Skip to main content

Overview

The JFrog Package Registry integration allows Backline to access packages from your JFrog Artifactory instance. This is required for Backline to build and analyze projects that depend on private packages hosted in JFrog.

What You Can Do

With the JFrog Package Registry integration, Backline can:
  • Resolve NPM packages from your JFrog Artifactory
  • Resolve Python packages from your JFrog Artifactory
  • Resolve Go modules from your JFrog Artifactory
  • Build and analyze projects that depend on packages in your JFrog registry
  • Provide remediation for vulnerabilities in projects using JFrog as their package source

Supported Package Types

Package TypeJFrog Repository FormatExample URL
NPMnpm (local/remote/virtual)https://company.jfrog.io/artifactory/api/npm/npm-virtual/
PyPIpypi (local/remote/virtual)https://company.jfrog.io/artifactory/api/pypi/pypi-virtual/simple
Gogo (local/remote/virtual)https://company.jfrog.io/artifactory/api/go/go-virtual/

Prerequisites

Before connecting JFrog Package Registry, ensure you have:
  • A JFrog Artifactory instance (Cloud or self-hosted)
  • An Identity Token or Access Token with read permissions
  • Repository URLs for the package types you want to use

Generating a JFrog Token

1

Access JFrog Platform

Log in to your JFrog Platform (e.g., https://your-company.jfrog.io).
2

Navigate to Identity Tokens

Click your username in the top-right corner, then select Edit ProfileIdentity Tokens.
3

Generate Token

Click Generate Token, provide a description (e.g., “Backline Integration”), and click Create.
4

Copy Token

Copy the generated token immediately—it won’t be shown again.
Store the token securely. You’ll need it when configuring the integration in Backline.
Use a token with read-only permissions. Backline only needs to read packages, not publish them.

Finding Your Repository URLs

To find the correct URL for each repository type in JFrog:
1

Navigate to Artifactory

In JFrog Platform, go to ArtifactoryArtifacts.
2

Select Your Repository

Click on the repository you want to use (e.g., npm-virtual, pypi-virtual).
3

Get Repository URL

Click Set Me Up in the top-right corner. The dialog will show the repository URL.For PyPI repositories, ensure the URL ends with /simple.

Repository Type Recommendations

Repository TypeRecommendation
VirtualPreferred—aggregates multiple repositories (remote + local)
RemoteGood for caching packages from public registries
LocalFor your own private packages only
Use virtual repositories when possible. They combine remote and local repositories, giving Backline access to both public packages (cached) and your private packages through a single URL.

Connecting JFrog Package Registry

1

Go to Integration Hub

In Backline, navigate to Integrations from the main menu.
2

Select JFrog Package Registry

Find and click on the JFrog Package Registry integration card.
3

Enter Access Token

Provide your JFrog Identity Token or Access Token.
4

Configure Repository URLs

Enter the URLs for the package types you want to use:
  • NPM Repository URL: Your JFrog npm repository URL
    • Example: https://company.jfrog.io/artifactory/api/npm/npm-virtual/
  • PyPI Repository URL: Your JFrog PyPI repository URL (must end with /simple)
    • Example: https://company.jfrog.io/artifactory/api/pypi/pypi-virtual/simple
  • Go Repository URL: Your JFrog Go repository URL
    • Example: https://company.jfrog.io/artifactory/api/go/go-virtual/
You only need to configure URLs for the package types your repositories use. At least one URL is required.
5

Test and Save

Click Connect. Backline will verify the token and repository access.

After Connection

Once JFrog Package Registry is configured, Backline will:
  1. Use the provided token to authenticate with your JFrog instance
  2. Access packages from your JFrog repositories during dependency analysis
  3. Provide remediation for projects that depend on packages in your JFrog registry

Managing the Integration

Updating Configuration

To update the integration settings:
  1. Open the Integration Hub
  2. Click on the JFrog Package Registry integration
  3. Update the token or repository URLs as needed
  4. Click Save

Adding Package Types

To add support for additional package types:
  1. Open the JFrog Package Registry integration settings
  2. Add the repository URL for the new package type
  3. Save the changes

Troubleshooting

Authentication Failed

If Backline cannot authenticate with JFrog:
  • Verify the token hasn’t expired
  • Check that the token has read permissions for the configured repositories
  • Ensure you’re using an Identity Token or Access Token (not a password)

Repository Not Accessible

If Backline cannot reach the repository:
  • Verify the repository URL is correct and includes the /api/ path segment
  • Check network connectivity between Backline and your JFrog instance
  • For self-hosted instances, ensure Backline’s IPs can reach your JFrog server

Package Resolution Issues

If specific packages cannot be resolved:
  • Verify the package exists in your JFrog repository
  • Check that the repository type matches the package manager (e.g., npm format for NPM packages)
  • For virtual repositories, ensure the component repositories are correctly configured

PyPI URL Format

PyPI repository URLs must end with /simple for pip compatibility:
  • Correct: https://company.jfrog.io/artifactory/api/pypi/pypi-virtual/simple
  • Incorrect: https://company.jfrog.io/artifactory/api/pypi/pypi-virtual/