JFrog deepens its partnership with GitHub, launches runtime security service

Earlier this year, software supply chain platform (and binary specialist) JFrog announced a partnership with GitHub that, among other things, allowed developers and the teams that support them to trace code from source to binary package across the two platforms. On Tuesday, at JFrog's SwampUp conference in Austin, the two companies are extending this early work on their integrations with a focus on security.

In addition, JFrog is launching a runtime security solution, as well as an integration with Nvidia's NIM microservices, which expands its ambition as an MLOps platform after it acquired Qwak earlier this year.

Deeper GitHub integration

JFrog CEO and co-founder Shlomi Ben Haim told me that the GitHub partnership was always meant to go deeper than the original integration the two companies announced in May. JFrog's and GitHub's customers, he said, wanted the two companies to break down the walls between their products so they could choose the best-of-breed platforms for managing their source code and their binaries. What customers are telling him, Ben Haim said, is that they want a single pane of glass.

"What we hear from our users is: 'Listen, this is very important. Source code security — very important. Software supply chain security — very important," he said. "But we cannot just keep running between tools and scanners. We want to have one pane of glass to see all findings to be able to remediate faster, to be able to react faster, to be able to have full traceability for all sources. And JFrog comes with the binaries findings, while GitHub comes with the source code findings, so that everything will be on the developer platform, displayed on the GitHub security tab."

Essentially, this means that JFrog Advanced Security and JFrog Curation, its service for tracking which open source packages are being used by developers, are now integrated directly with GitHub's Advanced Security service.

"Developers often don't realize there's an issue until something breaks; it's only then that they can start piecing together the puzzle to find out what went wrong. Our partnership with GitHub empowers teams to seamlessly navigate between code development and binary storage, enabling a more intuitive workflow," said JFrog CTO and co-founder Yoav Landman. "This integration is expected to enhance the developer experience and traceability, ensuring they can easily connect their source code with the corresponding binaries while maintaining a consolidated view of security so they can focus on delivering high-quality software without the worry of unseen vulnerabilities."

JFrog is now also participating in GitHub's Copilot Extensions program, allowing developers to use Copilot Chat to ask coding questions about JFrog's platform right in their IDE.

Nvidia NIM integration

Because JFrog focuses on binaries, it's no surprise that the company also wants to manage machine learning models. There, too, enterprises are quickly realizing that they need a DevSecOps solution to manage their software/model supply chain workflow. With NIM, Nvidia aims to create a de facto standard for managing and deploying inference microservices.

“As enterprises scale their generative AI deployments, a central repository can help them rapidly select and deploy models that are approved for development,” said Nvidia's Pat Lee, who is the vice president of Enterprise Strategic Partnerships. “The integration of Nvidia NIM microservices into the JFrog platform can help developers quickly get fully compliant, performance-optimized models quickly running in production.”

JFrog's security tools will now scan and monitor the security of these models, and Artifactory, JFrog's service for storing and managing binaries, can become a company's local model registry.

Ben Haim called the company's overall strategy here "too integrated to fail." "I give you what you already chose, just with a better experience. You already chose these tools. I just want you to have a better experience," he said.

JFrog Runtime Security

JFrog is also launching a runtime security solution that now watches over the binary while in production. Since JFrog knows exactly what is running in production — and can trace how that binary came to be from source code to deployment — the service can now tell its users when a binary is vulnerable.

"JFrog Runtime Security will provide full visibility and traceability for our customers, whether they shift right or left when it comes to binary scanning," Ben Haim said.

He also noted that while JFrog obviously already secured the binaries that go into production, this is the first time the company is deploying sensors in the runtime environment.

"A platform that unifies security across the software supply chain from development to production can provide critical visibility and traceability that developers and DevSecOps teams need to manage and remediate risks effectively," said Katie Norton, research manager, DevSecOps and Software Supply Chain Security at IDC. "JFrog's addition of runtime security supports a shift-left and shift-right strategy, fostering comprehensive protection and streamlined processes that lessen the strain on development and security teams."