Software Supply Chain State of the Union 2025

Expanding threat landscape jeopardizes software integrity

We combined responses from 1,400 Security and DevOps professionals, analysis from the JFrog Security Research team, and JFrog Platform data to understand the state of software supply chains today. Here’s a preview of the findings:

  • Open-source risk is exploding with MILLIONS of new packages
  • CVE data issues obfuscate vulnerability severity and applicability
  • Organizations continue to increase the number of security tools used
  • Complete visibility of software provenance eludes many organizations
  • The AI software supply chain is booming, but so is the risk

The JFrog State of the Union Report Found

458 New packages

Brought in by the typical organization per year. That’s about 38 new packages a month!

25,229 secrets detected

Across Docker Hub, npm, and PyPI. You won’t guess how many were still active.

7+ security tools

Are used by over 70% of orgs. Nearly half are using 10+.