
Software Supply Chain
State of the Union 2025

Expanding threat landscape jeopardizes
software integrity
We combined responses from 1,400 Security and DevOps professionals, analysis from the JFrog Security Research team, and JFrog Platform data to understand the state of software supply chains today.
Here’s a preview of the findings:
  • Open-source risk is exploding with MILLIONS of new packages
  • CVE data issues obfuscate vulnerability severity and applicability
  • Organizations continue to increase the number of security tools used
  • Complete visibility of software provenance eludes many organizations
  • The AI software supply chain is booming, but so is the risk

Download the report now

The JFrog State of the Union Report Found:

  • New packages: the typical organization brings in 38 new packages a month.
  • Secrets detected across Docker Hub, npm, and PyPI, some of which were still active.
  • Security tools: more than 70% of organizations use multiple tools, and nearly half use 10 or more.

Ecosystem Growth Across the Board

Docker Hub continues to be the most contributed-to ecosystem, based on JFrog Catalog data examining public registries. Although growth slowed somewhat in 2024 compared with the explosive growth of 2023, roughly 2M new packages were still added in 2024.
Chart: ecosystem growth by year, 2021 to 2024.

Don’t Judge a CVE by Its CVSS

In a review of 183 High and Critical CVEs from the most popular components and technologies among JFrog customers, only 27 CVEs (15%) had an applicability rate above 80%, meaning the vulnerable code was actually reachable in most of the environments where the component was used. A CVSS score alone says nothing about whether a given deployment is affected.
Applicability of the 183 high-profile CVEs:
  • Low applicability (0% to 20%): 63.9%
  • Moderate applicability (20% to 80%): 21.3%
  • High applicability (80% to 100%): 14.8%

Still Hungry for More Software Supply Chain
Risks, Trends, and Insights?

Download the reports from previous years.
Software Supply Chain State of the Union 2023
The Leading Software Components in Use Today to Inform your 2023 Projects
Download 2023’s Report
Software Supply Chain State of the Union 2024
From Innovation to Infiltration: Safeguarding Against the Hidden Dangers in Your Software Ecosystem
Download 2024’s Report