What is JFrog?

JFrog provides tools for software development and DevOps. It is best known for its flagship product, Artifactory, which is a repository manager that supports software packages created by any language or technology. Artifactory allows developers to manage binary artifacts, integrate with continuous integration (CI) and continuous delivery (CD) systems, and supports software deployment in a scalable and efficient manner.

Why Connect JFrog to Qwak?

Integrating JFrog with Qwak benefits organizations by enabling the use of Qwak's comprehensive management features for models, metadata, and lifecycle, alongside centralizing model management in Artifactory. This consolidation allows organizations to oversee all software components and dependencies through the JFrog platform, ensuring a unified source of truth. It facilitates control and monitoring of both internal and external resources and software dependencies within the organization.

  • Seamless Persistence: ML models developed and recorded in Qwak, including datasets, serving images, and related artifacts, are automatically stored in JFrog's Artifactory. This ensures that all model components are securely managed and easily accessible.
  • Dependency Management: The resolution of model dependencies is efficiently handled through JFrog's Artifactory. This process allows for the specification of certain remote repositories to be used, optimizing the management of dependencies by leveraging Artifactory's unique capabilities.
  • Enhanced Security: HuggingFace models utilized within Qwak models are automatically scanned and analyzed by JFrog Xray. This step significantly boosts security by ensuring thorough analysis and risk assessment of the models used in production.

Connecting JFrog


Admin Credentials Required

An Admin token is required for establishing a connection between Qwak and JFrog.

To integrate JFrog with Qwak, you'll need:

  1. JFrog Base URL: This is the web address of your JFrog instance, such as https://qwak.jfrog.io/
  2. Access Token: An access token with Administrator rights is required. Qwak utilizes this token initially to set up a group administrator for a Qwak-generated project and subsequently used this dedicated token for operations.

Dependency Resolution

You have several options to tailor how build dependencies are resolved:

  • Python Repositories: Choose specific Python repositories from your JFrog account to resolve dependencies. These selected repositories will be incorporated into a virtual repository created by Qwak, named "qwak-python-dependencies-virtual." This is the only repository Qwak uses for Python dependency resolution. Additionally, selecting the "allow external Python dependencies" option will include "pypi.org" in the virtual repository, allowing for the resolution of dependencies from outside JFrog.
  • HuggingFace Repositories: Opt to use an existing HuggingFace repository or let Qwak create one on your behalf. This ensures HuggingFace model dependencies are resolved through the Artifactory proxy instead of directly from HuggingFace, enhancing control and security.

Created Resources

The JFrog account will include the creation of several components:

  • qwak project: This is a new project initiated and managed by Qwak. All resources related to Qwak will be organized under this project
  • Group Admin: A group Role will be established with admin privileges on the project.
  • qwak-python-dependecies Virtual repository: This repository serves as the centralized location for resolving Python dependencies.
  • qwak-huggingface-proxy-remote: If 'create HuggingFace proxy' selected - a hugging face remote repository will be created in the Qwak project - used as cache for all used HuggingFace ML models.

Overview of Repository Structure in JFrog Artifactory for Qwak Builds

The layout of a Qwak build within JFrog Artifactory is organized as follows:

ā”œā”€ā”€ huggingface-remote (single remote repo to HuggingFace. Not necessarily generated by Qwak)
ā”œā”€ā”€ pypi-remote/pypi-private-repos (Not necessarily generated by Qwak)
ā”œā”€ā”€ qwak-python-dependencies-virtual (Qwak generated virtual repository)
ā”œā”€ā”€ ā€¦
ā”œā”€ā”€ qwak-<Qwak-Project>-artifact-local
ā”œā”€ā”€ qwak-<Qwak-Project>-dataset-local
ā”œā”€ā”€ qwak-<Qwak-Project>-docker-local
    ā”œā”€ā”€ <Qwak-Model>
        ā”œā”€ā”€ <Qwak-Build-ID> (Docker artifact)
            ā”œā”€ā”€ manifest.json
            ā”œā”€ā”€ ...

For each project, three specific repositories are generated:

  • qwak-<Qwak-Project>-artifact-local: a generic repository, hosting the artifacts produced by the build.
  • qwak-<Qwak-Project>-dataset-local: a generic repository, containing the dataset artifacts logged by the user during the build process using qwak.log_data.
  • qwak-<Qwak-Project>-docker-local: A Docker repository that stores the serving images, which are the final output of the build process. These images are used for deployments.

Each model and build is contained within its distinct folder under the respective repository.

Scanning for Vulnerabilities in HuggingFace Models

During the build process, Qwak retrieves HuggingFace models through Artifactory. Each model cached in the remote repository is scanned by JFrog Xray, which not only checks for vulnerabilities but also examines the licensing of the models. This comprehensive scan ensures that every model meets high security standards. Moreover, any policies and watches configured in JFrog are respected by the integration, ensuring consistent policy enforcement and security posture.

Please note that Qwak provides only a summary of the vulnerability scans conducted by JFrog Xray. For detailed insights, you are encouraged to click the "Scan results" button. This action will redirect you to the comprehensive scan report available on JFrog's platform.