Enhanced integration delivers Copilot chat powered by comprehensive software package insights, alongside holistic software supply chain security protection from code to binaries
JFrog and GitHub today unveiled new integrations at JFrog’s annual user conference. This deepening collaboration provides developers with a consolidated view of project status and security posture to help quickly address potential vulnerabilities discovered by the companies’ respective Advanced Security offerings. Additionally, to help developers quickly gain insight on third-party packages, the companies announced a Copilot chat extension to quickly select software packages that are updated, approved by the organization, and safe for use.
“For developers to be productive, they need complete information about the quality and security of the code and binaries they integrate into their software. Our partnership with GitHub enables teams to do this quickly and with confidence using Copilot,” said Yoav Landman, CTO and Co-Founder, JFrog. “Our partnership also allows developers to navigate between code and the binary artifacts produced by the build process through a more intuitive workflow so they can build and release trusted software, faster. We’re excited about our shared roadmap, and look forward to driving a single platform experience for our customers.”
According to JFrog’s 2024 Software Supply Chain State of the Union report, only 56% of companies use both source code and binary scanning to secure their software supply chains, leaving nearly half of companies vulnerable to attacks at the binary level. This is very risky, as underscored by the JFrog Security Research team’s recent discovery of a token inadvertently left at the binary level in a Docker container that granted full access to the Python package repository. Had this token been discovered and exploited, it would have impacted tens of millions of computer systems worldwide that run most of today’s internet and cloud infrastructure, automation tasks, financial services and data analysis.
Creating Secure Developer Workflows by Uniting Best-of-Breed Source Code and Binary Platforms
JFrog’s integration with GitHub is expected to offer an easier, more secure way to trace code from its source to the resulting binaries across both platforms with the following key capabilities:
* Copilot Chat Integration for Software Package Insights: The new GitHub Copilot extension boosts developer productivity by providing insights on open-source packages within the JFrog binary environment alongside GitHub code data, eliminating the need to search through documentation or online forums. It also aligns recommendations with organizational curation policies, enabling informed software package choices that consider security and market adoption. Combining Copilot’s chat features with JFrog’s artifact metadata creates an invaluable AI- powered assistant for developers.
* Consolidated, Single Pane of Glass Security Dashboard: A unified view of security scan results from GitHub Advanced Security and JFrog Advanced Security (including the scanners that found the Python vulnerability mentioned above), helping developers address and remove potential software vulnerabilities earlier in the development lifecycle, saving time and reducing risk.
* Bidirectional End-to-End Release Lineage: The new job summary page on GitHub offers a quick view of the health and security status of each GitHub Actions Workflow, allowing developers to quickly see the output packages from each build, navigate to their location in JFrog Artifactory and back again. This bidirectional navigation utilizes a software bill of materials (SBOM) preserved in JFrog Artifactory, enhancing software lineage traceability.
* Dynamic Project Mapping and Authentication: Improved automatic authorization and seamless project mapping between GitHub Repositories and JFrog Projects in Artifactory utilizing current OpenID Connect (OIDC) integration, eliminating the need for developers to reauthenticate per repository.