JFrog and GitHub: Next-Level DevSecOps
Most DevSecOps pipelines have a gap: source code security and binary security are handled in separate silos. This creates blind spots, slows teams down, and increases risk.
At swampUP 2025, we’re unveiling the next evolution of the JFrog and GitHub integration, a deeply integrated DevSecOps experience that unifies best-of-breed code and binary platforms. With JFrog and GitHub working together, source and binary scanning live in the same workflow and dashboard, giving you a true end-to-end security view — without extra tools or context switching.
From the first line of code to runtime, this integration delivers unified security, visibility, AI intelligence, agentic remediation, and compliance across the entire software supply chain.
What’s New in the JFrog and GitHub Integration?
Our latest updates are designed to remove friction, increase automation, scale effortlessly, and keep developers moving fast, while ensuring that security and compliance teams have everything they need. For this new release, we’ve focused on three major themes: automation, unification, and intelligence.
Key Release Highlights:
- Simplified Setup: One-time, automated, organization-level installation instantly connects GitHub and JFrog resources with secure authentication.
- Bulk Frogbot Deployment: Install Frogbot across multiple repositories in one step, enabling automated scanning for vulnerabilities, secrets, and license compliance.
- Unified Security Results: Push JFrog Advanced Security binary scan results directly into GitHub’s Code Security dashboard for a single view of source and binary security vulnerabilities.
- Holistic SBOMs: Merge GitHub’s source SBOM with JFrog’s binary SBOM inside GitHub Dependency Graph for an accurate, end-to-end software bill of materials.
- Agentic Coding: GitHub Copilot can now tap into JFrog’s package and security knowledge through JFrog’s MCP server, enabling agentic remediation of code vulnerabilities.
- Streamlined Dependabot Alerts: Bring production dependency intelligence to Dependabot to surface only alerts relevant to your production environment.
Here’s a deeper dive into the highlights:
Seamless Automated Setup Across Repositories With the JFrog App for GitHub
The new JFrog App for GitHub, one of the innovations in this release, connects your GitHub repositories to the JFrog Platform with organization-wide, automated setup and eliminates the need for manual, repository-by-repository configuration. It automates broad JFrog Frogbot onboarding and adoption across your GitHub repositories.
Using OpenID Connect (OIDC) for secure authentication and authorization, the JFrog App for GitHub automates integration for all repositories in your organization, with no repetitive manual steps.
Automated Source Code and Binary Scanning at Scale
Install JFrog Frogbot across multiple repositories in one step, enabling automated scanning for vulnerabilities, secrets, and license compliance. With Frogbot deployed everywhere in minutes, you can automatically:
- Scan first-party and open-source software (OSS)
- Detect secrets and license compliance issues
- Auto-remediate CVE issues (Frogbot opens fixing pull requests and adds comments to them)
Unified Security Visibility
Push JFrog Advanced Security binary scan results directly into GitHub’s Code Security tab (once you’ve installed the JFrog App for GitHub) for a unified view of source and binary security vulnerabilities. Access all source and binary scan results in GitHub’s native dashboard for faster triage and remediation without switching tools.
Holistic SBOMs
Once you’ve installed the JFrog App for GitHub, you can merge GitHub’s source code SBOMs with JFrog’s binary SBOMs inside GitHub Dependency Graph for an accurate, end-to-end software bill of materials. Extend your security visibility with a holistic source and binary derived SBOM that accurately represents your software builds and releases.
AI-Powered, Secure Coding
GitHub Copilot now taps into JFrog’s code scanning and OSS package security knowledge via JFrog’s remote MCP server to ensure AI-generated code is compliant, secure, and deployment-ready in real time. By combining JFrog’s trusted platform with Copilot’s AI-driven automation, development teams can shift from reactive security practices to proactive, agentic software supply chain security: curating safer packages, remediating CVEs, and coding with confidence.
Compliance Through Attestations
Integrate GitHub attestations with JFrog’s artifact management for evidence-backed, policy-driven promotions and deployments. Streamline audits and governance by integrating GitHub attestations into a single source of truth for evidence. JFrog Evidence supports attestations and evidence from JFrog and multiple third-party tools.
Benefits for Every Team
The benefits of the enhanced JFrog and GitHub partnership span across multiple teams for maximum value to your organization.
For Developers
- Stay inside GitHub for the entire workflow
- Get real-time, package-level security insights while coding
- Copilot-assisted coding aligned with your security & compliance policies
- Reduce context switching and speed up delivery
For DevOps & Platform Teams
- Scale integration across thousands of repos instantly
- Automate CI/CD and security onboarding with zero manual repo configuration
For Security & Compliance Teams
- Consolidate vulnerability data from source code and binaries
- Reduce alert fatigue with prioritization of production-impacting issues
- Maintain a complete, verifiable SBOM for every release
Feature Highlights
Here’s a snapshot of the feature highlights and the value they provide:
| Feature | Value |
| --- | --- |
| GitHub App (for automated OIDC connection, Frogbot integration, and repository binary scans) | Simple, automated, and scalable integration across GitHub repos/orgs |
| Unified SBOM in GitHub Dependency Graph | Complete transparency into source and binary components |
| Attestation to Evidence Conversion | Simplified audits and policy enforcement |
| Dependabot Noise Reduction | Focus on vulnerabilities that truly matter |
| Agentic Remediation with JFrog Catalog + Curation and JFrog SAST Integration with Copilot (via JFrog’s MCP Servers) | Secure guardrails for code and package choices with AI-assisted remediation |
The JFrog GitHub App is available now on the GitHub Marketplace. Install it and follow these instructions to connect your GitHub and JFrog instances, and enjoy:
- Automating the connection of JFrog & GitHub platforms
- Deploying Frogbot everywhere in minutes
- Unifying source + binary SBOMs
- Viewing all vulnerabilities in GitHub’s Code Security dashboard
- Enabling AI-assisted secure coding with Copilot
This isn’t just another integration — it’s DevSecOps without the manual work. From code to runtime, JFrog and GitHub are making security, compliance, and productivity work better together.