6 Essential Features for Your Next Artifact Manager

Picking a new artifact management platform is exciting! The promise of a better work life and smoother software production is within reach. But given artifact management’s position at the center of your CI/CD process, we also know there’s a lot at stake if you choose the wrong solution. 

To make your shortlisting and selection more successful, I’m here to arm you with info about the features and services that define truly modern artifact management tools. These are game-changers for streamlining your development pipeline and elevating your DevOps team's efficiency. I’ll also describe what good looks like, so that you’re better equipped to compare and evaluate your options.

Universal Format Support

Mature organizations commonly use multiple programming languages in their software. This is great for developers, who get to code in the formats they know inside-out, but it can be a nightmare for your operations teams that have to manage that plethora of tooling. Creating, maintaining, and updating access, security, integrations, etc, across multiple management environments is repetitive, time-consuming, and error-prone. Workflow complexity becomes dizzying, as every package format’s native tooling has different limitations that necessitate unique configuration. Finally, the more touch points there are in a system, the more likely it is that something can go wrong.

A tool that can store, manage, and secure ALL of your organization’s package formats, together, allows your DevOps team to focus on delivering high-quality software without the hindrance of format-specific package management. By centralizing your assets in a single platform, you can:

• streamline monitoring, ops, and workflows;
• introduce consistent dependency management;
• increase knowledge sharing and cross-team collaboration;
• enable teams to adopt a consistent set of commands and practices, which leads to faster development cycles;
• simplify toolchain integration; and
• effortlessly enforce identical security practices with all asset types.

What to look for

A quality solution that claims universal format support will:

• cover of all of the major programming languages (expect 20 languages at minimum);
• support container registries;
• store and manage raw files; 
• be compatible with native tooling;
• accommodate operating system packages like Windows and Linux; and
• offer multi-format repos, which give you ultimate flexibility to organize your storage however makes most sense to you. For example, you might group by languages to simulate the workflows in familiar public repos, or you might instead group packages by team, by project, by environment, or by status (eg, scanned and approved vs unauthorized).

A Dependency Firewall

The importance of dependency management is well established in DevOps. Reliance on external libraries, frameworks, and packages to cut development time and effort is standard practice in our industry, but what we gain in efficiency we lose in security and stability. External dependencies suddenly become unavailable; are vulnerable to malware (especially public OSS packages); and their code is constantly evolving, which can jeopardize our software’s functionality and performance. We use tools like npm, Maven, and Java to manage dependencies—tracking and retrieving the correct versions for our builds—but version control is only the tip of the iceberg when it comes to protecting this portion of our software supply chains. 

To increase the safety of the external components entering your pipelines, choose an artifact management platform with dependency firewall functionality. The power to apply forensic checks and controls to all of your dependencies will:

• increase your peace of mind; and
• substantially reduce risk.

What to look for

When comparing package management tools, I recommend you look for:

• upstream package proxying and caching as a moat to protect your infrastructure from dangerous packages and external outages; 
• automated security scanning—upon initial upload and every promotion—including:
  • container and package vulnerability scanning; and
  • malware scanning;
• severity scoring;
• support for policy enforcement. In other words, make sure that you can customize how to handle security threats according to your policies—for example you might want to block all high-severity dependencies from download or create rules that quarantine medium-severity threats for examination but ignore low-severity threats; and
• an API that inspects digital signatures and checksums, so you can detect unauthorized changes to dependencies and verify that teams can only use the desired version.

License Policy Enforcement

When you build with commercial and open-source third-party assets, most come with a EULA—a legal agreement defining how you’re allowed to use, modify, and distribute that software. Early awareness of and consistent adherence to every asset’s T&Cs is critical. Otherwise, your organization exposes itself to uncertainties over IP ownership and distribution rights (in the best case) and to the possibilities of lawsuits, fines, injunctions, and a commercially unusable product (in the worst cases). Take a copyleft license like the GNU General Public License, for example. If an OSS package with this license makes its way into your software, suddenly your IP is no longer your exclusive IP. Others technically have the right to freely modify and distribute your work. Yet manually monitoring and managing a high volume of software licenses is impractical.

Top-quality artifact managers include the feature sets you need to replicate your company’s licensing policies in your package management workflows. This helps protect you by:

• making it easy and efficient to enforce your license policies across all teams;
• preventing the legal, financial, and reputational risks associated with breach of contract; and
• reducing the rework and delays that result from late discovery.

