This functionality is not yet supported by Access due to the 1-to-1 matching of properties with the claim JSON sent by GitHub. The current approach is to create an additional identity mapping within the same OIDC integration provider. This setup works as a cascading array: the mappings are checked in order until one matches the claim JSON.
Dear JFrog folks, this video, just like the rest of your documentation, is horrible. Do you want to improve developer productivity? Well, stop wasting people's time searching for trivial things on your documentation website; it looks and behaves like it's a first coding project in high school, made with Dreamweaver. Surely you can do better, right?
@realspacemusicvideos Yes, here are some of my personal experiences. One has to scroll between links that lead to other links, that lead to more links, for some basic info. The Artifactory product documentation page has no reference to the installation, which is apparently located on a different page. The Debian/Ubuntu installer is missing some dependencies that must be installed separately. Some features are explained by a single line or so. There is no documentation available for download. Honestly, I used ChatGPT to pull the stuff I needed from the website, which kinda beats the purpose.
Hi @Feelyourbodyalways, great question. We provide a straightforward example to keep things simple, with a basic verification process. However, as you can see at timestamp 2:28 in the video, we show an example of the matching object sent by GitHub. Once GitHub sends this object, we match it against the identity mappings. If they are equal, then you are good to go. Otherwise, the claim JSON verification will fail, and the token won't be sent back. Please let us know if you have further questions.
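To make the matching described in the two replies above concrete, here is an added illustrative model (not JFrog's code, and not the Access implementation) of how an ordered list of identity mappings is checked against the claims JSON of a GitHub Actions OIDC token. The assumptions, which the replies do not spell out, are: only the properties listed in a mapping are compared, each one must be literally equal to the token claim (so a glob such as `refs/heads/*` does not match anything), and the first matching mapping in the array wins; if none matches, no token is issued. The claim names follow GitHub's documented token format, but every value and mapping below is constructed sample data.

```python
import json

# Constructed sample of the claims JSON carried by a GitHub Actions OIDC token.
# Claim names are the ones GitHub documents; the values are made up.
GITHUB_CLAIMS = json.loads("""
{
  "iss": "https://token.actions.githubusercontent.com",
  "sub": "repo:example-org/example-repo:ref:refs/heads/main",
  "repository": "example-org/example-repo",
  "repository_owner": "example-org",
  "ref": "refs/heads/main",
  "workflow": "release",
  "actor": "octocat"
}
""")

# Hypothetical identity mappings, kept as an ordered list (the "cascading array").
# Each entry lists the claims that must match exactly and the scope to grant.
IDENTITY_MAPPINGS = [
    {
        "name": "release-main",
        "claims": {"repository": "example-org/example-repo", "ref": "refs/heads/main"},
        "scope": "applied-permissions/groups:release",
    },
    {
        "name": "dev-branch",
        "claims": {"repository": "example-org/example-repo", "ref": "refs/heads/dev"},
        "scope": "applied-permissions/groups:dev",
    },
    {
        # A glob in a mapping is compared as a literal string, so this entry
        # never matches a real ref value (assumption: no wildcard support).
        "name": "any-branch-glob",
        "claims": {"repository": "example-org/example-repo", "ref": "refs/heads/*"},
        "scope": "applied-permissions/groups:readers",
    },
]


def mapping_matches(mapping_claims, token_claims):
    """1-to-1 match: every property in the mapping must be present in the token
    and equal to it. Extra claims in the token are ignored; nothing is a wildcard."""
    return all(
        key in token_claims and token_claims[key] == value
        for key, value in mapping_claims.items()
    )


def resolve_mapping(mappings, token_claims):
    """Walk the mappings in order and return the first one that matches, or None
    (None corresponds to "claim JSON verification fails, no token is sent back")."""
    for mapping in mappings:
        if mapping_matches(mapping["claims"], token_claims):
            return mapping
    return None


def scope_for(token_claims, mappings=IDENTITY_MAPPINGS):
    """Scope to put in the issued access token, or None if verification fails."""
    mapping = resolve_mapping(mappings, token_claims)
    return None if mapping is None else mapping["scope"]


def with_ref(ref):
    """Helper for trying other branches: same constructed token, different ref."""
    claims = dict(GITHUB_CLAIMS)
    claims["ref"] = ref
    claims["sub"] = f"repo:{claims['repository']}:ref:{ref}"
    return claims


if __name__ == "__main__":
    for ref in ("refs/heads/main", "refs/heads/dev", "refs/heads/feature-x"):
        print(ref, "->", scope_for(with_ref(ref)))
```

Because a feature branch returns `None` rather than falling through to the glob entry, the only way to admit it under this model is to add one more mapping to the same provider with that branch's exact `ref` value, which is the workaround the first reply describes.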
Timestamp 5:50: Can the scan be filtered based on artifact? In the include subpath, can you include only the artifact that you want the report for? If so, how would you do that?
Here's a list of the points mentioned in the transcript: 1. Being an early adopter and providing feedback on new features. 2. Utilizing Artifactory as a central place for dependency management and repository use. 3. Implementing code review processes to identify and address security vulnerabilities. 4. Automating static code analysis in the CI/CD pipeline. 5. Integrating security checks into the CI pipeline. 6. Automating security testing, potentially through nightly builds. 7. Utilizing software composition analysis (SCA) with tools like Xray. 8. Prioritizing vulnerabilities for handling. 9. Ensuring container security by scanning container images for vulnerabilities. 10. Signing and verifying packages and pipelines. 11. Implementing access control and least-privilege principles, especially in repositories. 12. Simulating purple team activities and red team challenges to the supply chain. 13. Monitoring threats, including simulating attacks. 14. Having an incident response plan in place for supply chain attacks. 15. Practicing incident response for supply chain attacks. 16. Creating an outline of steps to take in case of a security breach within the software supply chain.
Not a useful video. A JFrog CLI basic demo is missing; it would be good to show some commands to publish or consume, preferably from a GitHub Action. No example of a custom user plugin is provided. It says "cleanup plugin", but what exactly does it clean? No enterprise use case is provided for when I should write one. An example states "perform searches", but what does it even mean to perform searches with a custom user plugin? It also does not give an example of how to make one, upload one, and demo it. It would be good to re-record, as I really did not receive much info after spending 18:56 minutes (except that I looked up the file-spec documentation, which went to a site that says the documentation moved, so that was not fruitful).
Hi! Are you looking for IDE integrations to build user plugins for code completion (you wrote "complein" above) or IDE integrations that support code completion for developing user plugins?
@JFrogInc Damn autocompletion. I mean code completion, especially in VS Code. Furthermore, suitable documentation, probably. The documentation on the website is really poor.
It's none of the above. Curation would be used to prevent SCA violations. So rather than running an SCA scan and finding a bunch of vulnerabilities, curation would prevent developers from pulling the vulnerable packages in to begin with. That assumes you set the policies up properly. It wouldn't catch everything, but it would keep known malicious packages out.
When I run the install script, I receive "Jq is mandatory to download latest version of jfrog xray native package". Can you explain how to resolve this?
Does not make up for the lack of adequate documentation. Similarly, highlighting commands does not explain the "why" or the context around them. Not to mention the inexplicable use of curl to shore up the glaring missing Helm upload support.