Every year, JFrog brings the DevOps community and some of the world’s leading corporations together for the annual swampUP conference, aimed at providing real solutions to developers and development teams in practical ways to prepare us all for what’s coming next.
Since the inception of swampUP – and truthfully since the creation of Artifactory – JFrog has been privileged to bring solutions into the market that solve real pains for developers and enterprises with our Liquid Software vision in mind.
This year, I’m excited to say we may have the most consequential announcements in recent memory that are all based on what the community has reflected back to us alongside innovative ideas coming from the JFrog team.
As we “get ready for next” together in DevOps and DevSecOps, I am especially excited about the following advancements we announced on the swampUP stage, all of which are available now via the JFrog Platform:
Release Lifecycle Management Capabilities
JFrog is adopting a release-first approach within the JFrog Platform. This means that from the earliest pipeline stage, release bundles are treated as a single entity as they are promoted between environments through your pipeline. Signed evidence is added at every stage (for example, security scanning data or testing data) and stored alongside the binary, validating the integrity and the provenance of the release from the beginning.
From a developer’s perspective, this provides a more uniform release, with trusted processes that apply the just-right amount of governance. For the business, this provides clear visibility into every release, easing compliance, auditing, and traceability across your workflow. Being able to identify and connect releases across the SDLC (e.g. coding and package curation) all the way to the runtime is an invaluable advancement. More details on released Release Lifecycle Management (RLM) capabilities can be found here.
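To make the mechanism in the paragraph above concrete, here is an added illustration (not JFrog's code, and not the platform's evidence format) of per-stage evidence that is bound to a release artifact's digest and chained so that a verifier can detect altered evidence, evidence attached to a different artifact, a removed or reordered stage, and a missing required stage. The stage names, field names, sample artifact bytes and key are all constructed for the demo, and an HMAC-SHA256 tag stands in for the asymmetric signature a real release system would use; the chain structure and the checks are what this shows.

```python
"""Added example: digest-bound, chained stage evidence for a release bundle.

Not JFrog's implementation. HMAC is a stand-in for a real signature so the
example runs with the standard library only; the checks are what matter.
"""
import copy
import hashlib
import hmac
import json

ARTIFACT = b"demo release bundle v1.2.3 contents"  # constructed sample artifact bytes
SIGNING_KEY = b"demo-key-not-for-production"        # constructed demo key
REQUIRED_STAGES = ["build", "security-scan", "test"]  # constructed stage names
GENESIS = "0" * 64  # "prev" value for the first record in a chain


def artifact_digest(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    # Deterministic serialisation so signer and verifier authenticate identical bytes.
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def record_hash(record: dict) -> str:
    return hashlib.sha256(canonical(record)).hexdigest()


def add_evidence(chain, stage, evidence, artifact, key):
    """Append one stage's evidence, bound to the artifact digest and to the previous record."""
    body = {
        "stage": stage,
        "artifact_sha256": artifact_digest(artifact),
        "evidence": evidence,
        "prev": record_hash(chain[-1]) if chain else GENESIS,
    }
    tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
    return chain + [{"body": body, "tag": tag}]


def verify_chain(chain, artifact, key, required_stages):
    """Return (True, 'ok') if every record is authentic, bound to this artifact,
    correctly chained, and all required stages are present; else (False, reason)."""
    expected_digest = artifact_digest(artifact)
    prev = GENESIS
    seen = []
    for i, record in enumerate(chain):
        body, tag = record.get("body"), record.get("tag", "")
        if not isinstance(body, dict):
            return False, f"record {i}: malformed"
        expected_tag = hmac.new(key, canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(tag, expected_tag):
            return False, f"record {i}: bad tag (evidence altered or untrusted signer)"
        if body.get("artifact_sha256") != expected_digest:
            return False, f"record {i}: evidence is for a different artifact"
        if body.get("prev") != prev:
            return False, f"record {i}: chain broken (record inserted, removed or reordered)"
        prev = record_hash(record)
        seen.append(body.get("stage"))
    missing = [s for s in required_stages if s not in seen]
    if missing:
        return False, f"missing required stages: {missing}"
    return True, "ok"


def build_demo_chain():
    """Constructed promotion path: build -> security-scan -> test, each adding evidence."""
    chain = []
    chain = add_evidence(chain, "build", {"builder": "ci-runner-7", "commit": "constructed-sha"},
                         ARTIFACT, SIGNING_KEY)
    chain = add_evidence(chain, "security-scan", {"scanner": "demo-scanner", "critical": 0, "high": 2},
                         ARTIFACT, SIGNING_KEY)
    chain = add_evidence(chain, "test", {"passed": 42, "failed": 0}, ARTIFACT, SIGNING_KEY)
    return chain


def tampered_evidence(chain):
    """Constructed scenario: a stored scan result is edited after the fact without re-signing."""
    bad = copy.deepcopy(chain)
    bad[1]["body"]["evidence"]["high"] = 0
    return bad


if __name__ == "__main__":
    chain = build_demo_chain()
    print("intact:          ", verify_chain(chain, ARTIFACT, SIGNING_KEY, REQUIRED_STAGES))
    print("other artifact:  ", verify_chain(chain, ARTIFACT + b"!", SIGNING_KEY, REQUIRED_STAGES))
    print("edited evidence: ", verify_chain(tampered_evidence(chain), ARTIFACT, SIGNING_KEY, REQUIRED_STAGES))
    print("stage removed:   ", verify_chain(chain[:1] + chain[2:], ARTIFACT, SIGNING_KEY, REQUIRED_STAGES))
    print("stage missing:   ", verify_chain(chain[:2], ARTIFACT, SIGNING_KEY, REQUIRED_STAGES))
```

The verifier checks the tag before anything else, so an edited evidence field is reported as an authentication failure rather than as a content mismatch; binding each record to the artifact digest is what stops evidence from a clean scan of one bundle being reused to promote a different one.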
Announcing JFrog Trusted ML Model Management
The rapid rise of generative AI and ML capabilities has taken the headlines around our industry by storm. In fact, some analyst firms predict 80-90% of ALL applications will have these components in just a couple of years. That can mean creating the next generation of nearly all applications in production today. This is a staggering task to imagine when the tools and infrastructure are not in place for Data Scientists and ML Engineers to roll out applications at scale.
Increasingly, JFrog users are being tasked with helping ML teams build, manage, and deploy models and applications. We’re excited to be the first platform to manage ML models in the same way that our customers manage any other binary, alongside the metadata, supporting training packages and runtime dependencies you expect from JFrog. We’re starting by proxying the popular Hugging Face public model repository as a first-class repo type in Artifactory and allowing users to host their own models in Artifactory. Moreover, we allow users to layer on the detection of malicious models with JFrog Xray and prevent their use in their organization, as well as block models that have a license that conflicts with your compliance policy.
By bringing mature DevOps and DevSecOps practices to model management, we look forward to setting the standard in making your software supply chain your trusted, secure ML supply chain as well. Read more on JFrog MLOps functionality.
JFrog Curation and Catalog
JFrog Curation was released as general availability several weeks ago, and is already getting market traction due to its pain-solving ability to prevent software package “bad apples” from ever entering your software supply chain. This ensures teams can “fix it before it’s broken” by preventing unwanted packages at the perimeter of the organization.
JFrog Catalog brings an all-new method for development and DevSec teams to make solid choices on their packages. JFrog has rich, structured data on thousands of software packages and is making this data available to JFrog customers. As a “search engine” for packages, JFrog Catalog provides quick, rich data on nearly every OSS package imaginable, with more added constantly. Serving as the knowledge base that drives Curation policies, Catalog goes hand-in-hand with your teams to make the most accurate and secure choices based on your business policies. Learn more about JFrog Curation and Catalog.
Benefits with JFrog Curation
JFrog SAST – Available Now
Static Application Security Testing has been around in the market for a very long time, but until now has had some glaring issues. For example, many tools out there today produce an excessive number of false positives, leading many developers on the canonical “wild goose chase” of code vulnerabilities. Further, the time to scan can be excessive, slowing down development processes, or results can require uploading code to an external service. Another common limitation is the inability to analyze code flow beyond a single source file. Further still, SAST tools until today have not been adequately tied to pipeline processes that cover a company from end to end.
We’re excited to release JFrog SAST tooling for our Advanced Security customers, which will now allow them not only to have comprehensive security on their binaries, but also to protect the bespoke code developers are composing, including code generated by Gen AI. As a key requirement for this product, we invested heavily to make sure the SAST solution is lightweight and doesn’t slow developers down. Because it works across multiple files in your project and runs locally, there are no code uploads or long scanning cycles that add friction.
With Curation stopping malicious or undesired packages from entering an organization, SAST protecting first-party code, and SCA tools and Advanced Security scanning and protecting what is in the pipeline, customers are well-positioned to go beyond application security and truly protect every activity in the entire software supply chain with a complete shift-left portfolio. SAST from JFrog is available now.
Our one platform, three cores, one asset approach will continue to drive our roadmap and focus, and I’m excited about the new features being brought by our R&D and Product teams to allow users to have full end-to-end trust in their software releases.