Software Supply Chain Topics
Browse by category or alphabetically, and access in-depth articles on key software supply chain topics—from languages and libraries to package managers, toolchains, and security practices.
Access control defines and enforces who can access or modify digital resources to protect data and ensure compliance.
An agent skills repository is a centralized, versioned store for agent capabilities functioning as a governed artifact system. It...
An agentic repository is a new type of software repository that uses AI agents to automate and optimize the software delivery process.
An agentic supply chain is an autonomous, AI-driven ecosystem where intelligent agents move beyond simple automation using goal-oriented...
An AI gateway is a centralized control plane and data plane layer that mediates interactions between...
An AIBOM is a standardized record of artificial intelligence...
API security mitigates attackers' abuse of an Application Programming Interface to disrupt systems or steal data.
Application security refers to the measures taken to protect software applications from threats and vulnerabilities.
Artifact Management is the process of organizing and storing software binaries and their metadata to...
Application Security Testing (AST) identifies, reports, and detects vulnerabilities in software applications throughout the SDLC.
A backdoor attack is a technique used by threat actors to create a hidden entry point into an application or environment.
A tool that allows you to organize your compiled binaries into repositories, just as you organize your source code into repositories.
As a verb, to compile your source code into an executable binary. As a noun, a version of your application as an executable binary.
CI/CD streamlines and automates the process of integrating, testing, and delivering code changes to applications.
A CI/CD pipeline helps Machine Learning teams achieve rapid and reliable updates of models in production.
Cloud native is an approach to building and running software specifically designed to leverage the flexibility, scalability, and...
Learn the 7 essential practices that a DevOps solution must enable to accelerate your path to cloud native development.
A CNAPP is a cloud security platform that provides unified visibility and protection across cloud-native applications, including...
Code signing is a cryptographic process that uses a digital signature to confirm a software artifact’s origin and integrity.
A compiler translates an application written in a higher-level programming language into a lower-level language so it can be executed.
A virtualized operating system environment that includes an application and its dependencies, helping it run anywhere it's deployed.
A container registry is a centralized service used to store, manage, and distribute container images...
Container runtime security is a component of application security, helping to detect/mitigate issues that impact running containers.
Container security is the practice of protecting containerized applications across the build, ship, and...
Continuous delivery (CD) is a software development practice that ensures code changes are always in a deployable state.
Like Continuous Delivery, a philosophy that your software updates should be continuously delivered to the target. However, Continuous...
Continuous integration (CI) is a software development practice where developers merge code changes into...
Contract testing is a software testing methodology that evaluates interactions between individual software services to ensure they...
Cloud environments typically include a large number of diverse workloads running across multiple cloud services, with thousands of human...
CVE is a list of publicly disclosed cybersecurity vulnerabilities that provides a standardized identifier to help organizations track...
The Common Vulnerability Scoring System (CVSS) is a standardized framework for rating the severity of security vulnerabilities.
Dynamic Application Security Testing is designed to test applications in real-time under operating conditions.
Code, libraries, or tools that your application relies on to operate. May or may not be written by a third party.
DevGovOps is a framework integrating governance and compliance into the DevOps lifecycle to ensure that software delivery remains both...
DevOps is an integrated practice uniting software development and IT operations to deliver business value and application updates more...
DevOps is a managerial and technical approach that unifies software development and operations to...
DevSecOps is the integration of security processes within the software development lifecycle to identify...
DevSecOps tools are automated applications that embed security testing into the development lifecycle to...
Docker is an open-source platform that uses containerization to package applications, ensuring software runs consistently across...
Docker alternatives are containerization tools and platforms that provide functionalities similar to Docker to create, manage, and run...
Docker Hub is a cloud-based registry service that allows developers to store, share, and distribute container images to simplify...
Fine-tuning LLMs on narrowly focused datasets enables them to acquire deep domain expertise, significantly improving their accuracy and...
GitOps is an operational framework that manages infrastructure configurations in Git, providing a single...
GRC is a unified strategy integrating governance, risk, and compliance into software operations to protect the organization and fulfill...
Hashing is the process of converting input data into a fixed-length string using a mathematical algorithm to verify data integrity and...
A Docker image is a read-only template containing instructions to create a container, packaging an application and its preconfigured...
An HTTP proxy is a server that sits between web servers and clients to intercept, analyze, and forward network requests to boost...
Identity and Access Management (IAM) is the practice of ensuring the right users and devices have appropriate access to technology...
Infrastructure as Code (IaC) is the practice of managing and provisioning computing infrastructure, such as virtual machines, networks,...
Insider threats refer to security risks that originate from individuals within an organization, such as current employees, former...
A type of testing that verifies entire parts of an application work when combined with other parts of an application.
A tool that translates source code in a higher-level language into a lower-level language for execution, line-by-line, at runtime....
A Kubernetes registry is a storage system for container images used by Kubernetes clusters to deploy applications. It acts as a central...
LLMOps is a systematic approach to developing, deploying, and operating Large Language Models (LLMs). By bringing consistency to this...
A legal document that defines how a piece of software may be used, and what the implications are for using it. Licenses may define rules...
In the context of JFrog Artifactory, a particular type of repository that contains code originating on your local machine. Does not...
A Machine Learning (ML) model is a program that has been trained on a dataset using an algorithm. By...
A software supply chain attack occurs when malicious actors insert malware or tampered code into the software development or delivery...
Masquerading is a deceptive technique where a malicious actor or artifact impersonates a trusted entity to bypass security controls and...
An MCP registry is a centralized service for discovering, versioning, and governing Model Context Protocol (MCP) servers and tools...
