Robust artifact management is key to software delivery cycles at scale, something that developer tool specialist JFrog has been adamant about for years.
“As developers ourselves, we understood the pain of not having a binary manager, so we introduced the industry’s first artifact management solution. This new category of tools became a critical pillar for any development effort,” JFrog’s Avigail Ofer says in a blog post.
Ofer says JFrog’s OSS Artifactory is still the only artifact manager that supports some 27 package types in one product, including a Docker image registry and a Helm repository, with other vendors only lately “starting to catch on”.
Ofer compares it with AWS’s entry into the space: the CodeArtifact service for binary management, an S3-based managed artifact/binary repository that is “similar in concept” to JFrog’s base-level Artifactory SaaS service offered on the AWS marketplace and on other public clouds.
Both solutions encrypt the stored artifacts and provide fine-grained RBAC for access control and compliance. Both solutions allow users to proxy external repositories.
“However, CodeArtifact only supports proxying of official upstream repos: npm – npm.js, Python – PyPI, Maven – Maven Central, Google Android repository, Gradle plugins repository and CommonsWare Android repository,” Ofer says.
“Furthermore, CodeArtifact has a strong limit of one external remote repository (called ‘external connection’). It is unclear what is the search order between hosted, upstream and external repos and how permissions are propagated.”
At the time of writing, Ofer says, Maven metadata had to be manually uploaded to CodeArtifact by clients. Snapshotting can be key to development teams that are building new software concurrently at speed.
AWS CodeArtifact requires integration with AWS’s ECR service and doesn’t support storing and managing cloud-native components either, says Ofer.
“This creates acute visibility and traceability issues in your release pipeline, since container images are comprised of release packages coming from other repositories, such as npm, golang, or Maven,” Ofer says.
CodeArtifact uses AWS Identity and Access Management (IAM), with a token that’s hardcoded to expire after 12 hours, so tokens must be regenerated and package managers reconfigured accordingly.
Artifactory allows for integrations with different identity providers such as Okta, OneLogin, PingOne or GitHub.
Both solutions provide detailed auditing of the status and usage of binaries. Both can integrate with a team’s CI/CD and the DevOps tools a developer is already using, through extensive CLI and REST APIs, says JFrog’s Ofer.
Pricing could be a positive for the AWS offering, which obviously integrates natively with the AWS ecosystem. CodeArtifact bills according to usage, including the size of artifacts stored, number of requests made, and amount of data transferred out of an AWS region. At the time of writing, the first 2GB of storage and first 100,000 requests per month were free.
“The free capacity may make CodeArtifact desirable for very small teams and SOHO development shops,” Ofer says.
“Artifactory SaaS on AWS is offered in several plans, with a monthly subscription cost that includes usage. Starting at $98/month for binary management, the base-level service includes 2GB of storage and 10GB data transfer. The next subscription level, including security scanning, comes with 20GB of storage and 200GB data transfer.”