Shared Services Canada (SSC) has initiated a one-year pilot project of GC Secure Artifacts, a secure, scalable, centralized artifact management service underpinned by the JFrog Enterprise+ platform, self-hosted on the GC Private Cloud.
Available to all federal departments and agencies, this service represents SSC's initial venture into a unified DevSecOps service, designed to bolster software supply chain security and expedite delivery across the Government of Canada. Outcomes of this pioneering initiative will contribute to the decision-making process regarding the project's long-term sustainability and potential expansion.
For access to GC Secure Artifacts, please complete the following GC Form:
This service supports the Government of Canada's efforts to reduce duplication. While departments currently maintain independent Artifactory instances, a centralized approach provides potential access to advanced features. These features, such as JFrog Advanced Security and/or Runtime, could be cost-prohibitive for individual departments but become feasible through pooled resources. By offering a unified secure service, we can improve cybersecurity and delivery speed while creating potential for significant savings.
GC Secure Artifacts, by consolidating efforts across departments, aims to:
- Reduce duplication: Eliminate the need for each department to purchase and manage its own tools.
- Strengthen national security: Through standardizing controls and policies involving software supply chains.
- Accelerate development: Enables developer teams to reuse trusted components without waiting for manual security approvals.
- Support compliance: Maintains traceability throughout the Software Development Life Cycle (SDLC) to meet audit and policy demands.
For further insight into the GC Secure Artifacts initiative, below is an presentation (unclassified) previously presented at the Architectural Review Committee at SSC.
As the days go by, you can see how the count evolves… here is our github public adoption(Search Results).
JFrog Platform (Enterprise Plus) offers an enterprise-grade solution for publishing and consuming build artifacts and container images.
The platform provides:
- A centralized registry for internal builds and deployments
- Advanced access controls and repository segmentation
- Built-in vulnerability scanning (via JFrog Xray)
- Support for multiple package types (Docker, Maven, NPM, Nuget, Helm, etc.)
Chainguard is a robust security tool with no known Common Vulnerabilities and Exposures (CVEs), indicating a high level of safety. The images it provides are distroless, minimal, signed, and Software Bill of Materials (SBOM) enabled, serving as a secure-by-default base layer for application development.
These images have been set up as a pull through from Chainguard's registry to our JFrog Artifactory instance and available to anyone from within the GC.
The container images which are available:
- Python
- OpenJDK (JDK & JRE)
- PowerShell
- Node.js
- ASP.NET Runtime
- .NET Runtime
- .NET SDK
This repository includes practical examples demonstrating how to integrate JFrog Platform and Chainguard Images in your CI/CD workflows.
Replace standard base images with Chainguard equivalents:
# Python
FROM artifacts-artefacts.devops.cloud-nuage.canada.ca/docker-chainguard-remote/ssc-spc.gc.ca/python:3.13.3
# Java
FROM artifacts-artefacts.devops.cloud-nuage.canada.ca/docker-chainguard-remote/ssc-spc.gc.ca/jre:openjdk-21
# Node.js
FROM artifacts-artefacts.devops.cloud-nuage.canada.ca/docker-chainguard-remote/ssc-spc.gc.ca/node:24.1.0Add JFrog CLI to your GitHub Actions:
- name: Setup JFrog CLI
uses: jfrog/setup-jfrog-cli@v4
env:
JF_URL: https://artifacts-artefacts.devops.cloud-nuage.canada.ca
JF_USER: ${{ secrets.JFROG_USERNAME }}
JF_ACCESS_TOKEN: ${{ secrets.JFROG_JWT_TOKEN }}Enable security scanning:
- name: Scan Dependencies
run: jf audit --format=simple
- name: Scan Container
run: jf docker scan $IMAGE_TAGThe repository contains complete implementation examples:
examples/
├── java-app/ # Java application with JFrog + Chainguard integration
├── python-app/ # Python application example
├── node-app/ # Node.js application example
└── .github/workflows/ # Complete CI/CD workflow templates
Each example demonstrates:
- JFrog CLI dependency scanning
- Chainguard image integration
- Container vulnerability scanning
- Frogbot pull request security
- Cost optimization features
Configure these secrets in your GitHub repository:
JFROG_USERNAME: Your Artifactory usernameJFROG_JWT_TOKEN: Your Artifactory access token
Configure JFrog CLI:
jf config add --url=https://artifacts-artefacts.devops.cloud-nuage.canada.ca
jf rt ping
jf auditAccess Chainguard Images:
docker login artifacts-artefacts.devops.cloud-nuage.canada.ca
docker pull artifacts-artefacts.devops.cloud-nuage.canada.ca/docker-chainguard-remote/ssc-spc.gc.ca/python:3.13.3For more detailed information on our project standards and guidelines, kindly refer to the following documents:
- Artifactory Standards
- Chainguard Images
- Quick Start Guide
- Frequently Asked Questinos
- Additional documents will be uploaded soon
We appreciate and welcome your inputs and suggestions to continuously improve this service to support departmental and/or agency needs.
Feel free to share your feedback by emailing us at devops.artifacts-artefacts.devops@ssc-spc.gc.ca.