JFrog Artifactory has become the artifact management platform of choice for large enterprises. It handles everything from Maven JARs and npm packages to Docker images and Helm charts. Its universal repository model means a single platform manages your entire artifact supply chain, which makes its security configuration critically important.
A misconfigured Artifactory instance is a supply chain compromise waiting to happen. This guide covers the security configurations that enterprise teams need to get right.
Permission Model
Artifactory's permission system is built around permission targets, which map users and groups to repositories with specific actions (read, deploy, annotate, delete, manage).
Design Permission Targets Carefully
The most common mistake is creating overly broad permission targets. A single permission target that grants deploy access to all repositories for all developers means any developer can push artifacts to any repository. This makes insider threats trivial and accident recovery harder.
Instead, create permission targets per team or per application:
- Frontend team gets deploy access to frontend artifact repositories
- Backend team gets deploy access to backend artifact repositories
- Release engineering gets deploy access to release repositories
- Everyone gets read access to shared libraries
Separate Read and Write Access
Not everyone who reads artifacts should be able to write them. CI/CD pipelines that build applications need read access to pull dependencies. Only the pipelines that produce artifacts need write access. Create distinct permission targets for readers and writers.
Restrict Virtual Repository Access
Virtual repositories aggregate multiple local and remote repositories behind a single URL. This is convenient but can expose more repositories than intended. Verify that virtual repository configurations only include the repositories that the consuming audience should access.
Access Tokens and Authentication
Replace API Keys With Access Tokens
Artifactory's older API key mechanism is deprecated. Access tokens provide better security with scoped permissions, configurable expiration, and revocation capability.
Generate access tokens through the UI, CLI, or REST API. Set a reasonable expiration period. Tokens for CI/CD pipelines should expire and be rotated regularly, not created once and forgotten.
Use Project-Scoped Tokens
Artifactory's project feature allows scoping tokens to a specific project, limiting their blast radius. A compromised project-scoped token cannot affect artifacts outside its project.
Integrate With Your Identity Provider
Configure SAML or OIDC integration for user authentication. This provides centralized user management, MFA enforcement, and automatic deprovisioning. Store the SSO configuration securely and test failover scenarios.
JFrog Xray Integration
Xray is Artifactory's companion tool for vulnerability scanning and license compliance. If you have Xray, configure it properly. If you do not, you are missing a significant security capability.
Create Security Policies
Xray policies define what happens when a vulnerability or license violation is detected. Create policies with specific severity thresholds and actions:
- Block download for artifacts with Critical vulnerabilities
- Generate violation for artifacts with High vulnerabilities
- Notify for Medium vulnerabilities
Apply Watches to All Repositories
A Xray watch links a policy to a set of repositories. Create watches that cover all your repositories, not just the ones you think are important. The repository you skip is often the one that gets compromised.
Configure Xray Indexing
Xray must index artifacts to scan them. Ensure indexing is enabled for all repository types you use. Check that the Xray database is being updated regularly with the latest vulnerability data.
Repository Hardening
Make Release Repositories Immutable
Production release repositories should not allow overwriting published versions. Configure the repository's package type settings to reject redeployment of existing versions. This prevents an attacker or accidental process from replacing a known-good artifact with a malicious one.
Validate Checksums
Enable checksum verification on remote repositories to ensure that artifacts downloaded from upstream registries match their expected checksums. Reject artifacts with missing or mismatched checksums.
Configure Repository Layout
Each repository type has a layout that defines the expected path structure for artifacts. Properly configured layouts help Artifactory parse and validate artifact metadata. Incorrect layouts can cause scanning tools to miss artifacts or misidentify versions.
Network and Transport Security
Enforce HTTPS Everywhere
All Artifactory endpoints should use HTTPS. This includes the main UI, REST API, Docker registry endpoints, and repository access URLs. Configure TLS at the reverse proxy or load balancer level, and ensure internal communication between Artifactory nodes also uses encryption.
Restrict Outbound Connections
Artifactory remote repositories connect to upstream registries. Restrict outbound connections to only the registries you actually use. A blanket allow-all outbound policy means a misconfigured remote repository could connect to an attacker-controlled server.
Enable Connection Monitoring
Monitor Artifactory's connections to remote repositories. Alert on connection failures (which might indicate a DNS hijacking attempt), unexpected new remote repositories, and changes to existing remote repository URLs.
Backup and Disaster Recovery
Back Up the Database
Artifactory stores metadata, configuration, and security settings in its database. Back up the database regularly and test restoration. Losing the database means losing all permission configurations, user mappings, and repository definitions.
Back Up the Filestore
Artifact binaries are stored in the filestore. Include the filestore in your backup strategy. Consider using cloud object storage with versioning enabled for additional protection against data corruption or deletion.
Test Recovery Procedures
A backup that has not been tested is not a backup. Regularly test restoring Artifactory from backups to a separate environment. Verify that security configurations, permissions, and artifacts are all intact after restoration.
How Safeguard.sh Helps
Safeguard.sh extends Artifactory's security capabilities by providing comprehensive SBOM generation and supply chain analysis across your entire artifact inventory. While Xray focuses on known CVE scanning, Safeguard.sh maps the full dependency graph of your artifacts, identifies supply chain risks beyond individual vulnerabilities, and provides the visibility needed for incident response when a new CVE affects your software supply chain.