We are looking to do a GitLab / Jenkins - Artifactory CI setup. A query on audit information came up.
What audit trail of builds is available in Artifactory to demonstrate to audit teams the link between a build that ran on GitLab / Jenkins and a particular binary that was stored in an Artifactory repo? Does Artifactory keep tracking info on the binaries pushed to it by GitLab CI / Jenkins?
I hope I was able to frame my query correctly. Please feel free to ask if I need to clarify further.
That kind of audit trail may not be available in Artifactory; you need to build this traceability across tools as per your organization's requirements. If Jenkins is the CI engine and responsible for creating the build, in the job configuration you will find that a version parameter can be created. You can create a very specific version for each build artifact, for example branchname+jenkinsjobname+timestamp, and you will get an output file concatenatedstring_timestamp.jar. This will be pushed into Artifactory with a specific non-human user which is already integrated between the two applications. In Artifactory you will be able to see which user pushed the artifact. And when this concatenatedstring is seen in Artifactory by an audit team, they will also be able to see a unique branchname and Jenkins job name with a timestamp, which provides the traceability as per audit requirements.

This traceability needs to be built in scenarios when we do not use the same tool for all operations. For example, if you used GitLab itself for SCM, CI and Artifact Management within the same product, traceability comes OOTB.
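The naming scheme the answer describes, as an added example that is not part of the original post: a small POSIX shell library a Jenkins `sh` step could source. It sanitizes the branch and job names (multibranch jobs put `/` in both, which would otherwise become path separators), builds the `app_branch_job_timestamp.ext` name, lets an auditor parse the fields back out, and uploads with the non-human service account. `ART_URL`, `ART_REPO`, `ART_USER` and `ART_TOKEN` are assumed environment variables; the `X-Checksum-Sha256` deploy header is Artifactory's, sent so the server-recorded checksum can be compared with the one computed on the build agent.

```shell
#!/bin/sh
# Added example (not from the original thread). Jenkins-provided variables
# such as BRANCH_NAME, JOB_NAME and BUILD_NUMBER are passed in as arguments.

# Replace every character that is not [A-Za-z0-9.-] with '-'. Because '_'
# is also replaced, it becomes a safe delimiter between the name fields.
sanitize() {
    printf '%s' "$1" | tr -c 'A-Za-z0-9.-' '-'
}

# artifact_name APP BRANCH JOB TIMESTAMP EXT
#   -> APP_BRANCH_JOB_TIMESTAMP.EXT, e.g. from a Jenkins step:
#   artifact_name myapp "$BRANCH_NAME" "$JOB_NAME" "$(date -u +%Y%m%dT%H%M%SZ)" jar
artifact_name() {
    printf '%s_%s_%s_%s.%s' \
        "$(sanitize "$1")" "$(sanitize "$2")" "$(sanitize "$3")" "$4" "$5"
}

# artifact_field NAME N -> field N of a name built above
#   1 = app, 2 = branch, 3 = Jenkins job, 4 = timestamp
# This is what an auditor (or a check script) uses to map a binary seen in
# Artifactory back to the branch and job that produced it.
artifact_field() {
    printf '%s' "${1%.*}" | cut -d_ -f"$2"
}

# upload_artifact LOCAL_FILE NAME
# Deploys to $ART_URL/$ART_REPO/<app>/<NAME> as the service account, sending
# the locally computed SHA-256 so Artifactory's stored checksum can be
# reconciled with the build agent's. Assumed env: ART_URL ART_REPO ART_USER ART_TOKEN
upload_artifact() {
    sum="$(sha256sum "$1" | cut -d' ' -f1)"
    curl -fsS -u "$ART_USER:$ART_TOKEN" \
        -H "X-Checksum-Sha256: $sum" \
        -T "$1" "$ART_URL/$ART_REPO/$(artifact_field "$2" 1)/$2"
}
```

A pipeline step would call `name="$(artifact_name myapp "$BRANCH_NAME" "$JOB_NAME" "$(date -u +%Y%m%dT%H%M%SZ)" jar)"`, copy the built jar to that name, then `upload_artifact "$name" "$name"`, so the user recorded by Artifactory and the fields in the file name together give the trail the answer describes.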