
JFrog unifies compliance with new evidence partners for AppTrust
JFrog has announced the extension of its system of record solution, integrating new evidence ecosystem partners into JFrog AppTrust, aiming to unify and streamline audit and compliance processes throughout the software delivery lifecycle.
The latest update brings together data and attestations from companies such as GitHub, ServiceNow, Sonar, and others, consolidating previously disparate sources into a single, trusted record. The company reports this integrated approach will help customers capture cryptographically verifiable evidence needed for governance and compliance, particularly as software supply chains grow in complexity amid the rise of artificial intelligence and automation.
Governance and compliance
Organisations delivering software at high velocity face increasing pressure to satisfy both external and internal regulations, as well as ever-expanding security requirements. As AI accelerates the pace of software delivery, leaders in security and governance have highlighted the growing challenges of ensuring transparent, auditable, and reliable processes.
"To enable the agentic AI revolution in software delivery, wherein every agent will require proof before moving forward with any release, organizations need a clear, auditable single source of truth of their software delivery process," said Gal Marder, Chief Strategy Officer, JFrog. "Together with our partners, we're providing a trusted, DevGovOps solution for collecting cryptographically verifiable evidence and applying compliance policies. By verifying these policies across the software supply chain, organizations can confidently deliver trustworthy, compliant, secure applications in the agentic AI era."
JFrog's approach includes evidence collection within its platform, aiming to generate a comprehensive audit trail for each stage of the software lifecycle. According to the company, this is intended to make it easier to ensure release readiness, maintain a single source of truth for signed attestation data, and simplify auditing and compliance tracking. Automating these processes is positioned as a way to reduce both complexity and time requirements for compliance teams.
Partner ecosystem
To broaden its evidence collection capabilities, JFrog has formed partnerships with a range of software vendors. The company's evidence ecosystem is designed to integrate process data from these disparate sources, providing consolidated audit trails for governance, risk, and compliance (GRC) efforts.
The initial group of JFrog's partners and their contributions include:
- GitHub Actions will provide build attestations, stored alongside the software packages they describe and retained indefinitely for policy verification and compliance checks.
- ServiceNow will contribute signed change requests, approvals, and vulnerability exceptions.
- SonarQube from Sonar will share signed code quality and security issues, as well as code coverage attestations.
- Akuity's Kargo platform will deliver deployment attestations, validating promotion gates and deployment environments prior to release.
- Akto will create evidence of API security testing and compliance validation, including OWASP Top 10 findings.
- CoGuard will provide configuration security scan results, covering infrastructure as code, application, and operating system standards.
- Dagger Cloud will offer signed execution attestations for both local and CI workflow runs, including links to execution traces.
- Gradle's Develocity Provenance Governor platform will supply build metadata, dependency exposures, and performance insights as evidence.
- NightVision will contribute API discovery and dynamic application security scan results, attached as signed attestations.
- Shipyard will collect ephemeral environment attestations capturing validations and reproducible end-to-end testing outcomes.
- Troj.ai will perform automated security red teaming for AI models, attaching signed attestations that record the results of the behavioural testing.
Focus on code quality and security
The collaboration with Sonar has been highlighted by executives as particularly relevant to the challenge of maintaining code quality at the speed of AI development.
"As AI accelerates the pace of software development, developers and their organizations are struggling to ensure the highest levels of code quality and code security," said Tariq Shaukat, CEO of Sonar. "Sonar's partnership with JFrog addresses this challenge by integrating SonarQube's industry-leading code analysis with JFrog Evidence, allowing for validated verification of all code, whether AI-generated or developer-written. By working together, we are enabling organizations to build high-quality, compliant software that fully embraces the speed of AI-driven development."
JFrog states that its centralised solution allows organisations to automate the collection of evidence from multiple tools, teams, and sites, moving away from manual, homegrown processes that are increasingly unsustainable for compliance and risk management purposes.