JFrog Curation vets and blocks infected open source or third-party packages before they enter development.

Software supply chain security provider JFrog has added a new DevSecOps capability, dubbed JFrog Curation, to validate open source packages before they enter development. Integrated with the JFrog Software Supply Chain Platform, JFrog Curation is designed to vet and block malicious or vulnerable open source and third-party software packages, along with their dependencies.

"Tracking open source can be like playing a game of whack-a-mole since what's safe today may not be safe tomorrow because new vulnerabilities are found daily," said IDC analyst Jim Mercer. "JFrog Curation can help simplify the developer experience by ensuring packages comply with established, regularly updated security policies and are validated against current and relevant vulnerability databases."

The new capability provides centralized control and automated enforcement of security policies on all packages before they're consumed by developers, JFrog said.

Vetting external dependencies for threats and compliance

The new capability will vet and block open source software components without compromising developer speed or project delivery, according to JFrog. It will create a "comprehensive and transparent" audit trail to help organizations comply with current and emerging regulatory requirements.

"It should help simplify things for developers and DevOps teams while making it easier for security teams to ensure the development teams are using open source components that are pre-vetted and comply with their defined policies," Mercer said.

JFrog Curation identifies risky packages from their binary metadata, flagging those with higher-severity CVEs or with operational or license compliance issues, so that each package does not have to be downloaded and scanned. Because the verdict rests on package metadata matched against vulnerability databases, it is only as good as the currency of those databases, hence the emphasis on regularly updated policies and current vulnerability data. Trying to do this manually without an automated solution like JFrog Curation is a lost cause, Mercer added.
Central visibility to eliminate solutions sprawl

The new capability will give central visibility and control over open source packages requested by a developer or build tool, with accurate, metadata-based insights. JFrog Curation will enable DevOps teams to "avoid unruly sprawl of various tool suites and integrations, by using a comprehensive solution for consistent, automated processes across development environments," JFrog said.

"There are a lot of organizations that are trying to figure out how to get visibility and control of open source using a variety of tools and approaches," IDC's Mercer said. "Organizations are leaning toward internally curated open source repositories to gain more control, but building and maintaining those repositories can be problematic."

JFrog Curation is available to customers at launch as part of the JFrog Software Supply Chain Platform.