Integrations / GitHub Artifact Attestations

GitHub Artifact Attestations

JFrog and GitHub have deepened their partnership by seamlessly bringing together the context of source code and binaries, helping organizations establish software supply chain governance.
Start Free Book a Demo

GitHub Evidence Integration Features

GitHub

GitHub 2025 Technology Partner of the Year

We’re proud to announce that JFrog has been honored as GitHub’s 2025 Technology Partner of the Year. This recognition underscores the strength of our vision: enabling developers to move fast and securely. This award is a validation that our integration is both strategic & impactful.

An Integrated Connection Between Code and Binaries

GitHub Artifact Attestations and build provenance are seamlessly collected as critical pieces of SDLC evidence into JFrog Evidence Collection, the single source of proof for the entire SDLC.

Build Provenance with the Context of Production Binaries

In JFrog, GitHub build provenance is attached to the relevant binary all the way into production. This establishes a continuous chain of evidence that unlocks the context of production binaries, streamlining issue resolution. 

Permanent Retention of Build Attestations

GitHub Artifact Attestations are stored permanently in JFrog, ensuring its availability as key drivers for policies and compliance.

Support for All GitHub Attestations

JFrog’s Evidence Collection integrates all GitHub attestations, which includes provenance, SBOM, and generic.

 

Documentation
Availability
Learn More
  • Enterprise+
Related Product
  • JFrog Platform
  • JFrog AppTrust
  • JFrog Evidence Collection
Related Integration
GitHub Integration
Docker Registry
ServiceNow
Sonar

Frequently Asked Questions

What is the main purpose of the GitHub and JFrog evidence integration?

This integration is designed to seamlessly collect and store GitHub Artifact Attestations and build provenance as critical evidence within JFrog’s Evidence Collection. This creates a single source of truth for the entire software development lifecycle (SDLC), connecting code-level proof with the actual production binaries.

How does JFrog use build provenance from GitHub?

JFrog attaches the GitHub build provenance directly to the corresponding binary throughout its entire lifecycle, all the way into production. This creates a continuous chain of evidence, providing a clear context for production binaries and making it easier to resolve issues and understand their origin.

Are the attestations from GitHub permanently stored?

GitHub Artifact Attestations are stored permanently in JFrog. This ensures they are always available as a key resource for enforcing policies, maintaining compliance, and providing an immutable record of the build process.

What is an attestation in this context?

An attestation is a verifiable, cryptographically signed statement about a software artifact. In this integration, it refers to the verifiable evidence generated by GitHub (known as GitHub Artifact Attestations) that provides a secure, tamper-proof record of what happened during the build process.

What are the other integrations between GitHub and JFrog?

Visit https://jfrog.com/jfrog-and-github/ for the latest information.

About GitHub

GitHub empowers developers and organizations to build, scale, and deliver secure software. As the world's largest developer platform, GitHub fosters a global community where millions of people and businesses collaborate, innovate, and drive code to its full potential.
Learn More