JFrog and GitHub unveil open source security integrations
Secure software specialist JFrog is working with code development service GitHub to integrate the onboard capabilities of its Software Supply Chain Platform service into GitHub’s platform
Software security specialist JFrog and open source development community service GitHub are unveiling integrations that bring the capabilities of JFrog’s Software Supply Chain Platform to bear within GitHub’s code development platform.
The partners claim the tie-up will deliver a unified view of project status and security posture, hopefully enabling developers to address potential vulnerabilities earlier in the software development cycle, improving their efficiency, and reducing both cost and risk.
JFrog said the integration also extended its vision to integrate security into every stage of software development from planning to production.
“Developers often don’t realise there’s an issue until something breaks; it’s only then that they can start piecing together the puzzle to find out what went wrong,” said Yoav Landman, chief technology officer (CTO) and co-founder of JFrog.
“Our partnership with GitHub empowers teams to seamlessly navigate between code development and binary storage, enabling a more intuitive workflow.
“This integration is expected to enhance the developer experience and traceability, ensuring they can easily connect their source code with the corresponding binaries while maintaining a consolidated view of security so they can focus on delivering high-quality software without the worry of unseen vulnerabilities,” said Landman.
A recent JFrog report found that only 56% of organisations were using both source code and binary scanning to secure their software supply chain, leaving thousands of businesses open to attack at the most fundamental level – a very risky proposition as threat actors continue to prove highly adept at uncovering both bugs and flaws, and sensitive information stored in binaries.
The recent discovery by JFrog researchers of a token accidentally left in a Docker container image that granted full administrative access to the Python package repository (PyPI) aptly demonstrates this point – had it been exploited, tens of millions of systems all over the world, including many running core internet and cloud infrastructure, could have been affected.
Single platform to secure workflows
At its heart, the partners expect the integration to offer developers an easier and safer way to trace the provenance of open source code from source to the resulting binaries across both platforms. The tie-up will accomplish this via three key methodologies, they explained.
The first of these, dubbed Bidirectional Code Navigation and Job Visibility, will let developers navigate from a GitHub Actions workflow run to the packages it produced in JFrog Artifactory, and back again from a stored binary to the workflow and commit that built it. This will extend to software bill of materials (SBOM) packages, which may help teams get a better grasp of code provenance, dependencies and so on.
The second methodology, Unified, Secure Single Sign-On (SSO), will help address problems that arise when switching between development environments. Traditionally, this hand-off relied on long-lived access tokens stored as secrets, which can leak, be over-scoped or outlive the job that needed them. Using OpenID Connect (OIDC) SSO support, GitHub Actions and the JFrog Platform will establish a trusted relationship and automate token issuance to verify the identity of the calling workflow, letting teams hop from one environment to the other quickly and easily without a stored credential.
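As an added illustration of the contrast the article draws (this is example configuration written for this page, not code from JFrog, GitHub or the article), the workflow below has one job that authenticates to Artifactory with a long-lived token held as a repository secret and a second that uses the GitHub Actions OIDC token instead. The instance URL, repository key, OIDC provider name and audience are placeholder assumptions and must match an OIDC integration and identity mapping configured in your own JFrog Platform instance.

```yaml
# Added example (not from the article, JFrog or GitHub): the same publish step
# done with a stored long-lived token and with a short-lived OIDC exchange.
# Assumed values: the JFrog URL, the repository key "libs-release-local", the
# OIDC provider name "github-oidc" and the audience "jfrog-github" are
# placeholders that must match your JFrog Platform's OIDC integration.
name: build-and-publish

on:
  push:
    branches: [main]

jobs:
  # BEFORE: a long-lived Artifactory access token stored as a repository secret.
  # Anyone who can read the secret, or a leaked copy of it, holds that access
  # until someone notices and revokes the token by hand.
  publish-with-static-token:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: jfrog/setup-jfrog-cli@v4
        env:
          JF_URL: https://example.jfrog.io              # assumed instance URL
          JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}
      - run: >
          jf rt upload "dist/*.jar" libs-release-local/
          --build-name=demo --build-number=${{ github.run_number }}

  # AFTER: no stored credential. The job asks GitHub for a short-lived OIDC
  # ID token (id-token: write) and setup-jfrog-cli exchanges it for a
  # short-lived JFrog access token under the named OIDC integration.
  publish-with-oidc:
    runs-on: ubuntu-latest
    permissions:
      contents: read      # explicit permissions block resets the rest to none
      id-token: write     # required for the runner to request an OIDC token
    steps:
      - uses: actions/checkout@v4
      - uses: jfrog/setup-jfrog-cli@v4
        env:
          JF_URL: https://example.jfrog.io              # assumed instance URL
        with:
          oidc-provider-name: github-oidc               # assumed integration name
          oidc-audience: jfrog-github                   # assumed audience value
      - run: >
          jf rt upload "dist/*.jar" libs-release-local/
          --build-name=demo --build-number=${{ github.run_number }}
      - run: jf rt build-publish demo ${{ github.run_number }}
```

On the JFrog side, the OIDC integration points at GitHub's issuer (https://token.actions.githubusercontent.com) and an identity mapping's claims JSON decides which tokens are accepted; the check worth making is that the mapping pins at least the `repository` claim (and, for release repositories, `ref` or `environment`) rather than accepting any token the issuer signs, since the short token lifetime only helps if the exchange is also scoped to the workflow that should be publishing.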
Finally, Consolidated Security Status Dashboards will provide developers with unified dashboards, letting them see security scan results from the respective GitHub and JFrog tools, along with permissions and identity management, to help them identify problems faster.
GitHub Copilot
Alongside the main announcement, JFrog has also unveiled its participation in GitHub’s existing Copilot Extensions programme, which is designed to unlock developer productivity via a chat feature that helps answer common questions relevant to their JFrog and GitHub environments, eliminating the need to sift through reams of documents or spend time searching forums.
Read more about open source security
- In this instalment of IT Ops Query, Emily Fox talks about how reevaluating 50-year-old open source security practices could lead the community somewhere new.
- In April 2024, the discovery of a backdoor in the open source XZ Utils data compression library caused concern. A more thoughtful approach is needed to balance the individual freedom and creativity of open source with more rigorous security practice.
- Security trends report from open source firm Suse shows the approaches IT leaders take to secure their software supply chain.