A software development architecture that breaks your application up into multiple independent services that interact with one another....
Microservices security refers to the practices, tools, and strategies used to protect distributed applications built with a...
An ML Experiment Tracking Tool is a specialized platform designed to log, organize, and analyze...
ML model interpretability refers to how easily a human being can interpret and understand how the model arrived at its decision or...
MLOps is a set of practices that automates the machine learning lifecycle to bridge the gap between data science and operations and...
The Model Context Protocol is an open, universal standard for connecting AI models to organizational data sources and tools. It enables...
Model deployment is the step within the machine learning life cycle where a new model moves into a...
A model registry in MLOps (Machine Learning Operations) is a centralized repository that manages the lifecycle of machine learning...
ModelOps is a set of practices that businesses can use to derive maximum value from machine learning...
A software development architecture wherein your application is built as a single unit -- front-end, back-end, and database. Until...
Nix is a powerful package manager and build system that takes a pure functional approach to software management. Unlike traditional...
npm is the default package manager for JavaScript and TypeScript that automates the process of discovering, installing, managing, and...
NuGet is a commonly-used package manager that simplifies dependency management by enabling developers to easily add, remove, and update...
Operational Risk Management (ORM) refers to the practices and processes for identifying, assessing, and mitigating risks associated with...
Packages are bundles of code used to extend the functionality of an application.
The principle of least privilege is an operating paradigm where every subject in a system, whether a user or application component, can...
A private Cargo registry serves as a centralized, controlled repository for Rust Cargo crate packages, offering enhanced security and...
A Python base image is a Docker or container image that contains a Python interpreter and often common Python packages.
Role-Based Access Control (RBAC) is a method for restricting system access to authorized users. Instead of assigning permissions...
Real-time machine learning is the capability of ML systems to make predictions and adapt to new data instantaneously. This real-time...
Release management is the structured process of planning, coordinating, and overseeing software deployments.
In the context of JFrog Artifactory, a repository type that contains only remote code with an original source outside of your local...
A place to organize your source code or artifacts into one cohesive, organized group by application or project. Tools like GitHub are...
Static Application Security Testing (SAST) is a type of application security testing that scans applications in a static state to...
A Software Bill of Materials (SBOM) is a comprehensive list of all the components used to build and run an application so organizations...
Software Composition Analysis (SCA) is the automated process of identifying third-party and open source...
The software development life cycle, or SDLC, is the set of phases that occur as developers create software. It includes a series of...
Secrets Management, vital in Application Security (AppSec), protects sensitive credentials like API keys and passwords across their...
Security Misconfigurations refer to the incorrect or suboptimal configuration of a system component or security control, leading to a...
A semantic release is an automated workflow that strictly adheres to the principles of Semantic...
Serverless computing is a cloud execution model where code runs on demand without managing servers or infrastructure. The cloud provider...
A tool that makes it easier to monitor and control the flow of information between the microservices that make up your application. This...
Shadow AI is the use of artificial intelligence tools within an organization without official IT...
Shift Left is a software development security strategy and practice that integrates security measures as...
The SLSA Framework (Supply-chain Levels for Software Artifacts) is a security standard from the OpenSSF that secures the build process...
A software artifact repository is a centralized storage system that manages and tracks build outputs and dependencies so teams can...
A software artifact is any tangible or intangible item produced during development and deployment, including source code, binaries, and...
A software attestation is a verifiable, authenticated statement, proven with evidence, that a given piece of software meets predefined...
A software binary is the file resulting from compiling source code that is written in a compiled language. They contain machine code...
Software Governance defines the framework for managing and controlling the development, deployment, and...
Software provenance is the metadata that records the origin, development, and delivery of software components.
Software supply chain security is the practice of protecting the tools, libraries, and processes used to develop code so organizations...
A software vulnerability is a specific flaw or weakness in an application's codebase, architecture, or configuration that can be...
A tool that helps manage your uncompiled source code into repositories. Examples are GitHub or Bitbucket.
The Secure Software Development Framework (SSDF) is a set of NIST practices that embeds security into the development lifecycle to...
A Secure Software Development Lifecycle (SSDLC) is a disciplined approach to embedding security throughout the software development...
Typosquatting is a cyber attack where malicious actors develop software packages using names that...
An Ubuntu base image is a lightweight, container-optimized version of the Ubuntu operating system used as the foundational layer for...
A type of test that aims to verify functionality within a very specific, narrow scope, e.g., a specific function or class.
In the context of JFrog Artifactory, a type of repository that acts as an envelope around the local and remote repositories that make up...
Vulnerability Management is the process of discovering, identifying, prioritizing and ultimately remediating vulnerabilities and risk in...
Vulnerability scanning is the automated process of checking systems, networks, or applications for known security weaknesses to prevent...
Container Orchestration is an automated process that manages the lifecycle of containerized applications across a cluster of servers,...
Containerization is an operating system virtualization method that packages code and its dependencies into isolated units to ensure...
Helm is a Kubernetes package manager that bundles application resources into versioned packages called charts to enable consistent...
The Internet of Things (IoT) is a network of connected devices that collect and...
Multicloud security standardizes application security (AppSec) controls across multiple public clouds. It uses platform-agnostic...
PCI DSS is a global security framework mandated by the Payment Card Industry Security...
Q-learning is a model-free reinforcement learning (RL) algorithm that enables agents to determine optimal actions by iteratively...
A data serialization language designed to be human-readable, frequently used for configuration files in DevOps and beyond.
Zero-day vulnerability is a software security flaw unknown to the vendor that allows attackers to exploit systems before a fix exists,...