
In 2024, it feels impossible to attend any conference, summit, or seminar without hearing vendors talking either security or AI, and it was no different at the annual JFrog swampUP user conference in Austin, Texas this September. 

Most will recognize JFrog from their widely-used artifact management solution, Artifactory. Artifact management is a Tier 0 or Tier 1 component in most DevOps tooling stacks, and Artifactory has a dedicated following, but the company is making a concerted push to use what they already know – package management – as a springboard to tackle some of the industry’s current areas of big investment. 

GitHub Partnership 

JFrog has always been one part of the DevOps tooling stack, and – as with most specialized products – there's a constant risk that product growth by one of the major full-stack competitors and consolidation drives by purchasers will begin to eat into market share. GitLab’s package registry, for example, supports the storage of a variety of artifacts, packages, and dependencies. 

Seeing GitHub’s CEO Thomas Dohmke on stage at swampUP 2024 was a good sign for both parties. It’s a natural partnership: JFrog brings additional security capabilities that GitHub Advanced Security can’t provide as well as a best-of-breed package management solution, while GitHub provides the core source control platform and the extremely popular GitHub Actions CI/CD components.


Other than simply using GitHub for source control and Actions and JFrog for package management and binary scanning, GitHub and JFrog were probably most excited about three key features: 

  • Linking of GitHub Jobs and Artifactory Information. A huge part of JFrog’s security push is in the software supply chain space: allowing organizations to verifiably manage what dependencies and components are not just in their source code, but also in the binaries running in production. Combined with JFrog Runtime Security (more below), this should allow teams to trace releases from source code to production. 
  • JFrog Security Results in GitHub Advanced Security. One of the greatest annoyances of security tool sprawl is simply having to look in many places for the results. GitHub has long supported the SARIF format for importing static code analysis scan results from other tools, but a new consolidated dashboard is intended to capture all of the insights provided by JFrog’s binary and runtime security scanning in a single pane of glass. 
  • Copilot Integration with JFrog Artifactory. Coming soon to private beta, Copilot chat should soon be able to take advantage of insights from JFrog’s artifacts and packages. 
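As a concrete illustration of the SARIF import path mentioned above, here is an added example (not JFrog's or GitHub's code) that converts findings from a hypothetical third-party scanner into a minimal SARIF 2.1.0 document of the shape GitHub code scanning accepts. The input findings, the tool name and the severity-to-level mapping are constructed for the example.

```python
"""Convert scanner findings to a minimal SARIF 2.1.0 document.

Added example, not code from JFrog or GitHub. The finding records below are
constructed; a real scanner would supply them. Only the SARIF fields that
GitHub code scanning needs (tool driver, rules, results with a location) are
emitted.
"""
import json

# Constructed sample findings, as a hypothetical binary/dependency scanner
# might report them. "line" is 1-based; missing lines default to 1.
SAMPLE_FINDINGS = [
    {"id": "dep-vuln", "severity": "high", "file": "package-lock.json",
     "line": 42, "text": "Dependency with a known vulnerability"},
    {"id": "hardcoded-secret", "severity": "medium", "file": "config/settings.py",
     "line": 7, "text": "Hard-coded credential"},
    {"id": "dep-vuln", "severity": "LOW", "file": "requirements.txt",
     "line": 3, "text": "Dependency with a known vulnerability"},
]

# Constructed mapping from scanner severities to SARIF result levels.
SEVERITY_TO_LEVEL = {
    "critical": "error", "high": "error", "medium": "warning", "low": "note",
}


def to_sarif(findings, tool_name="example-scanner", tool_version="0.0.0"):
    """Return a SARIF 2.1.0 dict with one run for the given findings."""
    rules = {}
    results = []
    for f in findings:
        # One rule entry per distinct rule id; GitHub shows these as alert types.
        rules.setdefault(f["id"], {
            "id": f["id"],
            "shortDescription": {"text": f["text"]},
        })
        results.append({
            "ruleId": f["id"],
            # Unknown severities fall back to "warning" rather than being dropped.
            "level": SEVERITY_TO_LEVEL.get(str(f.get("severity", "")).lower(), "warning"),
            "message": {"text": f["text"]},
            "locations": [{
                "physicalLocation": {
                    # Repository-relative path; SARIF regions are 1-based.
                    "artifactLocation": {"uri": f["file"]},
                    "region": {"startLine": max(1, int(f.get("line", 1)))},
                }
            }],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{
            "tool": {"driver": {
                "name": tool_name,
                "version": tool_version,
                "rules": list(rules.values()),
            }},
            "results": results,
        }],
    }


def sarif_json(findings):
    """Serialise the SARIF document, ready to be written to a .sarif file."""
    return json.dumps(to_sarif(findings), indent=2)


if __name__ == "__main__":
    print(sarif_json(SAMPLE_FINDINGS))
```

The resulting file is what an upload step (for example the code-scanning upload action) sends to GitHub; the rule ids are what the consolidated dashboard groups alerts by, so keeping them stable across scanner versions matters more than the message text.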

JFrog Runtime

Part of JFrog’s security push is the concept of ‘end to end security’ – the idea that there is a consistent, seamless integrity chain from source code to runtime deployment. 

JFrog Runtime is designed to extend that chain into applications actually deployed and running on Kubernetes. Runtime can monitor the integrity of running applications and validate that the images running are the same ones deployed from Artifactory. The operator also provides real-time visibility into vulnerabilities – identifying which running applications are affected by security vulnerabilities that may not have been known prior to deployment, and tying those vulnerabilities back to the packages they came from and ultimately to source code, letting developers remediate the issue faster and more efficiently. 

JFrog ML 

One core reason that organizations run LLM models locally today is to maintain version control. Models being served by API endpoints can change quickly and often in unpredictable ways, and being able to verify that the model you’re using today is the same model you were using (and tested, and potentially red-teamed) a month ago is often necessary to satisfy compliance or regulatory requirements. Of course, since LLM models themselves are simply binary artifacts, this isn’t necessarily difficult to do – but it raises all the same issues as any other kind of artifact storage, like immutability, traceability, and lifecycle management. 
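Both the runtime integrity check described under JFrog Runtime (are the running images the ones that were released?) and the model version-control point above come down to the same mechanism: pin a content digest at release time and compare it against what is actually running. The following added example (not JFrog's code, and not using any Artifactory or Kubernetes API) models that check with a constructed release manifest and a constructed runtime inventory; container images are compared by their pinned digest, and a model file is handled by hashing its bytes with SHA-256 first.

```python
"""Reconcile a runtime inventory against a pinned release manifest.

Added example, not JFrog's code. The manifest and inventory below are
constructed stand-ins for "what the artifact repository released" and "what
the cluster or model server reports as running". Findings are classified as
ok, drift (digest differs), unknown (never released), unpinned (mutable tag
instead of a digest) or malformed (digest not well-formed).
"""
import hashlib
import re

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")


def sha256_digest(data: bytes) -> str:
    """Content digest in the same 'sha256:<hex>' form used for images."""
    return "sha256:" + hashlib.sha256(data).hexdigest()


# Constructed: digests recorded when the release was cut. The model entry is
# the hash of the model file bytes, so models are treated like any other
# binary artifact.
MODEL_BYTES_V3 = b"constructed model weights, version 3"
RELEASE_MANIFEST = {
    "registry.example.internal/app/api": "sha256:" + "a" * 64,
    "registry.example.internal/app/worker": "sha256:" + "b" * 64,
    "models/sentiment-v3.bin": sha256_digest(MODEL_BYTES_V3),
}

# Constructed: what is observed running now. Each case exercises one outcome.
RUNTIME_INVENTORY = [
    {"name": "registry.example.internal/app/api", "ref": "sha256:" + "a" * 64},
    {"name": "registry.example.internal/app/worker", "ref": "sha256:" + "c" * 64},
    {"name": "registry.example.internal/app/cron", "ref": "sha256:" + "d" * 64},
    {"name": "registry.example.internal/app/web", "ref": "latest"},
    {"name": "registry.example.internal/app/batch", "ref": "sha256:deadbeef"},
    {"name": "models/sentiment-v3.bin", "ref": sha256_digest(MODEL_BYTES_V3)},
]


def classify(manifest, name, ref):
    """Return (status, detail) for one running artifact reference."""
    if not ref.startswith("sha256:"):
        return "unpinned", f"'{ref}' is a mutable tag, not a digest; cannot be verified"
    if not DIGEST_RE.match(ref):
        return "malformed", f"'{ref}' is not a well-formed sha256 digest"
    expected = manifest.get(name)
    if expected is None:
        return "unknown", "no release record for this artifact"
    if expected != ref:
        return "drift", f"running {ref[:19]}..., released {expected[:19]}..."
    return "ok", "matches release manifest"


def verify(manifest, inventory):
    """Classify every inventory entry; returns a list of (name, status, detail)."""
    return [(item["name"], *classify(manifest, item["name"], item["ref"]))
            for item in inventory]


def has_integrity_failures(report):
    """True if anything other than 'ok' was found; suitable as a gate."""
    return any(status != "ok" for _, status, _ in report)


if __name__ == "__main__":
    for name, status, detail in verify(RELEASE_MANIFEST, RUNTIME_INVENTORY):
        print(f"{status:9} {name}: {detail}")
```

The 'unpinned' case is the one most often missed: a deployment that references `latest` cannot be verified at all, regardless of what the registry holds, so the practical fix is to deploy by digest (or have admission control require it) before any runtime comparison is meaningful.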

The JFrog ML announcement builds on JFrog’s existing artifact management expertise and JFrog’s recent Qwak acquisition, creating an end-to-end AI offering. Customers can not only use Artifactory to manage models and related packages like any other artifact, but the new platform now provides wrap-around capabilities specific to the AI space – model training and inference deployments, version-controlled prompts, and AI-specific data pipelines and monitoring.  

Beyond the Summit: Insights from Arctiq 

Tool sprawl is one of the greatest challenges that customers face. Entirely aside from procurement difficulties – cost and complexity – every time another tool is added, a gap exists between that tool and whatever it integrates with. Some gaps are larger than others, but like a rock in the shoe they’ll frustrate and aggravate – and sometimes, things fall through those gaps and get lost. 

One of the difficulties in mitigating sprawl is understanding where tools align successfully and where you can use a single tool to provide end-to-end visibility within a specific scope. For customers already using Artifactory, JFrog has created an opportunity to reduce sprawl and improve visibility by adding security scanning and software supply chain management to a platform those customers are already supporting and comfortable with. 

If you’re concerned about tool sprawl in your environment and interested in how JFrog’s additional service offerings might fit into your existing SDLC tooling stack, or just looking for an independent, industry-informed perspective on reducing risk and cost by modernizing your software development lifecycle, feel free to reach out for a chat.

Post by Alex Vulovic
September 23, 2024
Alex has considerable experience designing both business and technical solutions to complex problems and leading teams implementing them.