Harness Artifact Registry strengthens supply chain governance
Harness makes its artifact registry generally available beyond early preview customers, with a security twist that could challenge established players such as JFrog.
Following an 18-month public beta period, Harness made its Artifact Registry generally available for its DevSecOps platform this week, with a nod to software supply chain security through a feature the vendor says can block risky packages at the source.
Software artifacts are a common asset within the software development and delivery process. They include a variety of widely used components, including open source packages, libraries and frameworks. Software artifact registries store and manage these components. The most widely used commercial artifact registries are Sonatype's Nexus Repository and JFrog's Artifactory. In recent years, both artifact registries have become part of broader software development tool chains, which also emphasize software supply chain security. Startups such as Cloudsmith also advocate for software artifacts as the main control point for DevSecOps workflows.
Harness.io began with a focus on CI/CD pipelines, but has also expanded its DevSecOps platform to include adjacent workflows, from a git code repository to downstream application security and incident management. It first launched its Harness Artifact Registry in September 2024, with its typical pitch to enterprises -- an expansion of its one-stop shop for software development tooling.
"Our philosophy at Harness is that any module can be purchased a la carte, which means you don't need to have a dependency on any other module, and Harness Artifact Registry can be purchased standalone," said Shankar Hariharan, director of product management at Harness. "But existing CI/CD customers who are already in the DevOps workflow within Harness would see a much better user experience in terms of native integrations that are available in CI/CD and security modules."
One-stop shop appeal
One such customer is Drax Group, a UK-based renewable energy company that had already begun consolidating its software delivery pipeline tooling on Harness three years ago. The company is still consolidating pipelines onto Harness and will also likely consolidate disparate artifact management tools into the new Artifact Registry module, according to Jasper van Rijn, head of software design and engineering at Drax.
"We have quite a mixed landscape of legacy platforms, and so lots of engineers are trying to solve [artifact management] using slightly incorrect tooling. … So we would have assets sort of hanging off the end of pipelines that they would then be taken from and moved further into the process, as well as just file shares, areas on the network where builds would be stored, which obviously has all kinds of risks," van Rijn said. "We need to consolidate all of that into something more manageable … and this on-platform capability [means] one less set of credentials, one less set of identity and access management roles."
Harness is still expanding Artifact Registry's features, including support for more package ecosystems, advanced lifecycle management, immutability, auditing and AI automation for artifacts across the broader platform, according to a company blog post.
Harness Artifact Registry is not as mature a product as artifact management specialist competitors, but it's a clear challenge to those vendors within the Harness customer base, said Andrew Cornwall, an analyst at Forrester Research.
"It’s obvious [Harness] wants to replace JFrog or Cloudsmith among its customers [and is] pushing better integration in the software delivery lifecycle," Cornwall said. "If you’re using Harness for everything else, you can use the same policy mechanism for artifacts as you do for CI/CD. … The integration could be enticing if you’re already in the Harness ecosystem."
Dependency Firewall piques analyst interest
Harness made its intentions of branching into artifact management clear, and already offers a more extensive Supply Chain Security module. But the GA release of Harness Artifact Registry also builds in a new Dependency Firewall specifically for policy-based management of open source packages, including blocking potentially malicious packages before they're brought into an organization.
This potentially puts Harness in a rare competitive position, according to some analysts.
While plenty of other vendors offer features similar to Dependency Firewall, including JFrog, Sonatype and Cloudsmith, they are typically tied to artifact repositories rather than to any CI/CD pipelines those vendors control, said Katie Norton, an analyst at IDC.
JFrog's partnership with GitHub blurs those lines a bit. JFrog also has JFrog Pipelines, but Norton said, to her knowledge, it is not as widely adopted as products from GitHub, GitLab and other DevOps vendors. GitHub also has its own upload-artifact and download-artifact actions, as well as an attest-build-provenance action and Dependabot; GitLab offers a package and container registry.
Overall, "what makes Harness's positioning somewhat distinct is the pipeline ownership angle," Norton said. "Because they orchestrate CI/CD, embedding the registry and dependency controls directly into the delivery workflow means policy enforcement can happen as a native step in the pipeline rather than as an external gate."
This aligns with a broader security narrative that Harness has been building for the past two years, Norton said. Product updates during that time include the Supply Chain Security module, the integration of runtime and API security features from Traceable, and application security testing and application security posture management from Qwiet AI.
Generally, all of these artifact management and DevSecOps pipeline vendors are responding to two big industry trends that have been prominent over the last year. High-profile software supply chain attacks, often the result of developers importing compromised open source packages, have made headlines. Meanwhile, there has been an explosion of AI-generated code hitting DevOps pipelines at high speed, said Janet Worthington, an analyst at Forrester Research.
"The artifact registry plays a key role in governing what can and cannot be utilized in the software development lifecycle," Worthington said. "Governance becomes increasingly important, as does managing the chain of custody for build artifacts to allow development teams to move fast securely."
