JFrog and GitHub are working together to tightly integrate their source code and binary platforms

GitHub and JFrog announced a partnership on Wednesday that will see deeper integration between the two companies’ platforms, giving developers and their support teams an easier way to manage both their source code and the resulting binaries across both services.

This includes the ability to track code from source to binary packages on both platforms, single sign-on support, and unified project structures including role assignment. Later, there will also be a unified dashboard that provides a single window for viewing the results of source- and binary-targeted security scans from GitHub and JFrog’s respective security tools.

At first, this may seem like an odd fit since both companies are in the DevOps space. But because GitHub focuses on source code and JFrog focuses on binaries, the overlap between them is actually relatively small. It turns out that about half of JFrog’s customers are also GitHub users. As JFrog CEO and co-founder Shlomi Ben Haim and GitHub CEO Thomas Dohmke both told me, the main mission here is to make those customers’ lives easier.

“We use Artifactory itself within GitHub,” Dohmke told me (just as JFrog uses GitHub for source code management). “And so it felt natural for us to do more together as we think about how do we secure the software ecosystem, how do we help our enterprise customers like AT&T and Fidelity or Vimeo? How can we help them have an end-to-end lifecycle? And if you remember our very first conversation, before I became CEO, our vision for GitHub is that we are part of a big ecosystem. Copilot Extensions follows the same line: that we need to collaborate with other companies in our ecosystem to provide the best experience for our customers – our developers.”

Similarly, Ben Haim of JFrog emphasized that his company is all about binaries and creating security products around them. “JFrog is the only comprehensive software supply chain platform in the world,” he said. “GitLab is a source code platform, GitHub is a source code platform. Atlassian with BitBucket: same thing. […] Artifactory is your binary repository and serves the organization as the single source of data.”

GitLab may dispute this description, however, as the company offers a fairly comprehensive DevSecOps platform. But what is not in dispute is that companies today want to consolidate their spend around best-in-class solutions. Today’s businesses must be able to scale, but safely, while moving faster and choosing the best services on the market, according to Ben Haim.

“If you think about where developers live, they live on GitHub and they live on JFrog. […] In short, this collaboration, this marriage, does not need to be explained to our customers, because this is where they are: they are here for the source code, or here for the binaries – and this together story makes their lives easier,” he said.

You can’t say “GitHub” in 2024 and not talk about Copilot, the company’s AI tool. Wednesday’s announcement is no exception: a deep JFrog/Copilot integration extends Copilot Chat so that developers can ask which software packages (or which versions of those packages) to use, how best to secure them, and how to set up JFrog projects, for example.

“Chatting with GitHub’s Copilot to select the right and secure software package based on the extensive metadata stored in JFrog Catalog can be a game-changer,” explains John Nuttall, director of technology at AT&T, one of JFrog and GitHub’s joint customers. “This integration will significantly improve the efficiency of Copilot users across the software supply chain: binary-oriented environments and code environments. This collaboration offers the best of both worlds.”

GitHub’s Dohmke also noted that the plan for GitHub, looking ahead, is to bring more agent-like features to Copilot that work across a security tool like Sentinel (which was one of the first companies to offer a Copilot extension), GitHub and JFrog’s Artifactory to perform a certain action autonomously.

Customers like AT&T, Ben Haim said, want an easier way to switch back and forth between GitHub and JFrog, using the same credentials. They also want traceability that follows the lifecycle of a piece of code, from source code to binary and back. Traditionally, the code and the binary have always been quite separate, but with this integration, a team putting the binary into production can now quickly see what changes were most recently made to the source code, for example, and work with the specific developer responsible for those changes to solve a problem.

Security aspects are also important here. Typically, these customers also use both GitHub and JFrog’s security solutions, but they don’t want to have to monitor two different dashboards. As GitHub’s Dohmke noted, different users may see different dashboards, with developers likely wanting to see their dashboards directly in GitHub, while a security team might prefer to see theirs in Artifactory or elsewhere.

“This integration can simplify software chain security by displaying source-based security findings from GitHub alongside binary security findings from JFrog under GitHub’s Security tab, allowing developers to gain a holistic security view and reduce remediation times to improve the overall security posture,” says Mark Carter, CIO and CISO for Vimeo. “Software supply chain security is a top priority for any CISO, and this joint solution from JFrog and GitHub provides critical AI-infused cybersecurity control.”

Looking ahead, the two companies plan to deepen this integration even further. The current solution is intended to address immediate pain points for their customers, Ben Haim said. Later this year, the companies will talk more about the future at JFrog’s swampUP conference in September.