JFrog and GitHub today extended their alliance to provide a unified dashboard that makes it simpler to track and prioritize vulnerabilities from source code to the binaries that are ultimately deployed.
Announced at the JFrog swampUP 2024 conference, the dashboard will make it possible for DevOps teams to navigate bidirectionally from a GitHub Actions workflow to where, for example, software packages are housed in a JFrog Artifactory repository, including tracking the results of security scans, permissions and identities.
That bidirectional integration also extends to software bill of materials (SBOM) packages to make tracking software provenance and dependencies simpler.
In addition, a job summary page on GitHub provides an at-a-glance view of the health and security status of each project.
Finally, the two companies are providing single sign-on capabilities enabled by support for the OpenID Connect (OIDC) framework. Previously, switching between development environments required the use of long-lived tokens that could be more easily compromised.
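To make the token-versus-OIDC point concrete, here is an added example (not from the article, JFrog or GitHub) of the two GitHub Actions patterns side by side: a workflow that authenticates to Artifactory with a static access token stored as a repository secret, and one that instead exchanges a short-lived GitHub-issued OIDC identity token for a JFrog access token at run time. The `jfrog/setup-jfrog-cli` inputs `oidc-provider-name` and `oidc-audience`, and the `JF_URL` / `JF_ACCESS_TOKEN` environment variables, are taken from that action's documentation as I understand it rather than from the article; the provider name, audience and URL values are placeholders that must match whatever is configured on the JFrog Platform side.

```yaml
# ---------------------------------------------------------------------------
# Pattern A (weaker): a long-lived JFrog access token kept in GitHub Secrets.
# The token is valid until revoked, is the same on every run, and anyone who
# can read repository secrets (or a leaked log) can reuse it from anywhere.
# ---------------------------------------------------------------------------
name: build-with-static-token
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: jfrog/setup-jfrog-cli@v4
        env:
          JF_URL: https://example.jfrog.io            # placeholder platform URL
          JF_ACCESS_TOKEN: ${{ secrets.JF_ACCESS_TOKEN }}   # static, long-lived secret
      - run: jf rt ping

---
# ---------------------------------------------------------------------------
# Pattern B (preferred): OIDC federation. The job requests an identity token
# from GitHub (id-token: write), and the setup action exchanges it with the
# JFrog Platform for a short-lived access token. No JFrog credential is stored
# in GitHub; trust is scoped by the claims JFrog is configured to accept
# (repository, branch, workflow, environment).
# ---------------------------------------------------------------------------
name: build-with-oidc
on: [push]
permissions:
  id-token: write   # required so the job can mint a GitHub OIDC token
  contents: read    # least privilege for checkout
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: jfrog/setup-jfrog-cli@v4
        env:
          JF_URL: https://example.jfrog.io            # placeholder platform URL
        with:
          oidc-provider-name: github-actions-provider  # placeholder: must match the OIDC integration name in JFrog
          oidc-audience: jfrog-github                   # placeholder: must match the audience configured in JFrog
      - run: jf rt ping
```

The defensive difference is in what an attacker gains from a compromise: in Pattern A a leaked secret is a reusable credential until someone rotates it, whereas in Pattern B the exchanged token expires on its own and is only issued when GitHub vouches, via signed claims, that the request came from the specific repository and workflow the JFrog side was configured to trust. Reviewing the claim restrictions on the JFrog OIDC integration (and keeping `id-token: write` off workflows that do not need it) is the part of the setup most worth auditing.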
JFrog CTO Yoav Landman said this single-pane-of-glass view of a DevSecOps workflow is the latest in a series of integrations the two companies are planning in order to simplify project mapping. JFrog and GitHub earlier this year announced a broad alliance that began with integrations with GitHub Copilot, the generative artificial intelligence (AI) framework based on large language models (LLMs) developed by OpenAI. JFrog is now also participating in the GitHub Copilot Extensions program, enabling developers to use a chat feature to retrieve answers to common coding questions relevant to their JFrog and GitHub environments.
Those integrations are critical because they enable organizations to proactively address compliance requirements that are only going to become more stringent in the months and years ahead, noted Landman. Developers, for example, will be able to eliminate many of these issues as they write code, as opposed to being asked to address issues much later when they have lost the original context for how a vulnerability was created, he added.
It’s not clear to what degree organizations are embracing the best DevSecOps workflows to address this issue. Unfortunately, a recent JFrog survey found only slightly more than half of organizations are using both source code and binary scanning to secure their software supply chains.
However, there will come a day soon when deploying software without scanning for vulnerabilities is likely to be considered a form of negligence, noted Landman.
Ideally, generative AI tools such as GitHub Copilot will make it easier to discover and remediate vulnerabilities sooner. Addressing those issues should eventually become part of any quality assurance testing process.
In the meantime, software engineers are being tasked with addressing application security issues before they become a much larger problem for overwhelmed cybersecurity teams, which are generally unable to remediate vulnerabilities without the help of an application developer. As such, the better part of valor is to eliminate as many of these issues as possible, long before code ever makes it into a production environment.