
How Capital One Built a Single Trusted Artifact Repository with JFrog Artifactory

This article explains Capital One’s data‑driven approach to creating a single trusted source for all internal software artifacts using JFrog Artifactory, detailing the motivations, implementation steps, release workflow, and the operational benefits achieved.


Background

Capital One, founded in 1988 and now a major U.S. retail bank, has long pursued a data‑driven strategy, positioning itself as a pioneer in big‑data finance. At the JFrog SwampUp 2020 conference, senior R&D manager Wayne Chatelain shared how the company built a single trusted source for software artifacts.

What Is a Single Trusted Source

A single trusted source is an internal repository that stores every approved software package—such as WAR, JAR, Docker images, ZIP files, and vetted third‑party components—in one place.

Why Build It?

Many banks still deliver packages over FTP, which leaves artifacts without metadata, with unclear version control, and with no automated security scanning; this raises communication overhead and the risk of shipping vulnerable or non‑compliant dependencies. Without a single trusted source, distributed teams also waste time on configuration changes, version propagation, and deployments.

How to Build It

1. Define Goals

Create a single trusted repository.

Ensure all products use artifacts from this repository.

Establish approval rules and entry thresholds.

Automate enforcement within CI/CD pipelines.

Maintain the repository’s operability.

2. Create the Repository

Set up a dedicated Artifactory repository to serve as the unique storage location for all approved artifacts.

3. Repository Model

Aggregate local and remote repositories using a virtual repository.

Organize repositories by package type and team.

Implement a promotion policy that separates production and non‑production packages across environments.

Isolate third‑party components before promoting them to the trusted repository.

Overall Release Process

Developers trigger builds via CI pipelines.

Pipelines run scans, automated tests, and record metadata as artifact attributes.

Artifacts are distributed through JFrog Distribution to Artifactory Edge nodes for pre‑production validation.

After approval, artifacts are promoted to the production repository for automated deployment.

Artifact Promotion Process

Open‑source component vulnerability scan (JFrog Xray).

License compliance scan (JFrog Xray).

Static code analysis.

Dynamic application security testing.

Blacklist checks.

Metadata verification (development, QA, and lead approvals).

Artifact signature verification.

Enterprise reporting validation.

Ownership verification.

Compliance exception validation.

Metadata verification acts as a quality gate, ensuring only vetted artifacts progress.
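The metadata quality gate, as an added example that is not Capital One's or JFrog's code: it evaluates the promotion checks listed above (scan results, blacklist, dev/QA/lead approvals, signature, ownership and compliance exception) over Artifactory-style artifact properties and reports every failing check. The property names, the blacklist entry and the HMAC signing key are hypothetical stand-ins; the artifact bytes and property set are constructed.

```python
"""Promotion quality gate over Artifactory-style artifact properties.

Added example, not Capital One's or JFrog's code. It assumes the pipeline
already recorded scan results and approvals as artifact properties (the
property names below are hypothetical) and that releases sign each artifact
with an HMAC key that the gate can verify.
"""
import hashlib
import hmac

# Hypothetical property names; the real schema is not described on the page.
REQUIRED_APPROVALS = ("approval.dev", "approval.qa", "approval.lead")
REQUIRED_SCANS = ("xray.vulnerabilities", "xray.license", "sast", "dast")
BLACKLIST = {"org.example:legacy-crypto:0.9"}   # constructed blacklist entry
SIGNING_KEY = b"constructed-demo-key"           # stand-in for the release key


def sign_artifact(content: bytes) -> str:
    """Hypothetical signing step: HMAC-SHA256 over the artifact bytes."""
    return hmac.new(SIGNING_KEY, content, hashlib.sha256).hexdigest()


def evaluate_promotion(props: dict, content: bytes) -> tuple[bool, list[str]]:
    """Return (promote, reasons); every failed check is reported, not just the first."""
    reasons = []
    for scan in REQUIRED_SCANS:                       # Xray, SAST, DAST results
        if props.get(scan) != "pass":
            reasons.append(f"{scan} not passing ({props.get(scan, 'missing')})")
    if props.get("coordinates") in BLACKLIST:         # blacklist check
        reasons.append(f"{props['coordinates']} is blacklisted")
    for approval in REQUIRED_APPROVALS:               # dev, QA and lead sign-off
        if not props.get(approval):
            reasons.append(f"{approval} missing")
    # Signature check: recompute over the stored bytes, compare in constant time.
    if not hmac.compare_digest(sign_artifact(content), props.get("signature", "")):
        reasons.append("signature does not match artifact content")
    if not props.get("owner"):                        # ownership verification
        reasons.append("no owning team recorded")
    if props.get("compliance.exception") and not props.get("compliance.exception.approved_by"):
        reasons.append("compliance exception lacks an approver")   # exception validation
    return (not reasons, reasons)


ARTIFACT = b"constructed artifact bytes"  # stands in for a WAR, JAR or image manifest
APPROVED = {                              # constructed property set that passes every gate
    "coordinates": "com.example:payments-api:1.4.2", "owner": "payments-platform",
    "xray.vulnerabilities": "pass", "xray.license": "pass", "sast": "pass", "dast": "pass",
    "approval.dev": "alice", "approval.qa": "bob", "approval.lead": "carol",
    "signature": sign_artifact(ARTIFACT),
}
```

Because the gate collects all failures instead of stopping at the first, the reasons list can be written back as a property on the artifact, which is what makes the approval trail metadata-driven.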

Artifact Distribution Process

The pipeline triggers distribution once the artifact has been built and uploaded to Artifactory, invoking the approval APIs.

Asynchronous status polling pauses the pipeline until all approvals are granted and signatures are confirmed.

Edge nodes pull only approved artifacts, preventing unapproved packages from reaching production.
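The pause-until-approved step, as an added example that is not Capital One's or JFrog's code: a fail-closed poll loop over a hypothetical approval API that triggers distribution to the Edge nodes only when every approval and the signature confirmation are green, and stops on a rejection or when its polling budget runs out. The approval service, its status fields and the distribute callback are assumptions; the snapshot history is constructed.

```python
"""Pipeline wait step for the distribution approvals described above.
Added example, not Capital One's or JFrog's code; the approval service, its
status fields and the edge-node trigger are hypothetical stand-ins. The
pipeline fails closed: distribute only when all approvers approved and the
signature is confirmed, stop on rejection or when the polling budget is spent.
"""
from itertools import count

class ApprovalRejected(Exception):
    """An approver rejected the release; distribution must not proceed."""

class ApprovalTimeout(Exception):
    """Approvals did not complete within the polling budget."""

def wait_for_approvals(fetch_status, distribute, *, max_polls=10, sleep=lambda s: None):
    """Poll fetch_status() until every gate is green, then call distribute() once.
    A snapshot looks like {"approvals": {"dev": "approved", "qa": "pending"},
    "signature_verified": False}. Returns the number of polls taken.
    """
    for attempt in count(1):
        status = fetch_status()
        states = status.get("approvals", {})
        if "rejected" in states.values():
            raise ApprovalRejected(f"rejected: {status}")
        # An empty approval map is not "all approved": unknown state stays blocked.
        all_green = bool(states) and all(s == "approved" for s in states.values())
        if all_green and status.get("signature_verified") is True:
            distribute()    # edge nodes only ever see approved artifacts
            return attempt
        if attempt >= max_polls:
            raise ApprovalTimeout(f"still pending after {attempt} polls: {status}")
        sleep(30)           # real pipelines wait here; injected so tests run instantly

def scripted_service(snapshots):
    """Constructed stand-in for the approval API: replays snapshots, then repeats the last."""
    remaining, last = list(snapshots), {}
    def fetch():
        nonlocal last
        if remaining:
            last = remaining.pop(0)
        return last
    return fetch

# Constructed approval history: the signature is confirmed before the lead signs off.
SNAPSHOTS = [
    {"approvals": {"dev": "approved", "qa": "pending", "lead": "pending"}, "signature_verified": False},
    {"approvals": {"dev": "approved", "qa": "approved", "lead": "pending"}, "signature_verified": True},
    {"approvals": {"dev": "approved", "qa": "approved", "lead": "approved"}, "signature_verified": True},
]
```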

Final Result

Through promotion, distribution, and approval workflows, the Artifactory Edge node stores the enterprise’s single trusted source.

Both open‑source and internally built components enter the repository via approval mechanisms.

Automated API calls handle review and approval.

Automated distribution to Edge nodes enables multi‑datacenter deployment.

Integration with CI/CD pipelines ensures seamless release.

Unapproved packages cannot be pushed to Edge nodes, preventing erroneous deployments.

Workflow

Store all artifacts in a unique Artifactory repository.

Trigger release actions.

Validate artifact metadata.

Distribute artifacts.

Publish artifacts to the single trusted source.

When an old version is removed from the primary node, it is automatically synchronized and deleted from Edge nodes.

Benefits

All business teams share a single trusted dependency and binary library.

All teams have a single trusted release version repository.

Approval process data is captured as metadata bound to release versions.

Deployment tools use a single trusted source, enabling metadata‑driven automated deployments.

References:

https://baijiahao.baidu.com/s?id=1670085533834899304&wfr=spider&for=pc

https://www.youtube.com/watch?v=me3kwaQI4Gk&feature=emb_logo
Written by

Efficient Ops

This public account is maintained by Xiaotianguo and friends, regularly publishing widely-read original technical articles. We focus on operations transformation and accompany you throughout your operations career, growing together happily.
