If you have not already signed up for a free tier Cloud JFrog account, do so here: https://jfrog.co/FreeDevOpsLJC
Clone the DevRel Github repository
git clone https://github.com/jfrog/DevRel.git - OR - git clone git@github.com:jfrog/DevRel.git
Navigate to the 'complete' directory:
cd DevRel/Workshops/DevOps_For_Java_Developers/gs-spring-boot-docker/complete
Create repositories
One LOCAL repository of type MAVEN:
ws-mvn-local
One REMOTE repository of type MAVEN:
ws-mvn-remote (url: https://repo1.maven.org/maven2/)
One VIRTUAL repository of type MAVEN:
ws-mvn-virtual (add both local and remote repositories and set default deployment repo to ws-mvn-local)
Download and configure the JFrog CLI: https://jfrog.com/getcli/
jf config add
Example settings:
Choose a server ID: myartifactory (This is a nickname for you to remember. It can be anything you want.)
JFrog platform URL: https://SERVERNAME.jfrog.io
(Save and continue)
JFrog access token (Leave blank for username and password/API key): (blank)
JFrog username: USERNAME (This is either the username you use to login to your JFrog Platform instance or any other username you set up)
Password/API key: (Your password)
Is the Artifactory reverse proxy configured to accept a client certificate? (y/n)? n
Configure Maven project to resolve artifacts through Artifactory NOTE: Make sure that you are in the "complete" directory where the .pom file is before running this command
jf mvnc
(Set all resolution and deployment repositories to ws-mvn-virtual)
Example settings:
Resolve dependencies from Artifactory? (y/n)? y Set Artifactory server ID: myartifactory (This is the same 'Artifactory server ID' that you set when running `jf config add`) Set resolution repository for release dependencies (press Tab for options): ws-mvn-virtual Set resolution repository for snapshot dependencies (press Tab for options): ws-mvn-virtual Deploy project artifacts to Artifactory? (y/n)? y Set Artifactory server ID: myartifactory (Same setting as above - this is the same 'Artifactory server ID' that you set when running `jf config add`) Set repository for release artifacts deployment (press Tab for options): ws-mvn-virtual Set repository for snapshot artifacts deployment (press Tab for options): ws-mvn-virtual Would you like to filter out some of the deployed artifacts? (y/n)? n
This configuration will create the following file: .jfrog/projects/maven.yaml
Since you have built this project already with maven in Step 3, all of the project dependencies will be cached in your local maven repository on your machine (they will not be redownloaded). The easiest thing to do is to either remove or backup your local maven repository using one of the following commands:
rm -rf ~/.m2/repository
OR
mv ~/.m2/repository ~/.m2/repository_BAK
With a clean repository, you can now use the JFrog CLI to resolve all of your project dependencies using the following command:
jf mvn package
Create Docker Repositories
Three Docker Repositories (one LOCAL, one REMOTE, one VIRTUAL)
ws-docker-local ws-docker-remote ws-docker-virtual (add both local and remote Docker repositories and set default deployment repo to ws-docker-local)
Containerize!
Change FROM directive in the Dockerfile.
FROM openjdk:8-jdk-alpine
becomes
FROM SERVER_NAME.jfrog.io/VIRTUAL_REPO_NAME/openjdk:8-jdk-alpine
For example:
FROM mjdevops.jfrog.io/ws-docker-virtual/openjdk:8-jdk-alpine
Build and Tag
docker login SERVERNAME.jfrog.io
From the same directory as your Dockerfile, build and tag the image:
mkdir -p target/dependency && (cd target/dependency; jar -xf ../*.jar)
docker build --tag SERVERNAME.jfrog.io/ws-docker-virtual/workshop:latest .
Pssst! Don’t forget that trailing "." in the Docker build command!
Ensure your artifacts from PART 1 show up in your JFrog Platform instance
Login to your JFrog Platform instance in your browser. You should see artifacts in cache for both your Docker and Maven remote repository caches
ws-docker-remote-cache ws-mvn-remote-cache
Index your repositories
In your JFrog Platform instance, navigate to the Administration module.
Expand the "Xray" menu, click on "Settings", and then choose "Indexed Resources".
The following repositories should be included. Click "Add a Repository" to include any that are missing.
ws-docker-local ws-docker-remote ws-mvn-local ws-mvn-remote
It may take awhile to index all of the artifacts. The index column will indicate the status.
Define a Security Policy
Navigate to the Administration module in your JFrog Platform instance, expand the "Xray" menu and select "Watches & Policies".
Create a new policy called ws-security, of type Security.
Add a Rule called ws-rule and select "High" in the Minimal Severity dropdown.
Define a Watch
Navigate to the Administration module in your JFrog Platform instance, expand the "Xray" menu and select "Watches & Policies".
Create a new watch called ws-watch, with your repositories for your workshop project and your "ws-security" policy assigned to it by clicking "Manage Policies".
Run a Scan
Hover over your Watch and click the "Apply on Existing Content" icon to manually trigger it. (This may take some time to complete)
Setup your XRay integration with the JFrog plugin
Install and configure the plugin with your Xray url and your login credentials.
Example URL setting: https://SERVERNAME.jfrog.io/xray