JFrog-GitHub partnership eyes software supply chain security

JFrog and GitHub released a set of focused integrations that provide better visibility across the software supply chain and advance the idea of 'EveryOps.'

JFrog and Microsoft subsidiary GitHub are bringing their platforms together to provide better visibility across the software supply chain as enterprises juggle the advances of AI in software development with the criticality of security.

The partnership, a first for the companies, aims to enable teams to more easily work between the two platforms -- one for building code and the other for storing built binaries. It addresses user experience and traceability between source code and binaries, while also providing a consolidated security view.

"The partnership focuses on allowing customers to more seamlessly integrate the two solutions, focusing on their strengths -- creating a better-together scenario," said Jim Mercer, an analyst at IDC. "Both GitHub Actions and the JFrog platform tend to be stronger where the other product is weaker, so they balance one another out."

It also pushes forward JFrog's concept of "EveryOps," which seeks to converge and broaden IT operations disciplines into a universal practice.

"We do see the coming together of MLOps, DevOps, DevSecOps, etc., in both practice at organizations and in tooling," said Katie Norton, an analyst at IDC. "These processes coming together in the same tooling is just more efficient, cost-effective and secure."

Peeling back the partnership

The integrations between GitHub and JFrog are focused around three areas, according to Yoav Landman, co-founder and CTO at JFrog. The first is user experience, with a single sign-on feature and mapping between GitHub code repositories and JFrog Projects, used for managing project resources and permissions.

The second area is traceability, with integration between GitHub Actions and JFrog packages to provide bidirectional navigation between the two. A workflow in GitHub Actions creates binaries that are then stored in JFrog Artifactory, the company's flagship binary repository manager. Developer teams can now start from a GitHub Actions workflow run, see the list of packages produced as the build's output, follow each one to where it was deposited in JFrog Artifactory, and navigate back again, according to Landman.

The bidirectional navigation extends to software bill of materials (SBOM) packages, which are stored in JFrog Artifactory as binaries. The integration makes software provenance and dependencies more accessible to developer teams, Landman said.

"We've always had this capacity, but we made it easier to consume," he said. "It's just in one place -- so you can see the output of your build and then you can navigate to the SBOM in JFrog, and from the SBOM you can go over to the build."

The third area is security, by giving customers a consolidated view of JFrog Advanced Security -- which scans binaries -- and GitHub Advanced Security, which scans source code.

"We have one place under the GitHub security view where you can see GitHub Advanced Security findings together with JFrog Advanced Security findings, and you don't have to switch contexts between different views," Landman said.

In September, during its annual user conference, JFrog will introduce another integration -- this time with GitHub Copilot. In GitHub, the generative AI bot can act as a coding assistant, but in JFrog, it will function more like a guide to the company's catalog of binaries, which includes binary versions and associated metadata.

"You will be able to consult from GitHub Copilot ... in order to pick the best packages and get insights about them," including potential alternatives, Landman said.

EveryOps and the platform

Overall, customers drove many of the integrations unveiled in this new partnership, and the two companies' solutions engineering teams also saw customer interest through their work on joint projects, Landman said.

"At the end of the day, this is what customers are doing," he said. "It's just a stamp of approval, which makes the whole experience much, much easier and much smoother for consumption."


IDC's Norton described the partnership as a push toward a "one platform" experience that reduces context switching and could make supply chain security more attainable.

"These capabilities could really help organizations struggling with securing their software supply chains, and should make adopting practices like attestation and provenance more achievable," she said.

She also noted that companies like GitHub and JFrog will need to be able to provide a "frictionless experience" as they seek to achieve EveryOps or XOps, especially given the advances of AI in software development and its reach beyond developers in the enterprise.

"AI-based applications are powered by models that need to be secured, managed, tracked and deployed as part of quality software applications," Norton said. "However, for many organizations, model development is a relatively new undertaking, often occurring in isolation and lacking transparency and integration with broader, more established software development practices."

Plus, the market might just be at the beginning of this new platform era. David Vance, an analyst at TechTarget's Enterprise Strategy Group, said this partnership "shows that the developer ecosystem is still very fragmented, with multiple vendors and open source alternatives offering varying DevOps and security capabilities."

The partnership could also help JFrog and GitHub remain competitive in an increasingly noisy DevOps market.

"Organizations are looking for opportunities to normalize their DevOps portfolios, making for a very competitive situation between the key DevOps players," IDC's Mercer said. "This makes each player a bit stickier in the environments where they are already deployed and allows them to demonstrate increased value to prospects or in competitive situations against the likes of platforms such as GitLab or binary repository competitors like Sonatype and Cloudsmith."

Nicole Laskowski is a senior news director for TechTarget Editorial. She drives coverage for news and trends around enterprise applications, application development and storage.
