Automatic securing of code and packages with JFrog in GitHub Copilot
JFrog and GitHub link a range of tools and functions to secure code, deployment and supply chain – with Copilot and in Actions.
(Image: Travel mania/Shutterstock.com)
The AI coding assistant GitHub Copilot is getting a boost from the security tools of the DevSecOps platform JFrog. Copilot automatically detects vulnerabilities as well as corrupt and non-compliant packages in the code via JFrog's MCP server (Model Context Protocol). If a vulnerability is found, it immediately offers suggestions for corrections. JFrog has also introduced a service for managing AI models and resources in the company as well as an agent-controlled repository for the provision of software as a beta.
Communication from GitHub Copilot to JFrog is via the MCP protocol, which provides resources from JFrog's security agent curation and associated vulnerability catalog. Copilot checks the code for developers in the IDE for CVE vulnerabilities and problems in dependent open source packages that are either insecure or do not comply with the company's compliance rules. The developers receive inline correction suggestions in the context of the code and can retrieve further information on the issues identified. These functions require the JFrog Ultimate or Unified Security products.
The CLC program, from 18 to 20 November 2025 in Mannheim, covers all topics related to platform engineering and developer experience. Tickets and further information on the CLC website.
Together with GitHub, JFrog will also offer repositories to secure the entire lifecycle of a software component beyond delivery. These functions can be integrated into Actions via the Artifactory service following the standard tests.
Videos by heise
AI management in the company
In addition to the tools in cooperation with GitHub, JFrog has published further innovations: the AI Catalogue will be available in future for the management of AI resources within the company. It is used to manage and provide all AI models and resources within the company. It also creates secure connections to external models such as those from OpenAI or Anthropic, Nvidia Nemotron or those on Hugging Face. Developers can access secure and compliant AI resources via the catalog.
Deployment via chat
"No setup. No scripts. Just chat to build and deploy." – This is the slogan of the new agent-supported repository JFrog Fly, which is currently only available as a closed beta. It is designed to span the entire life cycle of software and communicate with other components and repositories, such as GitHub or Claude Code, via MCP.
(who)
