Using with JFrog Artifactory

Tidelift integrates with JFrog Artifactory to help you keep only known-good, approved open source in your repository manager. We integrate with Artifactory in both directions.

Our integration currently works with JFrog Artifactory version 7. If you are using an older version of JFrog Artifactory, please contact

Download Tidelift's Artifactory plugin.

1. Initial catalog creation (Artifactory → Tidelift)

  1. When creating your organization’s catalog, you can import a list of all open source package releases (e.g. each version of each package) currently in use at your organization from Artifactory.
  2. Upon successful import, Tidelift will provide guidance on each package release on whether or not we recommend including the package release and related release streams in your catalog. For example, we would not recommend including a package release with a security vulnerability in your organization’s catalog. 
  3. You can choose to accept Tidelift’s version guidance or manually inspect each issue affecting a package release.
  4. Your initial catalog has now been created based on usage from JFrog Artifactory.

2. Updating Artifactory with what’s in the catalog (Tidelift → Artifactory)

The Tidelift → Artifactory integration will ensure that Artifactory contains an accurate representation of what’s in your Tidelift catalog. Every time a change is processed for your Tidelift catalog, we will update a tidelift.status property on the original artifact in Artifactory.

When tidelift.status is set to denied for a given package release, developers will receive a 403 Forbidden error when attempting to download the package for use from Artifactory.

3. How the Tidelift + Artifactory integration works

The Tidelift + Artifactory integration has two components: Artifactory webhooks and the Tidelift plugin.

Artifactory webhooks

Users can enable webhooks within their Artifactory instance to trigger automatically based on pre-defined events in Artifactory. 

Tidelift plugin

The Tidelift plugin triggers based on two primary events within Artifactory: afterCreate and download. 
When a new package is created within Artifactory (afterCreate), the Artifactory webhook will make an asynchronous call to and set the tidelift.status artifact property to pending.
If a user decides that a package release is approved or denied within their Tidelift catalog, then Tidelift will update the tidelift.status on that artifact in Artifactory to Approved or Denied, respectively, using a POST HTTP method.

The Tidelift plugin will monitor all download events within Artifactory to block any artifacts with a tidelift.status of Denied from being downloaded. The download hook fires on every download request regardless of whether or not the package is in Artifactory already.
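
The following audit sketch is an added example, not part of Tidelift's plugin or documentation. It classifies artifacts by their tidelift.status property and lists those that would still be served without an Approved status. It assumes, as described above, that only Denied is blocked, and that the JSON bodies have the shape returned by Artifactory's item-properties API (GET /api/storage/<repo>/<path>?properties=tidelift.status). Status values are compared case-insensitively as an assumption, and the sample data is constructed.

```python
import json

STATUS_PROP = "tidelift.status"  # property name used on this page

# Constructed sample bodies, one per artifact, in the assumed shape of
# Artifactory's item-properties response. Repository and package names
# are made up for this example.
SAMPLE_RESPONSES = {
    "npm-local/alpha/-/alpha-1.0.0.tgz": '{"properties": {"tidelift.status": ["Approved"]}}',
    "npm-local/bravo/-/bravo-2.1.0.tgz": '{"properties": {"tidelift.status": ["denied"]}}',
    "npm-local/charlie/-/charlie-0.3.1.tgz": '{"properties": {"tidelift.status": ["pending"]}}',
    "npm-local/delta/-/delta-4.0.0.tgz": '{"properties": {}}',
    "npm-local/echo/-/echo-1.2.0.tgz": '{"properties": {"tidelift.status": ["approved", "Denied"]}}',
    "npm-local/foxtrot/-/foxtrot-0.9.0.tgz": '{"properties": {"tidelift.status": ["aproved"]}}',
}

def read_status(body):
    """Return the set of lower-cased tidelift.status values in one response body."""
    props = json.loads(body).get("properties") or {}
    values = props.get(STATUS_PROP, [])
    if isinstance(values, str):  # tolerate a bare string instead of a list
        values = [values]
    return {v.strip().lower() for v in values}

def classify(body):
    """Return (download outcome, state) for one artifact."""
    statuses = read_status(body)
    if "denied" in statuses:  # assumption: a denied value wins over any other
        return ("blocked", "conflict" if len(statuses) > 1 else "denied")
    if not statuses:  # the afterCreate webhook never tagged this artifact
        return ("served", "missing")
    if len(statuses) == 1 and statuses <= {"approved", "pending"}:
        return ("served", next(iter(statuses)))
    return ("served", "unexpected")  # typo or multi-valued property

def audit(responses):
    """Return {path: state} for artifacts that are served but not approved."""
    gaps = {}
    for path, body in sorted(responses.items()):
        outcome, state = classify(body)
        if outcome == "served" and state != "approved":
            gaps[path] = state
    return gaps

if __name__ == "__main__":
    for path, state in audit(SAMPLE_RESPONSES).items():
        print(f"{state:10} {path}")
```

Artifacts reported as missing or unexpected are worth checking first, since they indicate the webhook did not fire for that repository or the property was edited by hand.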

4. Setting up the Tidelift + Artifactory integration


You'll need to set up an Artifactory webhook and point it to Tidelift:
First, request a Tidelift API key for Artifactory by emailing We will respond via email with your API key.
Copy tidelift.groovy—the Tidelift Artifactory plugin—into $ARTIFACTORY_HOME/etc/plugins.

Webhook Setup

For Artifactory 7.6+

Set up a webhook in Artifactory for Tidelift in Administration > General > Webhooks, with the following values:

  Name: Tidelift
  Event: "Artifact was deployed" (and pick the Artifactory repositories you'll use for your Tidelift Catalog)
  Secret Token: <API key from the first step>

For Artifactory <7.6

Older versions of Artifactory don't support webhooks natively, so you'll need to install the Artifactory webhook plugin.

  1. Once you've installed the webhook plugin, enter your Tidelift API key from above into the included "webhook.config.json" file, and copy that config file into the same folder ($ARTIFACTORY_HOME/etc/plugins).
  2. Reload the webhook plugin:

     curl -s -u admin:<admin password> -d "" $ARTIFACTORY_HOST/artifactory/api/plugins/execute/webhookReload
