JFrog has unveiled JFrog Curation, a devsecops system designed to prevent malicious or risky open source or third-party software packages from entering an organization’s software development pipeline.
JFrog Curation blocks the use of risky open source software packages without compromising development speed or the developer experience, JFrog said. It uses binary metadata for identifying malicious packages with higher-severity CVEs (Critical Vulnerabilities and Exposures), operational, or license compliance issues. This removes the need to download each package for scanning before use, thus preserving developer ease and speed, JFrog said.
JFrog Curation validates incoming software packages against JFrog’s security research library of recorded CVEs and publicly available information to establish a repository of pre-approved, third-party software components for development use. It provides central visibility and governance of every open source package requested by a developer or build tool and creates an audit trail to comply with regulatory requirements, JFrog said.