Elevating DevSecOps: JFrog and GitHub’s Unified Platform Experience Deepens

The partnership between JFrog and GitHub continues to advance how enterprises release trusted software with speed. At GitHub Universe, we are releasing two updates that deepen the connection between our two best-of-breed platforms. JFrog’s platform now integrates seamlessly with GitHub Advanced Security, enabling GitHub Copilot Autofix to remediate vulnerabilities detected by JFrog SAST automatically. In addition, JFrog Runtime Security findings have now been added to the JFrog Job Summary page in GitHub Actions.

GitHub Copilot Autofix + JFrog: Seamless Security for Developers

Developers are expected to write new and more complex code to create leading-edge features in new software releases at a relentless pace. To do this they are looking for help from AI assistants like GitHub Copilot to write better code, faster. They want to write, debug, and secure their code simultaneously, driving the need for leading-edge products like Copilot Autofix.

JFrog’s Advanced Security offers comprehensive static application security testing (SAST) coverage, identifying a wide range of vulnerabilities across multiple languages such as Python, Java, JavaScript, and Go. Extensive and detailed data analysis, combined with targeted remediation advice, helps developers swiftly address and rectify security flaws, significantly enhancing the overall security of their applications from the start.

How does this affect development teams? According to a recent IDC report, 69% of developers agree that their security-related responsibilities require them to switch contexts frequently. This context-switching can significantly impact productivity and potentially lead to security oversights.

Now, JFrog’s SAST capabilities integrate with GitHub Copilot Autofix to bring security fixes directly into the developer’s workflow. This allows developers to address issues across multiple languages in a few clicks. JFrog identifies problematic code in pull requests, flagging security vulnerabilities to Copilot Autofix, which then uses this information to generate specific fix suggestions, showing developers exactly what code changes are needed.


Copilot Autofix also provides developers with the ability to automatically generate new pull requests with suggested fixes for security issues found in the existing codebase. Developers can quickly review these changes and merge them with minimal effort. Each suggestion includes an explanation of the issue and the reasoning behind the fix, improving developer security awareness and keeping them in control of the process.

To prepare your repository to use Copilot Autofix with JFrog’s SAST findings, follow the instructions below:

  1. Navigate to the repo’s Security tab, select ‘Explore workflows’ under code scanning settings, or click ‘Add tool’ if a tool is already configured.
  2. In the Actions workflow selection screen that appears, switch the query from ‘code scanning’ to ‘JFrog SAST’, select the ‘JFrog SAST’ workflow, and hit ‘Configure’.
  3. Follow the workflow instructions, including adding the required JFrog tokens to your repository’s secrets, and commit the workflow to your repository. Scans will run based on your workflow’s configured triggers. You can verify JFrog SAST’s setup on the code scanning status page in the repo’s Security tab.
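For orientation, here is an illustrative workflow of the kind the steps above commit to the repository. It is an added example, not the ‘JFrog SAST’ template from the workflow gallery or JFrog’s own code: the action names (`jfrog/setup-jfrog-cli`, `github/codeql-action/upload-sarif`), the `JF_URL`/`JF_ACCESS_TOKEN` environment variables and the `jf audit --sast --format=sarif` invocation are assumptions, and the secret names are placeholders you choose when adding the tokens in step 3.

```yaml
# Added illustrative workflow (not the 'JFrog SAST' gallery template):
# action names, env vars and CLI flags are assumptions; check the template
# you configured in step 2 for the exact values.
name: JFrog SAST (illustrative)

on:
  pull_request:            # scan PRs so findings reach Copilot Autofix early
  push:
    branches: [main]

permissions:
  contents: read           # least privilege: checkout only
  security-events: write   # needed to upload SARIF into code scanning

jobs:
  sast:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Assumed: the setup action reads the platform URL and an access token
      # from env. Both come from repository secrets (step 3), never inline.
      - uses: jfrog/setup-jfrog-cli@v4
        env:
          JF_URL: ${{ secrets.JF_URL }}
          JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}

      # Assumed: 'jf audit --sast' runs the JFrog SAST scanner and
      # '--format=sarif' writes SARIF, the format code scanning ingests.
      - name: Run JFrog SAST
        run: jf audit --sast --format=sarif > jfrog-sast.sarif

      # Upload results; alerts then show in the Security tab and on the
      # code scanning status page mentioned in step 3.
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: jfrog-sast.sarif
```

Keeping `permissions` to `contents: read` plus `security-events: write` means a compromised step in this job cannot push code or read other secrets beyond the two it is given.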

Note: With the current setup, vulnerability detections will be active immediately. Once Copilot Autofix for JFrog is enabled in preview for all customers, you will automatically receive fix suggestions for newly identified vulnerabilities and can generate fixes on-demand for existing alerts.

By integrating the JFrog Platform’s advanced SAST capabilities directly into the GitHub workflow, we’re making it easier than ever for developers to write secure code from the start. You no longer need to context-switch between your development environment and security tools—everything you need to code securely is in your GitHub interface.

Runtime Security: Real-Time Production Insights

Keeping applications secure at runtime is complex. Organizations struggle to maintain real-time visibility into runtime vulnerabilities, to manage and prioritize the resulting risks, and to ensure deployment integrity. The goal is to identify and remediate vulnerabilities quickly while minimizing business impact and accurately tracking every runtime component.

Runtime security is crucial for protecting applications in production environments, where the most challenging and potentially damaging threats often emerge. JFrog Runtime Security is a real-time Kubernetes monitoring solution that protects applications during execution and addresses core security challenges.


Key benefits of JFrog Runtime Security include:

  • Runtime visibility: Centralized view of the runtime environment with rich, contextual data for accurate security vulnerability and risk detection.
  • Advanced triage and prioritization: Focus on critical issues in runtime through contextual analysis, filtering out irrelevant alerts, and prioritizing events based on potential business impact.
  • Verified application integrity in production: Seamless integration between the software supply chain and production environment, automatically alerting on unauthorized modifications and drifts to running images.

JFrog Runtime’s integration brings real-time production monitoring data directly into your GitHub workflow. After a build is completed in GitHub Actions, a link to the JFrog Runtime Live assessment dashboard is automatically added to the JFrog Job Summary page. This creates a new “Runtime Monitoring” section, filtered for the specific component built into that action. With a single click, developers and security teams can move from their GitHub workflow to a detailed view confirming the integrity and lineage of their build and deployment.


Delivering a Unified and Secure Software Supply Chain

These new JFrog and GitHub integration capabilities represent a step forward in unifying DevSecOps practices across source code and binaries. By combining JFrog’s industry-leading security insights with GitHub’s powerful development platform, we’re together enabling teams to:

  • Detect and fix security issues earlier in the development process
  • Reduce the attack surface of applications before they reach production
  • Prioritize critical risks efficiently through advanced contextual analysis
  • Verify application integrity in production
  • Maintain a continuous security posture from code commit to production deployment

The result is a more secure, efficient, and transparent software development life cycle that meets the needs of modern, fast-paced development teams.

Ready to experience these powerful new features for yourself? Register for this webinar to learn how JFrog and GitHub are reshaping the future of secure software development.