JFrog Curation blocks malicious open source software packages

DevSecOps system validates incoming software packages against JFrog’s security research library to establish a repository of trustworthy components for software developers to use.


JFrog has unveiled JFrog Curation, a DevSecOps system designed to prevent malicious or risky open source or third-party software packages from entering an organization's software development pipeline.

JFrog Curation blocks the use of risky open source software packages without compromising development speed or the developer experience, JFrog said. It relies on binary metadata to identify packages that are malicious or that carry high-severity CVEs (Common Vulnerabilities and Exposures), operational risks, or license compliance issues. Because the decision is made from metadata, a package does not have to be downloaded and scanned before use, which preserves developer speed and ease of use, JFrog said.

JFrog Curation validates incoming software packages against JFrog’s security research library of recorded CVEs and publicly available information to establish a repository of pre-approved, third-party software components for development use. It provides central visibility and governance of every open source package requested by a developer or build tool and creates an audit trail to comply with regulatory requirements, JFrog said.
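To make the gating model described above concrete, here is an added example that is not JFrog's code and does not describe how Curation is implemented internally: a small Python policy engine that decides on a requested package from its metadata alone (ecosystem, name, version, declared license), matches it against a constructed advisory list and a license denylist, and appends every decision to an audit trail. The advisory identifiers, package names, and severity threshold are all constructed for the example.

```python
"""Metadata-only package curation gate (added example, not JFrog's code).

Decides whether a requested package may enter the build without downloading
it: the inputs are the package coordinates and declared license, and the
outputs are an allow/block decision plus an audit record.
"""
import json
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Tuple

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample advisories (hypothetical IDs and package names).
# Affected versions are the half-open range [introduced, fixed).
ADVISORIES = [
    {"id": "ADV-0001", "ecosystem": "npm", "package": "left-pad-ish",
     "introduced": "1.0.0", "fixed": "1.3.1", "severity": "high"},
    {"id": "ADV-0002", "ecosystem": "pypi", "package": "requests-lite",
     "introduced": "0.0.0", "fixed": "2.0.0", "severity": "critical"},
    {"id": "ADV-0003", "ecosystem": "npm", "package": "left-pad-ish",
     "introduced": "1.2.0", "fixed": "1.2.5", "severity": "low"},
]
# Constructed set of (ecosystem, name) pairs treated as known malicious.
MALICIOUS = {("npm", "colors-evil")}


@dataclass
class Policy:
    """Organization policy: block at or above this severity, deny these licenses."""
    block_severity_at_least: str = "high"
    license_denylist: frozenset = frozenset({"AGPL-3.0-only", "SSPL-1.0"})


@dataclass
class Decision:
    allowed: bool
    reasons: List[str] = field(default_factory=list)


def parse_version(v: str) -> Tuple[int, ...]:
    """Parse plain dotted versions ("1.2.10") into comparable tuples.
    Pre-release suffixes are out of scope for this example."""
    return tuple(int(part) for part in v.split("."))


def is_affected(version: str, introduced: str, fixed: str) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def curate(ecosystem: str, name: str, version: str, license_id: str,
           policy: Policy, audit_log: List[Dict]) -> Decision:
    """Evaluate one package request and append the decision to audit_log."""
    reasons: List[str] = []
    if (ecosystem, name) in MALICIOUS:
        reasons.append(f"{name} is a known malicious package")
    threshold = SEVERITY_RANK[policy.block_severity_at_least]
    for adv in ADVISORIES:
        if (adv["ecosystem"], adv["package"]) != (ecosystem, name):
            continue
        if not is_affected(version, adv["introduced"], adv["fixed"]):
            continue
        # Advisories below the policy threshold are visible but do not block.
        if SEVERITY_RANK[adv["severity"]] >= threshold:
            reasons.append(f'{adv["id"]} ({adv["severity"]}) affects {version}')
    if license_id in policy.license_denylist:
        reasons.append(f"license {license_id} is on the denylist")
    decision = Decision(allowed=not reasons, reasons=reasons)
    audit_log.append({
        "time": datetime.now(timezone.utc).isoformat(),
        "package": f"{ecosystem}:{name}@{version}",
        "license": license_id,
        "decision": "allow" if decision.allowed else "block",
        "reasons": list(reasons),
    })
    return decision


if __name__ == "__main__":
    log: List[Dict] = []
    pol = Policy()
    for req in [("npm", "left-pad-ish", "1.2.0", "MIT"),
                ("npm", "left-pad-ish", "1.3.1", "MIT"),
                ("npm", "colors-evil", "1.0.0", "MIT"),
                ("pypi", "tinylib", "0.1.0", "SSPL-1.0")]:
        d = curate(*req, pol, log)
        print(req, "allow" if d.allowed else "block", d.reasons)
    print(json.dumps(log, indent=2))
```

The version range check is where such gates most often go wrong: the fixed version itself must be allowed (half-open range), and advisories below the configured severity must not block but should still be recorded if the organization wants them in the audit trail. A real deployment would replace the constructed `ADVISORIES` list with a curated feed and persist `audit_log` somewhere append-only.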

Copyright © 2023 IDG Communications, Inc.