What to look for

To choose a solution that takes license compliance seriously, keep your eyes peeled for:

• automatic license detection;
• features that let you specify which precise licenses are permitted to enter your pipeline and which are not;
• controls to define policy rules and automate actions on how to handle packages with missing licenses, unknown licenses, and recognized licenses that don’t meet your policy requirements (eg, flag, quarantine for review, deny);
• a robust schedule of policy compliance checks—for example, automatic checks whenever a package is uploaded, moved, copied or cached; and
• at-a-glance reporting and a dashboard of license metrics, so you can:
  • monitor and audit the compliance status of your pipeline; and 
  • quickly sort and ID all packages that use a license that no longer fits new policy updates.

Cloud Native

Your company’s software teams and developers are probably distributed across dozens—or even hundreds—of locations. What’s more, the rise of cloud-native CI/CD means that many of the processes that your packages feed into (and emerge from) live in the cloud. So when you have people and processes that are fully remote, yet your packages are on-premises or merely cloud based, availability, performance, and productivity suffer. Engineers struggle to collaborate and access packages at the rate they need. Everyone gets hampered by downtime delays and slower build processes. And costs spiral for DevOps because you have to spend so much money and effort standing up instances around the globe; dealing with VPNs, clustering, and CDNs; and maintaining and scaling your package manager.

Cloud-native solutions like Cloudsmith, on the other hand, alleviate these pains, dramatically simplifying and optimizing the way teams work. They’re turnkey. They’re built from the ground up to capitalize on today’s cloud capabilities and the marvels yet to come. And while the benefits of cloud-native package management solutions are vast, a few notable perks include:

• higher reliability—they’re built for availability and reliability on a global scale, ensuring that the smallest customers benefit from the same infrastructure investments that are supporting the largest customers;
• faster software delivery and distribution; 
• improved efficiency and productivity;
• greater competitive advantage—because teams now have the bandwidth to rapidly react to changes in the market and the reliability and performance they need to release more quickly;
• instant platform enhancements—cloud-native platforms release new and improved features that are immediately available to users without the need for an upgrade project;
• a consistent user experience everywhere in the world; and
• cost savings, thanks to a lower total cost of ownership.

What to look for

Don’t confuse a cloud-based platform for a cloud-native platform. This might be the biggest gotcha in choosing a new artifact management solution. The terms ‘cloud hosted’ and ‘cloud based’ have emerged as a smokescreen to disguise on-premises enterprise platforms that have simply been hosted on the cloud, as separate single-tenant instances. This means scaling up for heavy loads, and delivering globally as a CDN, will be more challenging and put more onus on the customer. (Check out Cloud-Native vs Cloud-Based: What’s the Difference? and Cloud-Hosted or Cloud-Native? for more on how the two models differ).

The simplest way to tell whether a platform is cloud native or cloud based is to ask vendors outright. But if they’re evasive, know that a cloud-native solution has:

• built-in high availability, so you don’t need to specify up front what geographies you might need to support or how much load you think you might need to scale for;
• automatic scaling without intervention by DevOps—ideally with elastic load balancing and node layers that instantly increase capacity as service demand rises;
• low latency
• fully distributed workloads;
• multiple data centers, regions, and availability zones—with redundancy built in at each service layer and platform layer.

Fully Managed

Self-managed package management solutions divert valuable time and resources away from core development and deployment activities. They require your DevOps team to handle tasks such as server provisioning, configuration, updates, and scaling on its own. These substantial overheads make it hard to maintain a stable and secure infrastructure because day-to-day upkeep quickly becomes your full-time occupation, leaving little resource left to keep pace with evolving security threats or adopt new features and improvements.

A fully managed artifact management solution, on the other hand, offers numerous benefits, including:

• more time for your team to focus on strategic initiatives;
• lower total cost of ownership;
• increased team productivity;
• reduced downtime; and
• up-to-date security patches and performance optimizations.

What to look for

When evaluating package management platforms, check for these specific features and functionality to see if a tool is truly fully managed:

• automated scaling—a fully managed platform should dynamically scale resources based on demand to ensure optimal performance during peak usage periods;
• availability metrics—compare vendors’ historic metrics for uptime, performance, and incidents to determine which is delivering the most reliable, hassle-free experience and whether the platform is being fully managed well;
• integration with popular CI/CD tools so that it will seamlessly incorporate into your development pipeline.
• built-in monitoring and analytics tools for insights into your usage patterns and potential issues.

I hope this list helps you flesh out your selection matrix, equips you for conversations with vendors, empowers you to make smart decisions, and sets your team on a path to success. Good luck, happy shopping, and if you’d like to add Cloudsmith to your mix of artifact management solutions to explore, start a fully-featured Cloudsmith free trial or get in touch and we’ll happily answer all of your questions!