GitHub and JFrog Partner To Unify Code and Binaries for DevSecOps

This partnership between GitHub and JFrog enables developers to manage code and binaries more efficiently on two of the most widely used developer platforms in the world.

GitHub JFrog Integration

Note: This post is co-authored by JFrog and GitHub and has also been published on the GitHub blog

As the volume of code continues to grow exponentially, software developers, DevOps engineers, operations teams, security specialists, and everyone else who touches code are increasingly spending their time in the weeds of securing, delivering, and scaling software. This bottles up creativity and ultimately slows software development for every organization.

Today, we’re announcing a new partnership between GitHub and JFrog that promises to give that time back by letting developers manage code and binaries more efficiently on two of the most widely used developer platforms in the world.

Fifty percent of JFrog’s customers already use GitHub as their primary code repository to get the best of both source code and binary management. Now, developers will be able to build, secure, and innovate all from one dashboard, never needing to switch context or slow down.

Together, we’ve built an integration that includes intuitive navigation and traceability between source code and binaries, CI/CD with GitHub Actions and JFrog Artifactory, and a unified view of security findings across the software supply chain. By providing full control and visibility across the entire software supply chain, we are accelerating our joint vision of making developers’ lives easier and happier.

Here’s how it works

Flow chart demonstrating how GitHub and JFrog interact throughout the software development lifecycle.

Manage access and roles with single sign-on (SSO) across both platforms. We’ve integrated single sign-on (SSO), project role mapping and access management, and CI integration across both platforms. With centralized user identity and access management (IAM), users won’t need to worry about multiple logins.

The world of software supply chain management introduces many challenges and points of friction for developers. The integration between JFrog’s Software Supply Chain Platform and GitHub’s Developer Platform was designed to provide a ‘secure by default’ developer experience,” said Gerard McMahon, Head of ALM Tools and Platforms for Fidelity Investments. “This collaboration gives developers a single source of truth for code and binaries, and security teams gain full traceability and a unified view to monitor and remediate threats, reducing risk.”

Track artifact lifecycles with integrations between GitHub Actions and JFrog Artifactory. We’ve also integrated GitHub Actions with JFrog Artifactory to provide better tracking for stored artifacts. Binary artifacts generated by Actions will include metadata and processes as part of the binary data in JFrog Artifactory, making them a first-class citizen in software bill of materials (SBOM) generation.

We are thrilled to see some of the enhancements come to life; we believe this collaboration between GitHub and JFrog has the potential to significantly impact the DevOps landscape,” noted Amol Shukla, Distinguished Engineer, Morgan Stanley. “For instance, establishing bi-directional links between GitHub Actions Workflows, and Release Artifacts created and stored in Artifactory could enhance the development experience and traceability across the software supply chain.”

Simplify governance with bidirectional linking between source code and binaries. To further increase visibility, we’re linking software packages and code bidirectionally to allow for precise tracking and triage by natively linking code with built packages, which provides deeper compliance and security-oriented outputs for attesting to provenance and origin.

JFrog Job Summary, and Build-Info SBOM pointing back to GitHub JobJFrog Job Summary, and Build-Info SBOM pointing back to GitHub Job

What’s coming next

A unified view of software supply chain security state. One of our first priorities is to integrate our respective security offerings to provide a holistic view of the software supply chain security state across both platforms into GitHub dashboards.

Ask GitHub Copilot Chat about JFrog processes, artifacts, and more. We’re also bringing JFrog into GitHub Copilot Chat so you can ask Copilot questions about artifacts in JFrog Artifactory, JFrog processes and configuration, and even advice about the best software packages and versions to use. This brings GitHub Copilot into the broader software supply chain to deliver a more complete view of the software development lifecycle.

Beyond DevOps and DevSecOps practices, the future will require advanced interactions with AI tools,” noted John Nuttall, Director of Technology for AT&T. “Chatting with GitHub’s Copilot to select the right and secure software package based on the extensive metadata stored in JFrog Catalog can be a game-changer. This integration will significantly enhance the efficiency of Copilot users across the software supply chain; binary-focused and code environments. This partnership offers the best of both worlds.”

Enterprises worldwide want solutions that work together to provide the best security, management, and operations capabilities across their software supply chains from code to production. As GitHub and JFrog commit to bringing customers the most powerful solution available together, we look forward to driving modern development forward.

 

Witness the power of GitHub and JFrog together on June 13.

Register for our joint webinar