
How to use the GitHub and JFrog integration for secure, traceable builds from commit to production
Connect commits to artifacts without switching tools.

DevSecOps guides about integrating security into every phase of enterprise software development. Learn how to implement security checks within your continuous integration and continuous deployment (CI/CD) pipelines, use automated tools to detect vulnerabilities early, and ensure compliance. Whether you’re new to DevSecOps or looking to deepen your expertise, we have you covered.
Learn how GitHub Artifact Attestations can enhance your build security and help your organization achieve SLSA Level 3. This post breaks down the basics of SLSA, explains the importance of artifact attestations, and provides a step-by-step guide to securing your build process.
When socializing a new security tool, it is possible to build a bottom-up security culture where engineering has a seat at the table. Let’s explore some effective strategies witnessed by the GitHub technical sales team to make this shift successful.
Developers care about security, but poorly integrated tools and other factors can cause frustration. Here are five best practices to reduce friction.
In a world where software and hardware are ubiquitous, GitHub can help enable secure development for mission-critical embedded systems.
Explore how GitHub Advanced Security can help address several of the OWASP Top 10 vulnerabilities.
Discovering passwords in our codebase is probably one of our worst fears. But what if you didn’t need passwords at all, and could deploy to your cloud provider another way? In this post, we explore how you can use OpenID Connect to trust your cloud provider, enabling you to deploy easily, securely and safely, while minimizing the operational overhead associated with secrets (for example, key rotations).
With innersource, it’s important to measure both the amount of innersource activity and the quality of the code being created. Here’s how.
GitHub Actions can automate several common security and compliance tasks, even if your CI/CD pipeline is managed by another tool.
To best apply DevSecOps principles and improve the security of your supply chain, ask your developers to declare dependencies in code, and in turn provide them with maintained ‘golden’ artifacts and automated downstream actions so they can focus on code.
Integrating static analysis security testing into the developer workflow is hard. We discuss the challenges and how to overcome them.
When developers share the responsibility of security, perform security testing earlier in your development lifecycle, and use Git as a source of truth, you can help your development teams find and remediate security issues faster.
GitHub provides the security capabilities to achieve Level 1 of the OWASP DevSecOps Maturity Model. In this post, we explore the principles of DSOMM Level 1 and how you can implement secret scanning, SCA, SAST and DAST using native tooling on GitHub.
By prioritizing secure development alongside speed, DevSecOps helps you ship safer applications by making security part of your current DevOps pipeline.
Learn how you can streamline your bug reporting and issue reviewing workflows from the CEO and Co-founder of Marker.io, Gary Gaspar.