JFrog and GitHub expand partnership to empower developers with secure unified management interface and Copilot Chat

Publisher: EE小广播 | Latest update time: 2024-09-18 | Source: EEWORLD

September 18, 2024 - JFrog, the streaming software company and creator of the JFrog Software Supply Chain Platform, and GitHub, the world's leading code development platform, recently released a new integration feature at the JFrog Annual User Conference. The deepened cooperation gives developers a comprehensive view of project status and security posture, helping them quickly resolve potential vulnerabilities discovered by the two companies' advanced security products. In addition, to help developers quickly understand third-party software packages, the two parties also announced the launch of a Copilot Chat extension that helps developers quickly select up-to-date, enterprise-approved, and safe-to-use software packages.


“For developers to be more productive, they need full visibility into the quality and security of the code and binaries they integrate into their software,” said Yoav Landman, CTO and co-founder of JFrog. “Our collaboration with GitHub enables teams to quickly understand and ensure trust in this information using Copilot. Our partnership also enables developers to build and release trusted software faster through more intuitive workflows that allow them to navigate between code and binary artifacts produced during the build process. We are on a journey together and look forward to delivering a unified platform experience to our customers.”


According to the "2024 Global Software Supply Chain Development Report" released by JFrog, only 56% of companies use both source code and binary scanning to protect their software supply chains. That leaves nearly half of companies exposed to binary-level security vulnerabilities, which poses a huge security risk to enterprises. At the same time, the JFrog security research team recently discovered a token, accidentally left behind in a Docker container, that granted full access to the Python package repository. If this token were discovered and exploited, it would affect tens of millions of computer systems around the world, which support most of today's Internet and cloud infrastructure, automated work tasks, financial services, and data analysis.


Create secure developer workflows by integrating best-of-breed source and binary platforms


The JFrog and GitHub integration promises to provide an easier and more secure way to track the code lifecycle from source code to generated binaries on both platforms, with the following key features:


  • Get deep insights into packages with Copilot Chat integration: The new GitHub Copilot extension makes developers more productive by providing deep insights into open source packages in the JFrog binary environment, along with GitHub code data, eliminating the need to search documentation or online forums. The recommendations provided are aligned with corporate governance policies, allowing developers to select packages based on security and market adoption, making smart choices for the business. Combining Copilot's chat capabilities with JFrog's artifact metadata creates a powerful AI assistant for developers.

  • Integrated security dashboard: A unified view of security scan results from GitHub Advanced Security and JFrog Advanced Security (including the scanner that discovered the aforementioned Python vulnerability) can help developers identify and eliminate potential software vulnerabilities early in the development lifecycle, saving time and reducing risk.

  • Bidirectional end-to-end release traceability: The new job summary page on GitHub provides developers with a quick view of each GitHub Actions workflow run and security status, allowing developers to quickly view the output packages of each build and easily jump to locations in JFrog Artifactory and back. This bidirectional navigation enhances software traceability by leveraging the software bill of materials (SBOM) stored in JFrog Artifactory.

  • Dynamic project mapping and authentication: Leveraging the current OpenID Connect (OIDC) integration, we have improved automatic authorization and seamless project mapping between GitHub repositories and JFrog projects in Artifactory, eliminating the need for developers to re-authenticate to each repository.

