JFrog & GitHub Integration: Q&A on Implementation and Impact

The software development industry reacted with excitement to the news about the partnership between JFrog and GitHub and its potential impact on software development operations as covered in our online JFrog – GitHub Integration Tour. As VP of DevSecOps Research at IDC, Jim Mercer, commented “This announcement from GitHub and JFrog… brings together two of the most well-known platforms developers already use today in a cohesive, end-to-end vision that plays to the strengths of both solutions, simplifying how development, DevOps, and platform engineering teams work.”

Fueled by joint customer and community demand, the JFrog and GitHub partnership provides a unified roadmap for improving the speed, quality and security of DevOps, DevSecOps, MLOps, and AI practices

With over half of customers using both solutions, it’s no wonder that so many industry professionals attended our recent “JFrog & GitHub: Leaping Forward Together“ webinar. Many of them were interested in how the integration affects their operations while others wanted to know the long term vision both companies had for DevOps going forwards.

Here are some highlights from the questions asked by webinar attendees:

Q: Does the Frogbot GitHub Advanced Security (GHAS) integration work with on-prem versions of GitHub & Artifactory?
A: Yes, you can take advantage of the integration whether you are using JFrog and GitHub’s SaaS/managed offerings or the self-hosted offerings.  

Q: Does the JFrog and GitHub integration require Github and JFrog Advanced Security?
A: The GitHub Advanced Security addon is not required to benefit from many aspects of the GitHub and JFrog integration. If GitHub Advanced Security is enabled then you can consolidate security results from JFrog into GitHub Advanced Security for a single pane of glass view of Security across code and binary. You can use the same functional aspects with a Self Hosted GitHub Enterprise. 

Q: In terms of GitHub, is there any benefit from using Frogbot over the JFrog Xray CLI?
A: They both perform the same functionality but the way in which is used is different and still leverage the CLI. Frogbot is for repo scanning, scanning on pull requests, and other native GitHub functions. The JFrog CLI for Actions allows you to leverage Xray and the JFrog Advanced Security features as part of your build process and SDLC

Q: Will GitHub UI be enhanced to show Artifactory packages?
A: Yes, we have currently added the “JFrog Summary” for each build which links to the binaries produced and published to Artifactory. This includes linking and location of the final build binaries, a link to the build that was produced, and also vulnerability information. 

Q: Are there specific JFrog products which must be deployed to take advantage of the integration – do you have to use JFrog’s CI/CD solution to really benefit?
A: To maximize the benefit of the GitHub and JFrog integration it is recommended to leverage JFrog throughout your CI/CD process, curating and managing binary dependencies as well as serving up and managing the lifecycle of build outputs. You can use any of our tiers with Xray for the GitHub Actions integration. To take advantage of the advanced features, you will need EnterpriseX and above. 

Q: Would we be able to export or search across that SBOM data?
A: SBOMs are produced and stored in the JFrog Platform. These can be exported in either the CycloneDX or SPDX formats, these formats can come in either JSON, XSL, or PDF 

Q: How does the SSO portion of this partnership work for GitHub EMU customers?
A: The interaction should be the same for enterprise managed customers, whether you are using a Self Hosted or Hosted GitHub solution.

Q: Does the integrated code scanning solution leverage GitHub Advanced Security’s (GHAS) SARIF ingestion – does this integration require GHAS?
A: The GitHub Advanced Security add-on is not required to benefit from many aspects of the GitHub and JFrog integration. If GHAS is enabled then you can consolidate security results from JFrog into GitHub Advanced Security for a single pane of glass view of Security across code and binary. 

Q: Will the joint offering replace GitHub packages, and if so, what are the advantages?
A: You can still use GitHub packages, but the preferred method from here on in, is to use Artifactory for your packages. That would include all the dependencies and builds that are used in production. Keep in mind, the Jfrog Platform is the industry standard for package management and an integral part of securing your software supply chain.

Q: Does the infinity symbol and “Better Together” slogan suggest using the GitHub and JFrog solution is better than JFrog and GitLab or GitHub and Sonatype?
A: The infinity symbol represents the DevSecOps lifecycle. JFrog remains committed to being universal in nature with our products and will still provide the same level of service for all tools and technologies that an organization chooses.  What makes this partnership so important, is that it brings together GitHub and JFrog, the two top tier solutions in the SDLC space, in a tight integration which has tangible benefits over other solutions. Behind the advantages of this integration, JFrog Artifactory has many benefits when compared to products like Sonatype.

Q: Can we use an OIDC connection setup and afterwards get a temporary username/password to use with standard tools such as Maven, npm and Docker?
A: The OIDC will return a token with a short lifespan to use in GitHub Actions. This token can also be leveraged when using JFrog CLI as seen in this example.

Q: Do you still need a GitHub advanced security license to use JFrog SAST and SCA? Will the JFrog scan results be available in the GitHub code scanning section?
A: Yes, the results of JFrog scans are available on the security tab in the GitHub code scanning sections. Regarding GitHub Advanced Security, we recommend setting up a meeting with JFrog as there are many aspects of security to consider and you really need to evaluate how to get maximum benefit from the integration of both security solutions.

We hope this Q&A review has been helpful. If you have your own questions about the impact of the exciting JFrog and GitHub partnership on your development operations, then take the JFrog – GitHub Integration Tour and see how these two leading solutions work together.

If you would like to hear  more about how GitHub & JFrog are transforming the industry directly from the executives and developers who are  making it happen, then you must attend swampUP, JFrog’s premier annual DevOps conference, Sep 9-11 in Austin, TX and make sure not miss the “Elevating Innovation: GitHub & JFrog Paving the Way Forward” keynote address.