JFrog and GitHub unveil open source security integrations


Software supply chain security vendor JFrog and code-hosting platform GitHub are unveiling integrations that bring the capabilities of JFrog’s Software Supply Chain Platform into GitHub’s development platform.

The partners claim the tie-up will deliver a unified view of project status and security posture, which they say will let developers address potential vulnerabilities earlier in the software development cycle, improving their efficiency and reducing both cost and risk.

JFrog said the integration also extended its vision to integrate security into every stage of software development from planning to production.

“Developers often don’t realise there’s an issue until something breaks; it’s only then that they can start piecing together the puzzle to find out what went wrong,” said Yoav Landman, chief technology officer (CTO) and co-founder of JFrog.

“Our partnership with GitHub empowers teams to seamlessly navigate between code development and binary storage, enabling a more intuitive workflow.

“This integration is expected to enhance the developer experience and traceability, ensuring they can easily connect their source code with the corresponding binaries while maintaining a consolidated view of security so they can focus on delivering high-quality software without the worry of unseen vulnerabilities,” said Landman.

GitHub CTO Jason Warner added: “We couldn’t be more excited about our collaboration with JFrog to create a seamless, secure developer experience by providing all pertinent information related to the status and security of their builds in one place.

“Combining the strength of JFrog and GitHub is expected to significantly enhance the security of the entire software supply chain from source code to the binaries.”


A recent JFrog report found that only 56% of organisations were using both source code and binary scanning to secure their software supply chain, leaving thousands of businesses open to attack at the most fundamental level – a very risky proposition as threat actors continue to prove highly adept at uncovering both bugs and flaws, and sensitive information stored in binaries.

The recent discovery by JFrog researchers of a token accidentally left in a Docker container that granted full access to the Python package repository aptly demonstrates this point – had it been exploited, tens of millions of systems all over the world, including many running core internet and cloud infrastructure, could have been affected.

Single platform to secure workflows

At its heart, the partners expect the integration to offer developers an easier and safer way to trace the provenance of open source code from source to the resulting binaries across both platforms. The tie-up will accomplish this through three components, they explained.

The first of these, dubbed Bidirectional Code Navigation and Job Visibility, will let developers navigate from a GitHub Actions workflow run to the packages it produced in JFrog Artifactory, and from a stored package back to the workflow run that built it. This will extend to software bill of materials (SBOM) packages, which may help teams get a better grasp of code provenance, dependencies and so on.

The second component, Unified, Secure Single Sign-On (SSO), will help address problems that arise when switching between development environments. Traditionally, this relied on long-lived access tokens stored as CI secrets, which carry considerable risk if they are leaked or left behind in an image, as in the case above. Using OpenID Connect (OIDC), GitHub Actions and the JFrog Platform establish a trust relationship: a workflow run presents a short-lived identity token signed by GitHub, and JFrog verifies it and issues a short-lived access token for that run, so no static credential has to be stored and token management is automated. Developers can then move from one environment to the other quickly and easily.
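The contrast drawn in that paragraph, as an added example that is not part of the announcement or of JFrog’s own documentation: a GitHub Actions job that authenticates to Artifactory with a stored long-lived token, beside the same job using the OIDC trust relationship through the jfrog/setup-jfrog-cli action. The instance URL example.jfrog.io, the provider name github-actions, the audience jfrog-github, the secret name and the repository path are assumptions chosen for illustration.

```yaml
# Added example, not from the article or JFrog: one GitHub Actions workflow
# showing both ways of authenticating a job to Artifactory.
# Hostname, provider name, audience, secret name and target repo are assumptions.

jobs:
  # BEFORE: a long-lived access token kept as a repository secret.
  # Anyone who can read the secret, or a copy that leaks into a build
  # artefact or container image, holds a credential that stays valid
  # until someone remembers to revoke it.
  publish-with-static-token:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: jfrog/setup-jfrog-cli@v4
        env:
          JF_URL: https://example.jfrog.io
          JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}   # static credential
      - run: jf rt upload "dist/*.whl" pypi-local/

  # AFTER: no stored credential. The job asks GitHub for a short-lived OIDC
  # ID token (hence id-token: write); the action presents it to the JFrog
  # Platform, which checks the signature and claims against the OIDC
  # integration named below and its identity mapping, then returns a
  # short-lived access token scoped to this run.
  publish-with-oidc:
    runs-on: ubuntu-latest
    permissions:
      id-token: write    # required to request the OIDC token; without it the exchange fails
      contents: read
    steps:
      - uses: actions/checkout@v4
      - uses: jfrog/setup-jfrog-cli@v4
        env:
          JF_URL: https://example.jfrog.io
        with:
          oidc-provider-name: github-actions   # name of the OIDC integration created in JFrog
          oidc-audience: jfrog-github          # must match the audience set on that integration
      - run: jf rt upload "dist/*.whl" pypi-local/
```

The check that matters lives on the JFrog side: the OIDC integration names GitHub’s issuer (https://token.actions.githubusercontent.com) and the expected audience, and an identity mapping ties claims in the token, such as the repository and ref (for instance a hypothetical `{"repository": "example-org/example-repo", "ref": "refs/heads/main"}`), to a user or token scope. A mapping that matches only the issuer and audience, with no repository or branch constraint, would let any public GitHub workflow obtain that scope, so the mapping should be as narrow as the workflow that needs it.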

Finally, Consolidated Security Status Dashboards will give developers a single view of the security scan results from the respective GitHub and JFrog tools, along with permissions and identity management, to help them identify problems faster.

GitHub Copilot

Alongside the main announcement, JFrog has also unveiled its participation in GitHub’s existing Copilot Extensions programme, which aims to improve developer productivity through a chat feature that answers common questions about their JFrog and GitHub environments, removing the need to sift through documentation or search forums.
