the software development lifecycle. JFrog Pipelines integrates the CI/CD tools JFrog gained in the Shippable acquisition with the JFrog artifact repository; similarly, GitHub added CI/CD tools to its source code repository management tools last year.

JFrog plans to draw on its expertise in artifacts, units of software that compile raw code into binaries that can run on machines, to differentiate JFrog Platform from CI/CD tools that are organized around processing raw source code.

"Source code is important, since it's how developers are working, but pipelines are about machines, which aren't speaking source code," said Dror Bereznitsky, chief product officer at JFrog. "They're dealing with packages, which are what you deploy to production."

Binary focus may have good DevSecOps 'side effects'

JFrog Pipelines will manage binary metadata and group multiple sets of binaries into building formations. The company claims this is a more elegant way to manage dependencies between changes made by multiple development teams than creating multiple parallel pipelines attached to separate source code repositories. JFrog Platform also builds in Xray, which scans binaries for license issues and security vulnerabilities, and supports the deployment of binaries from most major package managers.

The JFrog Platform now includes CI/CD tools to build and manage DevOps pipelines.

Most CI/CD tools integrate with package managers for similar purposes. But JFrog could differentiate its Pipelines product based on its experience developing the Artifactory artifact repository manager, as well as its messaging.

"Everyone is really doing the same thing -- transforming code into software packages and then shipping those packages to production," said Tom Petrocelli, an analyst at Amalgam Insights. "But there are security advantages as a side effect of the way [JFrog thinks]."

This relates to the fact that enterprise DevOps shops in the Linux world increasingly use package managers to centralize corporate governance, explained Charles Betz, an analyst at Forrester Research.

"There's a heck of a lot of digital management that revolves around artifacts when you don't own the source code, when that code is written by open source communities and vendors," Betz said. "I frequently recommend, especially to larger companies, that all deployable packages be checked in to a package manager -- it's an important control point given the increasing autonomy of product teams."

Historically, companies have tried to pre-approve all the software that development teams use, but as microservices proliferate, that approach becomes unmanageable, Betz said. JFrog's built-in Xray scanning tool may also be a DevSecOps selling point for shops facing this problem, he added.

A 'Wild West' DevOps tools market heats up

JFrog and GitHub will also compete with vendors that look to expand upon existing CI/CD toolchains, such as CollabNet VersionOne, which joined with XebiaLabs to create a new DevOps platform that links Agile planning processes with software delivery. CloudBees, already known for its Jenkins CI/CD tools, will release a broader set of tools this year based on its acquisition of Electric Cloud, which adds value stream management and DevOps analytics features.

"It's a crowded market, [JFrog] is coming in late, and they have a brand that sits very firmly in one area," Petrocelli said. "But so do Atlassian and GitHub -- it's going to be a bit of a Wild West for a while, with growth and investment, but also confusion."

Still, enterprises can't afford to wait for the market to slow down before they adopt a CI/CD tool, Petrocelli said.

"Among other things, automation leads to worker satisfaction," he said. "It's something enterprises can't afford not to have as the labor market for IT gets tighter and tighter."
