Unifying proof from GitHub, ServiceNow, Sonar, and more, JFrog AppTrust delivers a trusted single source of truth for faster, more reliable, compliant software releases
JFrog Ltd. (“JFrog”) (NASDAQ: FROG), the Liquid Software company and creators of the JFrog Software Supply Chain Platform, today announced its first set of Evidence Ecosystem partners to be included in JFrog AppTrust. Customers can now collectively create a centralized, trusted audit trail with clear attestations across the software development lifecycle, helping increase visibility, eliminate risk, and ensure release readiness, gaining greater confidence in each delivery.
“To enable the agentic AI revolution in software delivery, wherein every agent will require proof before moving forward with any release, organizations need a clear, auditable single source of truth of their software delivery process,” said Gal Marder, Chief Strategy Officer, JFrog. “Together with our partners, we’re providing a trusted, DevGovOps solution for collecting cryptographically verifiable evidence and applying compliance policies. By verifying these policies across the software supply chain, organizations can confidently deliver trustworthy, compliant, secure applications in the agentic AI era.”
CISOs and DevSecOps leaders face immense pressure to meet the high standards of formal regulations as well as internal security requirements amid rapid software delivery demands. In the accelerating world of AI, automation of GRC will become more demanding, placing more complexity on delivery teams. Non-compliance puts customers' trust in the shipped software at risk and exposes organizations to fines, reputational damage, and legal issues. Relying on homegrown solutions and manual processes for software provenance is unsustainable, easy to challenge, and wastes precious developer time. Evidence Collection within the JFrog Platform generates a comprehensive audit trail that helps customers:
- Ensure Release Readiness of Software – Easily capture proof of the process software went through as it matured for release, inclusive of all tests, approvals, environments, and actions taken across the software development lifecycle (SDLC).
- Maintain a Single Source of Truth for cryptographically signed attestation data that is attached to your release artifacts, providing immutability and saving time for teams and auditors by eliminating the need to search across multiple systems.
- Simplify Auditing and Compliance Tracking by capturing evidence throughout each application’s lifespan, aiding and accelerating release decisions.
- Automate Evidence Collection across multiple tools, teams, and sites, reducing complexity.
To extend the richness of its evidence collection capabilities, JFrog is partnering with a dozen software leaders to create out-of-the-box evidence integrations, empowering organizations to consolidate SDLC process data into a single source of truth—crucial for GRC efforts in an era of rising security risks and regulatory scrutiny. JFrog’s initial group of Evidence Ecosystem partners will collect and share important software attestations such as:
- GitHub Actions build attestations will be converted into JFrog Evidence and remain stored alongside each software package indefinitely for compliance verification and policy enforcement.
- ServiceNow will share its change requests, approvals, and vulnerability exceptions as signed evidence in JFrog AppTrust.
- Sonar’s flagship product, SonarQube, will create and share signed code quality and code security issues along with code coverage attestations with JFrog Evidence.
- Akuity will provide signed deployment attestations via their Kargo platform, using existing evidence to validate that applications passed promotion gates and deployment environments before release.
- Akto will generate evidence containing security findings across OWASP Top 10 and compliance validation, creating verifiable proof that comprehensive API security testing was completed before release.
- CoGuard will attach signed configuration security scan results to software packages in JFrog, including Infrastructure as Code (IaC), application, and operating system findings as verifiable proof that security standards were met before deployment.
- Dagger will provide signed execution attestations from Dagger Cloud for local and CI workflow runs, creating verifiable proof of build and test processes with direct links to execution traces.
- Gradle will provide signed build attestations from its Develocity Provenance Governor platform as JFrog Evidence, capturing build metadata, dependency exposure, and performance insights to establish a binary chain of custody for high-velocity deployment assurance.
- NightVision will run API discovery from source code and high-speed, authenticated grey-box DAST scans, attaching signed results to images that provide evidence of vulnerabilities, exploit validation with code-level insights, and remediation guidance before release.
- Shipyard will provide signed ephemeral environment attestations capturing agentic and human validations with test outcomes as verifiable proof that reproducible end-to-end testing was completed before release.
- ai will perform automated security red teaming for AI models stored in JFrog and attach signed results as verifiable proof that comprehensive AI model behavioural testing was completed before deployment.
“As AI accelerates the pace of software development, developers and their organizations are struggling to ensure the highest levels of code quality and code security,” said Tariq Shaukat, CEO of Sonar. “Sonar’s partnership with JFrog addresses this challenge by integrating SonarQube’s industry-leading code analysis with JFrog Evidence, allowing for validated verification of all code, whether AI-generated or developer-written. By working together, we are enabling organizations to build high-quality, compliant software that fully embraces the speed of AI-driven development.”
Companies interested in learning more about JFrog Evidence and how it works with JFrog AppTrust should read this blog, visit our product page, or register for the “AppTrust, AI Catalog and more” webinar on October 9 at 9 AM PT. For more information on how to join JFrog’s AppTrust evidence partner ecosystem visit https://jfrog.com/about/become-a-partner/.
About us:
The Mainstream formerly known as CIO News is a premier platform dedicated to delivering latest news, updates, and insights from the tech industry. With its strong foundation of intellectual property and thought leadership, the platform is well-positioned to stay ahead of the curve and lead conversations about how technology shapes our world. From its early days as CIO News to its rebranding as The Mainstream on November 28, 2024, it has been expanding its global reach, targeting key markets in the Middle East & Africa, ASEAN, the USA, and the UK. The Mainstream is a vision to put technology at the center of every conversation, inspiring professionals and organizations to embrace the future of tech.