Streamlining Secure, Intelligent Development: The Power of GitHub and JFrog Together
Today’s Hurdles to Efficient Software Development
Picture this: You’ve just settled in at home after a long day, ready to relax, when suddenly your phone buzzes. It’s a notification about a failed build in your latest project. Your heart sinks. Your mind starts racing to connect the dots… What went wrong? Where is it broken? There’s usually no one immediately available to answer these questions, and you know it will require a large manual effort to get to the bottom of the issue.
It requires digging into the error message, looking at the build job summary, checking the configurations, debugging the tests, and delving into the build context. You need to understand where the offending dependency came from, its version, and whether there’s a newer non-vulnerable version. All of this investigation involves mental and physical context switching, which takes a great deal of effort and time.
The Typical Software Build Process
To understand why this is a regrettably common scenario, let’s take a step back and look at the typical software build process. You start in an IDE, write code, commit to GitHub, push it to a repository like JFrog Artifactory, and then run builds through your CI/CD pipelines. Along this journey, there are many points where having greater control and visibility of source code and binaries would drastically speed development. Unfortunately, this is often hindered by obstacles such as:
- Siloed toolchains and processes that cause friction, hinder collaboration, and disrupt workflow continuity
- Manual processes that increase the risk of human error and limit the speed of debugging
- Limited visibility into security vulnerabilities across the SDLC and the remediation steps required to fix them
These hurdles put immense strain on developers looking to streamline their workflows and get software out of the door.
The Future of Software Development is Streamlined
I’m thrilled to share that there’s finally a better way: enter the GitHub and JFrog integration. We’ve brought together the two best-of-breed platforms, joining JFrog’s artifact management and security scanning capabilities with GitHub’s version control and collaborative features to streamline workflows, enhance DevSecOps practices, and boost operational efficiency.
The integration includes intuitive navigation and traceability between source code and binaries, CI/CD with GitHub Actions and JFrog Artifactory, and a unified view of security findings across the software supply chain. Our shared goal is to provide full control and visibility across the entire software supply chain to make developers’ lives easier and more streamlined.
This powerful combination brings several key improvements to the development workflow:
1. New Job Summary Page on GitHub
The integration introduces a new Job Summary page on GitHub, showcasing the results of your build and the outcomes of security scans. This provides an at-a-glance view of your project’s health and security status.
JFrog Job Summary page on GitHub
2. OIDC Integration
The OpenID Connect (OIDC) integration establishes a trusted relationship between GitHub and the JFrog Platform. This automates token management for identity verification and provides developers with seamless access to JFrog resources from GitHub Actions without the need for manual token creation, thereby enhancing security. It also enhances security by auto-generating fine-grained, short-lived tokens upon identity.
It further improves the developer experience by eliminating the need to manually handle and manage tokens. It also provides customers with user traceability by detailing the identification of the users performing actions in the JFrog Platform based on their GitHub personal identity.
3. Unified Security Findings in GitHub
One of the most powerful features of this integration is the ability to view security scan results in the GitHub Advanced Security dashboard under the Code Scanning section. The JFrog CLI takes the scan results from JFrog and publishes them into the GitHub security center within the specific repository. This streamlines the developer workflow by eliminating the need for developers to context switch from tool to tool. This security analysis from JFrog published in GitHub Actions includes:
- Software Composition Analysis (SCA)
- Contextual Analysis (determines CVE applicability)
- Secrets Detection (in both source code and binaries)
- Static Application Security Testing (SAST)
- Infrastructure as Code (IaC) security checks
This security information is at the fingertips of the developer and speeds up the security analysis and remediation process, ultimately expediting the creation of trusted builds.
JFrog scan results in GitHub security center
By consolidating these security findings into GitHub, developers can address potential vulnerabilities earlier in the development cycle, saving time and reducing risk. Further, having JFrog Advanced Security – powered by advanced security research from JFrog’s dedicated Research Team – in the GitHub workflow experience saves developers even more time by showing them whether or not a CVE applies to the application.
4. Copilot Extensions Integration
Our Copilot extension takes GitHub’s AI-powered coding assistant to the next level, particularly for tasks involving binaries, dependencies, and security. This extension understands your organization’s context, allowing you to ask questions like “Am I affected by CVE-123-1231?” or “Can I use package X in version Y?” It also provides insights aligned with your organizational policies, helping developers make informed decisions quickly about package types, curation, licensing and more.
By combining Copilot’s code generation capabilities with JFrog’s deep understanding of your artifact ecosystem, this extension becomes an invaluable AI-powered assistant for your development process.
Streamline Your Development
The GitHub and JFrog integration extends your visibility and control over the entire development process, helping you gain trust and efficiency in every step. By providing enhanced traceability, automated security checks, and AI-powered insights through the Copilot extension, this integration empowers developers to focus on what they do best: create amazing software.
Experience the integration yourself and take the integration Product Tour.