JFrog and GitHub team up to closely integrate their source code and binary platforms

GitHub and JFrog announced a partnership on Wednesday that will see a deeper integration between the two companies' platforms, giving developers and their support teams an easier way to manage both their source code and the resulting binaries across both services.

Among other things, this includes the ability to trace code from source to binary packages across both platforms, single sign-on support and unified project structures, including role mapping. Later, there will also be a unified dashboard that will provide a single pane of glass for seeing the results of source- and binary-focused security scans from GitHub's and JFrog's respective security tools.

At first, this may seem like an odd match, since both companies play in the DevOps space. But since GitHub focuses on source code and JFrog on binaries, the overlap between them is actually relatively small. As it turns out, about half of JFrog's customers are also GitHub users; as JFrog CEO and co-founder Shlomi Ben Haim and GitHub CEO Thomas Dohmke both told me, the main mission here is to make their lives easier.

"We are using Artifactory ourselves within GitHub," Dohmke told me (just as JFrog uses GitHub for managing its source code). "And so it felt natural for us to do more together as we're thinking about how we can secure the software ecosystem, how we can help our enterprise customers like AT&T and Fidelity or Vimeo. How can we help them to have an end-to end lifecycle? And if you remember our very first conversation, before I became the CEO, our vision for GitHub is that we are part of a large ecosystem. Copilot Extensions is all along those same lines: that we have to partner with other companies in our ecosystem to provide our customers — our developers — the best experience."

Similarly, JFrog's Ben Haim stressed that his company is all about binaries — and creating security products around that. "JFrog is the only comprehensive software supply chain platform in the world," he said. "GitLab is a source-code platform, GitHub is a source-code platform. Atlassian with BitBucket — same thing. [...] Artifactory is your binary repository and serves the organization as the single source of record."

GitLab may argue with that description, though, given that the company offers a rather comprehensive DevSecOps platform. But where there is no argument is that enterprises today are looking to consolidate their spending around best-of-breed solutions. Today's enterprises, Ben Haim said, need to be able to scale, but in a secure way, all while moving increasingly faster and picking the best services in the market.

"When you think about where developers live, they live on GitHub and they live on JFrog. [...] Basically, this collaboration, this marriage, doesn't have to be explained to our customers because this is where they are: they are either here for the source code, or here for the binaries — and this together story makes their lives easier," he said.

You can't say "GitHub" in 2024 and not talk about Copilot, the company's AI tool. Wednesday's announcement is no exception, with a deep JFrog/Copilot integration that now extends Copilot Chat to let developers ask questions about which software packages (or which version of those packages) to use, how to best secure them and how to set up JFrog projects, for example.

"Chatting with GitHub’s Copilot to select the right and secure software package based on the extensive metadata stored in JFrog Catalog can be a game-changer," explained John Nuttall, Director of Technology at AT&T, one of JFrog's and GitHub's joint customers. "This integration will significantly enhance the efficiency of Copilot users across the software supply chain: binary-focused and code environments. This partnership offers the best of both worlds."

GitHub's Dohmke also noted that looking ahead, the plan for GitHub is to bring more agent-like functions to Copilot that work across a security tool like Sentry (which was among the first companies to offer a Copilot extension), GitHub and JFrog's Artifactory to perform a given action autonomously.

Customers like AT&T, Ben Haim told me, want an easier way to move back and forth between GitHub and JFrog, using the same credentials. They also want traceability that tracks a piece of code's lifecycle from source code to binary and back. Traditionally, the code and binary have always been rather disconnected, but with this integration, a team putting the binary in production can now quickly see which changes were last made to the source code, for example, and work with the specific developer responsible for those changes to fix an issue.

The security aspects here are also important. Typically, these customers are also using both GitHub's and JFrog's security solutions, but they do not want to have to check two different dashboards. As GitHub's Dohmke noted, different users may see different dashboards — with the developers likely wanting to see theirs right in GitHub while a security team may prefer to see theirs in Artifactory or elsewhere.

"This integration can simplify software supply chain security by displaying source-based security findings from GitHub alongside binary-based security findings from JFrog under GitHub’s Security tab, allowing developers to gain a holistic security view and shorten remediation times to improve the overall security posture," said Mark Carter, CIO and CISO for Vimeo. "Software supply chain security is top of mind for every CISO, and this joint solution from JFrog and GitHub provides a critical, AI-infused cybersecurity control."

Looking ahead, the two companies plan to deepen this integration even more. The current solution is meant to address immediate pain points for their customers, Ben Haim said. Later this year, the companies will share a bit more about what's next at JFrog's swampUP conference in September.