JFrog & GitHub: Unifying the Software Supply Chain, One Step at a Time… and Our 2025 GitHub Technology Partner Award

Organizations increasingly demand platforms that not only accelerate software delivery but also provide trust, security, and traceability. At JFrog, the software supply chain is managed and secured by default, from commit to runtime. That’s why our deep integration with GitHub is central to how we help teams manage, monitor, and secure every step of software delivery. In this post, we’ll explore:

  1. The One Platform Experience of JFrog & GitHub
  2. Seamless integration, end-to-end
  3. How we jointly support software supply chain security (and “EveryOps”)
  4. JFrog’s honor as GitHub’s Technology Partner of the Year for 2025

Two Best-of-Breed Platforms

Many organizations already utilize GitHub for source code management, pull requests, code reviews, CI/CD triggers, and collaboration workflows. Meanwhile, JFrog’s Software Supply Chain Platform (Artifactory, Xray, Curation, Advanced Security, Runtime, AppTrust, and more) handles artifact management, deep binary scanning, promotion, release management, distribution, and runtime visibility. These are complementary domains, but too often they’ve remained in silos.

These platforms are like apple pie and ice cream; on their own, they’re great, but the magic happens when you bring them together! The integration was co-engineered by JFrog and GitHub, and by uniting these domains, we deliver:

  • Unified visibility and traceability: You can trace a binary in Artifactory back to the precise GitHub commit, CI workflow, and associated SBOM or attestation.
  • Consolidated security view: Vulnerabilities from GitHub Advanced Security (source scanning) and JFrog Advanced Security (binary scanning) show up in a unified dashboard.
  • Seamless developer experience: Developers don’t need to context-switch between systems; they can take action from within their existing workflows.
  • Policy-driven guardrails: Promotion of artifacts, gating rules, and enforcement of attestations.
  • AI code generation: Through the integration, Copilot and its agents can access package metadata and JFrog security research intelligence, enabling code generation in line with the organization’s package security policies.
  • Agentic remediation: This isn’t just AI assistance; it’s agentic, autonomous code and dependency remediation that transforms DevSecOps into a self-healing software supply chain.

Indeed, the partnership is intended to realize a “secure by default, frictionless developer experience” — giving security teams full traceability and enabling developers to stay productive.

How the Integration Works — From Code to Release

Here’s a simplified flow of how JFrog and GitHub interoperate today (and continue to evolve):

Under the hood, the integration relies on modern patterns like OpenID Connect (OIDC) to get short-lived tokens for build access, ensuring secure authentication without long-lived credentials. In short, this integration dramatically reduces friction and exposure for organizations wanting one source of truth across code and binaries.

Securing the Software Supply Chain & Enabling “EveryOps”

At JFrog, we envision the convergence of DevOps, DevSecOps, MLOps, and runtime operations into a unified stack of integrity, automation, and governance. The GitHub integration is a major pillar in making that vision real. Here’s how the integration strengthens supply chain security in practice:

1. Eliminating blind spots

Many organizations focus solely on source security, or solely on binary scanning — but not both. That leaves gaps. With GitHub + JFrog, you get integrated Source + Binary security, converging alerts and context.

2. Provenance & traceability

The ability to trace exactly which commit, build, and binary corresponds to what was deployed is crucial. This gives you a tamper-evident, auditable chain of custody. The use of signed attestations and SBOMs further strengthens that chain.

3. Policy-driven gating and enforcement

You can automate policy checks not only at release time, but earlier in the pipeline. For example, rejecting builds if they depend on high-risk packages, or only allowing artifacts signed by approved keys. This reduces human error, drift, and risk.
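The following is an added example (not JFrog or GitHub code) of the kind of gate described in points 2 and 3: it checks that a provenance attestation is bound to the exact binary and names its source commit, that the signing key is on an approved list, and that the SBOM and binary-scan findings do not violate policy. All key ids, package URLs, commit values and severity thresholds are constructed placeholders; signature verification itself is assumed to have happened upstream, so only the policy binding is modelled here.

```python
"""Release gate over a constructed provenance attestation and SBOM (added example)."""
import hashlib

# Constructed policy values; assumptions, not real JFrog or GitHub configuration.
APPROVED_SIGNING_KEYS = {"release-key-2025"}
DENIED_PACKAGES = {"pkg:npm/example-risky-lib@1.2.3"}   # hypothetical high-risk package
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}
MAX_ALLOWED_SEVERITY = "medium"


def gate_release(artifact, attestation, sbom, findings):
    """Return the list of policy violations; an empty list means the artifact may be promoted.

    attestation: dict with the id of the key that signed it (signature assumed verified
    upstream), the subject digest, and the source commit / workflow it came from.
    sbom: list of package URLs the artifact depends on.
    findings: list of {"purl", "severity"} records from a binary scan.
    """
    violations = []
    digest = hashlib.sha256(artifact).hexdigest()

    # Provenance: the attestation must describe this exact binary and name its origin.
    if attestation.get("subject_sha256") != digest:
        violations.append("attestation subject digest does not match artifact")
    for claim in ("source_commit", "workflow_ref"):
        if not attestation.get(claim):
            violations.append(f"attestation is missing {claim}")

    # Only artifacts signed by an approved key may be promoted.
    if attestation.get("key_id") not in APPROVED_SIGNING_KEYS:
        violations.append(f"signed by unapproved key {attestation.get('key_id')!r}")

    # Reject builds that depend on packages on the high-risk list.
    for purl in sbom:
        if purl in DENIED_PACKAGES:
            violations.append(f"depends on high-risk package {purl}")

    # Reject when binary-scan findings exceed the allowed severity.
    limit = SEVERITY_RANK[MAX_ALLOWED_SEVERITY]
    for finding in findings:
        if SEVERITY_RANK[finding["severity"]] > limit:
            violations.append(f"{finding['severity']} finding in {finding['purl']}")
    return violations


ARTIFACT = b"constructed release bundle"   # stands in for the real binary
GOOD_ATTESTATION = {
    "subject_sha256": hashlib.sha256(ARTIFACT).hexdigest(),
    "key_id": "release-key-2025",
    "source_commit": "0123abcd",            # constructed, not a real commit
    "workflow_ref": ".github/workflows/release.yml",
}
CLEAN_SBOM = ["pkg:npm/example-ok-lib@2.0.0"]
```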

4. Runtime alignment

Even after deployment, runtime vulnerabilities are a reality. Getting runtime awareness and correlating back to known SBOMs or artifacts is key to detecting and remediating drift or exploitation.

5. AI & self-healing aspirations

We’re enhancing AI-based agentic remediation and code intelligence (via our Copilot integration) to shift organizations from reactive to proactive security. For example, JFrog can suggest or even apply fixes in context, taking policy and historical metadata into account. It will also make code more resilient based on JFrog security research intelligence.

All these capabilities make the pipeline more robust, auditable, and resilient, which is exactly what modern enterprises need when threats move fast.

A Milestone: GitHub Technology Partner of the Year 2025

We are proud to announce that JFrog has been honored as GitHub’s Technology Partner of the Year 2025. This recognition underscores the strength of our joint vision: enabling developers to move fast and safely.

“On behalf of all of GitHub, it’s my pleasure to congratulate JFrog on this well-deserved recognition. JFrog’s technical chops and strategic alignment with our product vision have been essential to delivering scalable, high-impact solutions for our customers. The Technology Partner of the Year 2025 is a testament to what happens when we collaborate and push the boundaries of innovation together. Here’s to our continued partnership as we empower organizations to unlock the full power of GitHub’s platform – accelerating real-world results through developer-first technologies,” said Mario Rodriguez, Chief Product Officer, GitHub.

This is not an endpoint but a milestone, a catalyst for even deeper connectivity, tighter security, and higher developer leverage going forward.

Looking Ahead

Integrating JFrog and GitHub is no longer a “nice to have” in today’s threat environment; it’s essential. By uniting code and binary domains under a common, secure pipeline, teams can deliver faster, with more confidence, transparency, and operational safety.

If you’re interested in exploring this integration further:

  • Take a tour of the JFrog Platform to explore the GitHub integration
  • Trial JFrog and set up a GitHub integration, walk through the integration flow, and experiment with the unification of source code and binary platforms
  • Schedule a demo with JFrog, and we can give you a deeper dive on some of the more advanced features of the integration

We’re excited for where the partnership is headed: deeper AI-enabled automation, tighter integration points, and stronger resilience across your entire software supply chain.

Let’s continue pushing the envelope on what secure, agile software delivery can be. Whether you’re a startup or a Fortune 100 enterprise, JFrog and GitHub are here to help you build fast, release often, and stay secure.