Today, we’re introducing a new integration between GitHub and JFrog that connects your source code and your attested binaries in one secure, traceable workflow.
For developers who often find themselves jumping between multiple tools to figure out which commit produced which artifact — or piecing together results from separate security scans for code and binaries — this integration can save time and effort, centralizing everything you need all in one place.
Below, we’ll dig into why the GitHub and JFrog integration is important, how it works, and how you can start using it today.
Modern software delivery is a supply chain. Your source code, build pipelines, and production artifacts are all links in that chain — and every link needs to be secure, traceable, and automated. Likewise, any weak link is a point of ingress for bad actors to gain access to data that should remain private and secure.
But keeping this complete supply chain secure is challenging for developers who have numerous (and continually growing) responsibilities. When we talked to teams shipping at scale, we kept hearing the same pain points:
To address these issues, we worked closely with JFrog’s engineers to design a workflow where the commit that triggers a build is cryptographically linked to the artifact it produces, security scanning happens automatically and in context — providing the vulnerability scan attestations located in JFrog Evidence, and publishing and promoting artifacts, in compliance with an organization’s policies, is just another step in your GitHub Actions workflow, not a separate process.
Our goal: to remove friction, reduce risk, and give developers more time to focus on building features instead of managing handoffs.
The integration we’re announcing today unlocks a seamless experience that lets you:
The integration connects GitHub’s developer platform with JFrog’s software supply chain platform using secure authentication and build metadata.
Here’s the flow:
- name: Attest docker image
uses: actions/attest-build-provenance@v2
with:
subject-name: oci://${{ env.JF_REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ steps.build-and-push.outputs.digest }}Here’s an example of a workflow that you can use to generate the attestation and push it to Artifactory:
name: Build, Test & Attest
on:
push:
branches:
- main
env:
OIDC_PROVIDER_NAME: [...]
JF_URL: ${{ vars.JF_URL }}
JF_REGISTRY: ${{ vars.JF_REGISTRY }}
JF_DOCKER_REPO: [...]
IMAGE_NAME: [...]
BUILD_NAME: [...]
jobs:
build-test-deploy:
runs-on: ubuntu-latest
permissions:
contents: read
packages: write
attestations: write # Required for attestation
id-token: write # Added for OIDC token access
steps:
- name: Checkout code
uses: actions/checkout@v5
- name: Install JFrog CLI
id: setup-jfrog-cli
uses: jfrog/setup-jfrog-cli@v4.5.13
env:
JF_URL: ${{ env.JF_URL }}
with:
version: 2.78.8
oidc-provider-name: ${{ env.OIDC_PROVIDER_NAME }}
- name: Docker login
uses: docker/login-action@v3
with:
registry: ${{ env.JF_REGISTRY }}
username: ${{ steps.setup-jfrog-cli.outputs.oidc-user }}
password: ${{ steps.setup-jfrog-cli.outputs.oidc-token }}
- name: Set up Docker Buildx
uses: docker/setup-buildx-action@v3
- name: Build and push Docker image
id: build-and-push
uses: docker/build-push-action@v6
with:
context: .
push: true
tags: ${{ env.JF_REGISTRY }}/${{ env.IMAGE_NAME }}:${{ github.run_number }}
build-args: ${{ env.BUILD_ARGS }}
- name: Attest docker image
uses: actions/attest-build-provenance@v2
with:
subject-name: oci://${{ env.JF_REGISTRY }}/${{ env.IMAGE_NAME }}
subject-digest: ${{ steps.build-and-push.outputs.digest }}
artifact-registry:jfrog-artifactory.With this integration enabled, artifact lifecycle data is automatically pushed from JFrog to GitHub using GitHub’s new artifact metadata API. When an artifact is promoted to production in JFrog Artifactory, JFrog will automatically notify GitHub about the promotion, so that the artifact is picked up with the new Dependabot filter.
To get the most out of using GitHub and Jfrog Artifactory, here are a few best practices:
You can enable the GitHub and JFrog integration today to start building a more secure, automated, and traceable software supply chain.
For more details, check out the JFrog integration guide and the GitHub documentation.
April is a senior developer advocate and DevOps practice lead at GitHub, specializing in application transformation and DevOps ways of working. Her focus is to take customers of a journey from legacy technology, to serverless and containers, where code comes first, while enabling them to take full advantage of DevOps practices.
In April’s spare time she spends time outdoors hiking, skiing or scuba diving. She is also a triathlete competing in Ironman and Half Ironman triathlons.
Build what’s next on GitHub, the place for anyone from anywhere to build anything.
Catch up on the GitHub podcast, a show dedicated to the topics, trends, stories and culture in and around the open source developer community on GitHub.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。
