Friday, October 18, 2024

JFrog and GitHub Launch Integrations for Open Source Security

Software security expert JFrog and the open-source development community platform GitHub are launching integrations that will harness the power of JFrog’s Software Supply Chain Platform within GitHub’s code development environment.

The two companies claim this collaboration will provide a comprehensive overview of project status and security, enabling developers to identify potential vulnerabilities earlier in the software development process. This is expected to enhance efficiency while lowering costs and minimizing risks. JFrog emphasized that this integration aligns with their goal of embedding security throughout all phases of software development, from planning to production.

“Developers often don’t recognize issues until something fails; it’s at that point they begin the process of uncovering what went wrong,” noted Yoav Landman, JFrog’s Chief Technology Officer and co-founder. “Our partnership with GitHub allows teams to transition seamlessly between code development and binary storage, resulting in a more intuitive workflow.”

Landman further indicated that this integration aims to improve the developer experience and traceability, ensuring developers can easily link their source code to the corresponding binaries while maintaining a consolidated view of security, allowing them to prioritize delivering high-quality software without the concern of hidden vulnerabilities.

GitHub CTO Jason Warner expressed enthusiasm for the collaboration, stating, “We are thrilled to partner with JFrog to establish a seamless and secure developer experience that provides all relevant information about the status and security of builds in a single location. The combination of JFrog’s capabilities with GitHub’s platform is set to significantly bolster the security of the entire software supply chain, from source code to binaries.”

A recent report from JFrog revealed that only 56% of organizations utilize both source code and binary scanning to ensure the security of their software supply chains. This gap leaves many businesses vulnerable to attacks at a fundamental level—a concerning trend as threat actors continue to excel at exploiting bugs, flaws, and sensitive information housed in binaries. A particularly alarming example was demonstrated when JFrog researchers discovered a token inadvertently left in a Docker container that granted full access to the Python package repository; had it been misused, it could have compromised tens of millions of systems globally, including critical internet and cloud infrastructure.

A Unified Approach to Secure Workflows

The partnership aims to create a more accessible and secure method for developers to trace the origins of open-source code from its source to the resulting binaries across both platforms. This will be achieved through three primary approaches, as detailed by the partners.

The first approach, known as Bidirectional Code Navigation and Job Visibility, lets developers move in both directions between GitHub Actions workflows and JFrog Artifactory. This includes tracking the list of packages generated as build output and linking each one to its storage location. The same navigation extends to software bill of materials (SBOM) packages, improving teams’ understanding of code provenance and dependencies.

The second approach, Unified Secure Single Sign-On (SSO), addresses the challenges of moving between development environments. Traditionally, this relied on developer-managed tokens, which carried significant risk. By leveraging OpenID Connect (OIDC) SSO support, GitHub Actions and the JFrog Platform establish a trusted relationship and automate token management to verify developers’ identities, allowing smooth transitions between environments.
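To make the OIDC point concrete, here is an added illustrative GitHub Actions workflow that is not part of the announcement or of either company's documentation. It shows the traditional pattern (a long-lived JFrog access token stored as a repository secret) beside the OIDC pattern, in which the job requests a short-lived ID token from GitHub and exchanges it for a JFrog access token. It assumes the `jfrog/setup-jfrog-cli` action's `oidc-provider-name` and `oidc-audience` inputs, an OIDC integration named `github-oidc` configured on the JFrog Platform side, and a repository variable `JF_URL`; all of those names are assumptions for the example.

```yaml
# Added illustrative example; not code from JFrog's or GitHub's announcement.
# Assumed: the jfrog/setup-jfrog-cli action's OIDC inputs, a JFrog-side OIDC
# integration named "github-oidc", and a repository variable JF_URL.
name: build-and-publish

on:
  push:
    branches: [main]

permissions:
  contents: read
  id-token: write   # allows this job to request a short-lived OIDC ID token from GitHub

jobs:
  publish:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Before (weak): a long-lived access token stored as a repository secret.
      # Whoever obtains JF_ACCESS_TOKEN (leaked log, compromised third-party
      # action, over-broad secret exposure) can use it until it is rotated.
      # - uses: jfrog/setup-jfrog-cli@v4
      #   env:
      #     JF_URL: ${{ vars.JF_URL }}
      #     JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}

      # After (OIDC): no stored credential. The action obtains a GitHub ID token
      # scoped to this repository and workflow, and the JFrog Platform exchanges
      # it for a short-lived access token bound to the configured identity mapping.
      - uses: jfrog/setup-jfrog-cli@v4
        env:
          JF_URL: ${{ vars.JF_URL }}
        with:
          oidc-provider-name: github-oidc
          oidc-audience: jfrog-github   # must match the audience configured on the JFrog side

      # Sanity check that the exchanged token is accepted by the platform.
      - run: jf rt ping
```

The defensive value is in what is no longer present: there is no `secrets.JF_ACCESS_TOKEN` to leak, rotate, or scope. The JFrog side decides which GitHub identities (repository, branch, workflow) may exchange a token and what permissions the resulting short-lived token carries, so a compromise of one workflow run does not yield a durable credential.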

Lastly, the Consolidated Security Status Dashboards will deliver unified dashboards for developers, providing security scan results from both GitHub and JFrog tools, along with insights on permissions and identity management, enabling quicker identification of issues.

GitHub Copilot Partnership

In addition to the main announcement, JFrog has also joined GitHub’s Copilot Extensions program. This initiative aims to enhance developer productivity by offering a chat feature that addresses common queries related to JFrog and GitHub, streamlining the process and saving time otherwise spent searching through extensive documentation or forums.