JFrog and GitHub Integrate Source Code and Binary Platforms

Wednesday announced a partnership between GitHub and JFrog, resulting in a more robust integration between the two companies’ platforms

This integration will simplify developers and their support teams to manage source code and the resulting binaries across both services.

This includes tracing code from source to binary packages across both platforms, unified project structures with role mapping, and single sign-on support. In the future, a unified dashboard will be available to display the outcomes of source and binary-focused security assessments conducted by the security tools of GitHub and JFrog from a single interface.

This may initially appear to be an unusual pairing, given that both organizations operate in the DevOps industry. However, because GitHub emphasizes source code and JFrog binaries, the degree of overlap between the two is comparatively minor. It turns out that roughly half of JFrog’s clientele are also GitHub users; according to JFrog CEO and co-founder Shlomi Ben Haim and GitHub CEO Thomas Dohmke, the primary objective is to simplify their lives.

Dohmke informed me, “We are utilizing Artifactory internally within GitHub, just as JFrog manages its source code on GitHub.” Therefore, it was organic for us to collaborate further as we contemplate methods to safeguard the software ecosystem and assist our enterprise clients, including AT&T, Fidelity, and Vimeo.

In what ways can we assist them in achieving a complete lifecycle? If you recall, our first conversation before I was appointed CEO was regarding our vision for GitHub as a participant in a vast ecosystem. Copilot Extensions operates under the same principle: “To provide the best experience for our customers—our developers—we must collaborate with other businesses in our ecosystem.”

Ben Haim of Jfrog emphasized that his organization is entirely devoted to binaries and the development of security products based on them. He stated, “JFrog is the world’s only all-encompassing software supply chain platform.” “Both GitLab and GitHub function as source-code platforms.” Atlassian and BitBucket are identical. […] Artifactory functions as the organization’s singular source of record and binary repository.

Nevertheless, GitLab could contest that characterization, considering the comprehensive DevSecOps platform it provides. However, one point beyond dispute is that modern businesses seek to consolidate their expenditure around best-of-breed solutions.

According to Ben Haim, contemporary enterprises must be able to scale securely while accelerating operations and selecting the most optimal services available in the market.

“When one considers the environments in which developers operate, GitHub and JFrog come to mind.” […] “This partnership, this union, essentially, does not require an explanation to our clientele, as they are already on our platform, either seeking the source code or the binaries; this joint narrative simplifies their lives,” he explained.

You can’t say “GitHub” in 2024 and not talk about Copilot, the company’s AI tool. Wednesday’s announcement is no exception, with a deep JFrog/Copilot integration that now extends Copilot Chat to let developers ask questions about which software packages (or which version of those packages) to use, how to secure them best, and how to set up JFrog projects, for example.

“Chatting with GitHub’s Copilot to select the right and secure software package based on the extensive metadata stored in JFrog Catalog can be a game-changer,” explained John Nuttall, Director of Technology at AT&T, one of JFrog’s and GitHub’s joint customers.

“This integration will significantly enhance the efficiency of Copilot users across the software supply chain: binary-focused and code environments. This partnership offers the best of both worlds.”

GitHub’s Dohmke also noted that looking ahead, the plan for GitHub is to bring more agent-like functions to Copilot that work across a security tool like Sentry (which was among the first companies to offer a Copilot extension), GitHub and JFrog’s Artifactory to perform a given action autonomously.

Customers like AT&T, Ben Haim told me, want an easier way to move back and forth between GitHub and JFrog using the same credentials. They also want traceability, which tracks a piece of code’s lifecycle from source code to binary and back.

Traditionally, the code and binary have always been rather disconnected. Still, with this integration, a team putting the binary in production can quickly see which changes were last made to the source code, for example, and work with the specific developer responsible for fixing an issue.

The security aspects here are also important. Typically, these customers also use both GitHub’s and JFrog’s security solutions but do not want to check two different dashboards. As GitHub’s Dohmke noted, different users may see different dashboards — with the developers likely wanting to see theirs right in GitHub. At the same time, a security team may prefer to see theirs in Artifactory or elsewhere.

“This integration can simplify software supply chain security by displaying source-based security findings from GitHub alongside binary-based security findings from JFrog under GitHub’s Security tab, allowing developers to gain a holistic security view and shorten remediation times to improve the overall security posture,” said Mark Carter, CIO and CISO for Vimeo.

“Software supply chain security is top of mind for every CISO, and this joint solution from JFrog and GitHub provides a critical, AI-infused cybersecurity control.”

Looking ahead, the two companies plan to deepen this integration even more. The current solution is meant to address immediate pain points for their customers, Ben Haim said. Later this year, the companies will share more about what’s next at JFrog’s swampUP conference in September.