Innovation in Action: Highlights from JFrog swampUP 2025

From September 8 to 10, we attended swampUP 2025, JFrogʼs annual customer conference held in Napa, California. This event brought together developers, operations teams, security, compliance, and AI/ML leaders.

At the event, six new products were announced, reinforcing JFrog's position as the unified platform and system of record for the software supply chain. Below is a summary of the main news and key insights from the event:

Announcements

The Quantum Shift is Reshaping Software Delivery

JFrogʼs founder and CEO, Shlomi Ben Haim, opened swampUP 2025, proclaiming: “AI is driving a quantum shift in software delivery.”

Shlomi Ben Haim, Founder & CEO of JFrog

Todayʼs world is now autonomous and moves at what seems like warp speed. At Microsoft and Google, 30% of their software code is now generated by AI. The speed of software releases has increased significantly, all in a tangle of uncontrollable dependencies. Adding the growing number of security incidents, itʼs easy to see why software releases in the AI era seem out of human control.

To thrive in this new autonomous world, we need a quantum shift in how we approach software delivery, based on three key principles:

  • A unified platform acting as a system of record for the software supply chain is the foundation for teams to manage and control everything that goes into their software, including AI models.
  • A connected ecosystem of foundational platforms is necessary to deliver fully integrated workflows to development teams.
  • DevGovOps (integrating and automating GRC) will emerge as a key practice to help teams launch secure, reliable, and compliant software applications.

Foundational Platforms Must Collaborate for Integrated Workflows

Addressing the quantum shift requires a connected ecosystem, where industry leaders partner to provide fully integrated workflows to development teams. Whether accelerating AI/ML development, preventing new software supply chain attacks, or driving application governance through DevGovOps, foundational platforms must work together to meet these challenges.

On the keynote stage, JFrog was joined by industry leaders like GitHub, NVIDIA, and Sonar, highlighting a vision of an integrated ecosystem that aligns with customersʼ strategic solutions:

  • NVIDIA: NVIDIA NIMs are integrated into JFrog AI Catalog—the unified AI registry system for development organizations—to ensure a centralized hub for all their AI models and initiatives.
  • Sonar: Presented a new integration that brings SonarQubeʼs quality and security certifications to JFrog AppTrust, powering the DevGovOps policy engine.
  • GitHub: Introduced an integration that brings build provenance from GitHub and other certifications to JFrog AppTrust, providing the crucial link between code and binaries.

JFrogʼs Agentic Remediation works through enhanced integration between GitHub Copilot and JFrogʼs security suite, delivering an autonomous security experience powered by JFrogʼs leading security scanners and the latest findings from the JFrog Security Research team.

Product Innovation

Six innovative products were announced, enabling customers to navigate the AI-driven quantum shift with the JFrog platform:

1- JFrog AppTrust: The Industryʼs First DevGovOps Solution for Application Risk Governance

AI coding tools help teams deliver software at high speed, but often at the cost of visibility and trust. Without a way to govern or verify application risk, companies are exposed to costly security incidents. However, if you manage this risk by overloading developers with compliance tasks, innovation slows and friction is created. In modern software development, itʼs not about speed or trust; you need both.

To instill trust seamlessly, JFrog introduced AppTrust, the first true application risk governance solution for DevGovOps. By storing process evidence alongside relevant linked artifacts as they move through the SDLC, only JFrog can provide complete visibility into your applications. By controlling artifact flow through evidence-based policy gates, AppTrust ensures teams can continuously trust every application released and running in production.

Key capabilities:

  • Trust and verification of every application with automated, context-based security controls. Automates and optimizes promotion processes to ensure applications meet security, compliance, and quality standards before release.
  • Continuous monitoring of new vulnerabilities (CVEs) after release.
  • Automates evidence collection through a growing ecosystem of native integrations, including ServiceNow ITSM, GitHub Artifact Attestations, SonarQube, and more.
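To make the idea of evidence-based policy gates concrete, here is an added illustration (not AppTrust's own API or data format): a release candidate carries evidence records bound to its artifact digest, each target stage requires a specific set of them, and promotion fails closed when evidence is missing, fails its check, or was issued for a different build. The evidence kinds, stage names and thresholds are assumptions for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Evidence:
    kind: str      # "build-provenance", "quality-gate", "cve-scan" or "change-ticket" (assumed kinds)
    subject: str   # digest of the artifact the evidence was issued for
    data: dict = field(default_factory=dict)

# Evidence each target stage requires. Later stages require strictly more, and
# the gate fails closed: missing or failing evidence blocks promotion.
POLICY = {
    "staging": {"build-provenance", "quality-gate"},
    "prod": {"build-provenance", "quality-gate", "cve-scan", "change-ticket"},
}

def evidence_satisfies_policy(ev: Evidence) -> bool:
    """Content checks per evidence kind (constructed thresholds)."""
    if ev.kind == "quality-gate":
        return ev.data.get("status") == "passed"
    if ev.kind == "cve-scan":
        return ev.data.get("critical", 1) == 0   # an unknown count counts as failing
    if ev.kind == "change-ticket":
        return ev.data.get("state") == "approved"
    return ev.kind == "build-provenance"         # presence of a provenance record is enough here

def evaluate_promotion(digest: str, stage: str, evidence: list) -> tuple:
    """Return (allowed, reasons); only evidence linked to this exact digest counts."""
    required = POLICY.get(stage)
    if required is None:
        return False, [f"unknown stage {stage!r}"]
    linked = {ev.kind: ev for ev in evidence if ev.subject == digest}
    reasons = []
    for kind in sorted(required):
        ev = linked.get(kind)
        if ev is None:
            reasons.append(f"missing {kind} evidence for {digest}")
        elif not evidence_satisfies_policy(ev):
            reasons.append(f"{kind} evidence does not satisfy policy")
    return not reasons, reasons

# Constructed sample: provenance and a passed quality gate for sha256:abc, a scan
# with one critical CVE, and a change ticket that was approved for a different build.
SAMPLE = [
    Evidence("build-provenance", "sha256:abc", {"builder": "github-actions"}),
    Evidence("quality-gate", "sha256:abc", {"status": "passed"}),
    Evidence("cve-scan", "sha256:abc", {"critical": 1}),
    Evidence("change-ticket", "sha256:other", {"state": "approved"}),
]
```

With this sample the staging gate opens, while the prod gate refuses the same build for two independent reasons: the change ticket is bound to another digest, and the scan reports a critical CVE.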

2- JFrog AI Catalog: The Unified AI Registry System

With models changing daily and a lack of industry standards for managing and securing ML models, enterprise AI adoption is a major challenge. Although companies are investing heavily in AI, many have even blocked external model downloads due to lack of visibility and trust. Itʼs clear a modern approach is needed to govern ML development.

To enable organizations to comprehensively curate AI models, JFrog introduced AI Catalog, a unified registry system for AI/ML models. This solution allows you to govern, secure, and deliver all internal and external ML models from a single place. AI Catalog helps index approved ML models, providing the clarity and speed needed for data science and ML teams to keep pace with development.

Key capabilities:

  • Provides a single registry system for all types of ML models, including open source, custom, and externally hosted models, with native integrations to platforms like NVIDIA NIM and HuggingFace.
  • Governance and control over who can use which models and for what purpose.
  • Enables developers and data scientists to discover pre-approved internal and external models to choose the most suitable for each use case.
  • Delivers secure, inference-ready models.

3- JFrog Fly: The Worldʼs First Autonomous Repository

AI-generated code has accelerated the creation of new builds, turning what used to be a trickle of new versions into a constant stream. This pace has overwhelmed development teams, who struggle to track and manage each release candidate manually. Now itʼs very difficult to find a specific version containing a particular change, creating bottlenecks that slow delivery speed.

This is where autonomous software development comes in. Developers, especially in small, fast teams, are already adopting agent-assisted coding. The next evolution is enabling autonomous releases, where the context of new versions is captured and delivered continuously to development teams in a fully autonomous way. This is possible with the launch of JFrog Fly, the worldʼs first autonomous repository.

Key capabilities:

  • Optimizes developer productivity with a transparent, native AI development experience, accelerating delivery with more confidence.
  • Allows zero-configuration setup to maintain developer workflow.
  • Manages the flood of AI-generated code and versions with semantic context, instead of hard-to-follow version numbers and release notes.
  • Integrates with essential tools like GitHub and Kubernetes to apply reliable DevOps practices in AI-driven workflows.

Developers interested in joining the beta waitlist can visit the JFrog Fly page.

4- Agentic Remediation: AI-Assisted Curation and Remediation

The acceleration of AI-generated code is accompanied by a proportional increase in vulnerabilities, projected to exceed 50,000 new CVEs in 2025.

Keeping up with these threats is possible thanks to Agentic Remediation, which helps developers automatically identify and remediate vulnerabilities within their workflow. By bringing the power of JFrog SAST, Catalog, and Curation to GitHub Copilot via JFrogʼs MCP servers, developers can fix vulnerabilities in seconds without leaving their IDE.

Key capabilities:

  • Automatically identifies and fixes security and quality issues as code is written.
  • Prevents dependency and package issues from entering the supply chain.
  • Accelerates remediation by integrating seamlessly into developer workflows.

5- Developer Extensions Security: Reducing the Security Attack Surface

In July 2025, a malicious actor highlighted the growing threat to the software supply chain by attacking a VS Code extension for Amazon Q. The attacker injected a malicious prompt into an apparently harmless pull request; once the request was accepted, the prompt instructed Amazon Q to delete all accessible data on local machines and in cloud environments. Although Amazon quickly detected and removed the compromised extension, the incident underscores the urgent need to evolve security.

To protect organizations from threats in third-party tools, JFrog launched Developer Extensions Security, extending JFrog Curation to IDE extensions. This solution:

  • Filters malicious or risky extensions before they enter the organization.
  • Establishes a repository of trusted extensions.
  • Provides visibility and protection to developers against emerging threats.

6- Transitive Contextual Analysis & Runtime Scope: Visibility into What Scanners Miss

Transitive Contextual Analysis:

90% of vulnerabilities come from transitive dependencies downloaded along with OSS packages. Most scanners only inspect direct dependencies, leaving organizations exposed.

  • Detects and remediates hidden vulnerabilities in transitive dependencies, prioritizing exploitable threats to avoid false alarms.
  • Reduces the attack surface exploitable by hackers.

Runtime Scope:

Many scanners donʼt consider whether a vulnerability is actually deployed in a live environment. Without this information, undetected threats remain in production.

Key capabilities:

  • Automatically scans running artifacts to detect threats.
  • Prioritizes critical threats that hackers can exploit in production, closing the riskiest blind spot in the SDLC.
  • Uses JFrogʼs best scanners to detect the latest threats in production, ensuring protection where it matters most.
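The two gaps described in this section, direct-only scanning and missing runtime context, are easy to see on a small dependency graph. The following added example (not JFrog's code; the graph, advisory feed, placeholder CVE ids and runtime inventory are all constructed) contrasts a direct-only scan with a transitive walk that records how each vulnerable package was pulled in, then orders the findings so that packages actually loaded in the live environment come first, ahead of a more severe finding that never runs.

```python
from collections import deque

# Constructed dependency graph: the application, its declared (direct) dependencies,
# and the packages those pull in transitively.
DEPS = {
    "app": ["web-framework", "json-lib"],
    "web-framework": ["http-parser", "template-engine"],
    "template-engine": ["regex-utils"],
    "json-lib": [], "http-parser": [], "regex-utils": [],
}
# Constructed advisory feed keyed by package; the CVE ids are placeholders.
ADVISORIES = {
    "http-parser": {"id": "CVE-XXXX-0001", "severity": "critical"},
    "regex-utils": {"id": "CVE-XXXX-0002", "severity": "high"},
    "json-lib": {"id": "CVE-XXXX-0003", "severity": "medium"},
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}

def direct_scan(root):
    """What a direct-only scanner reports: advisories on the root's declared deps."""
    return {p: ADVISORIES[p] for p in DEPS.get(root, []) if p in ADVISORIES}

def transitive_scan(root):
    """Breadth-first walk of the whole dependency closure. Each finding keeps the
    path from the root so a hit in a transitive package can be traced back to
    the direct dependency that introduced it."""
    findings, seen, queue = {}, {root}, deque([(root, [root])])
    while queue:
        pkg, path = queue.popleft()
        for dep in DEPS.get(pkg, []):
            if dep in seen:          # diamond dependencies are visited once
                continue
            seen.add(dep)
            if dep in ADVISORIES:
                findings[dep] = {**ADVISORIES[dep], "path": path + [dep]}
            queue.append((dep, path + [dep]))
    return findings

def prioritize(findings, deployed):
    """Runtime-scope ordering: findings in packages observed loaded in the live
    environment come first, then by severity. `deployed` is a constructed
    runtime inventory (the set of package names seen running)."""
    return sorted(findings.items(),
                  key=lambda kv: (kv[0] not in deployed, SEVERITY_RANK[kv[1]["severity"]]))

# Constructed runtime inventory: template-engine (and so regex-utils) never loads in prod.
RUNNING = {"app", "web-framework", "http-parser", "json-lib"}
```

On this graph the direct-only scan reports just json-lib, while the transitive walk also surfaces the critical http-parser finding two hops down; the runtime-scoped ordering then ranks the deployed medium json-lib issue above the high regex-utils issue that is never loaded.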


Kelly Hartman, Global Channel & Alliances SVP at JFrog

With these announcements, JFrog reaffirms its vision of a connected, secure, and autonomous ecosystem, where innovation and trust go hand in hand. Want to explore or learn how you can apply these new solutions? As JFrog partners, we can advise you according to your needs; connect with us for more information.


What are ITSM processes?

ITIL version 4 recently went from recommending ITSM “processes” to introducing 34 ITSM “practices”. Their reasoning for this updated terminology is that “elements such as culture, technology, information and data management can be considered to get a holistic view of ways of working”. This more comprehensive approach better reflects the realities of modern organizations.

Here, we will not concern ourselves with nuanced differences in the use of practice or process terminology. What’s important and true, no matter what framework your team follows, is that modern IT service teams use organizational resources and follow repeatable procedures to deliver consistent and efficient service. In fact, leveraging practice or process is what distinguishes ITSM from IT.

Change management ensures standard procedures are used for efficient and prompt handling of all changes to IT infrastructure, whether it’s rolling out new services, managing existing ones, or resolving problems in the code. Effective change management provides context and transparency to avoid bottlenecks, while minimizing risk. Don’t feel overwhelmed by these and the even longer list of ITIL practices.

Problem management is the process of identifying and managing the causes of incidents on an IT service. Problem management isn’t just about finding and fixing incidents, but identifying and understanding the underlying causes of an incident as well as identifying the best method to eliminate the root causes.

Incident management is the process to respond to an unplanned event or service interruption and restore the service to its operational state. Considering all the software services organizations rely on today, there are more potential failure points than ever, so this process must be ready to quickly respond to and resolve issues.

IT asset management (also known as ITAM) is the process of ensuring an organization’s assets are accounted for, deployed, maintained, upgraded, and disposed of when the time comes. Put simply, it’s making sure that the valuable items, tangible and intangible, in your organization are tracked and being used.

Knowledge management is the process of creating, sharing, using, and managing the knowledge and information of an organization. It refers to a multidisciplinary approach to achieving organizational objectives by making the best use of knowledge.

Service request management is a repeatable procedure for handling the wide variety of customer service requests, like requests for access to applications, software enhancements, and hardware updates. The service request workstream often involves recurring requests, and benefits greatly from enabling customers with knowledge and automating certain tasks.

It’s simply not enough to have an ITSM solution – you need one that actually accelerates how your teams work.

Atlassian’s ITSM solution unlocks IT at high velocity by streamlining workflows across development and operations at scale. This means that what were once many siloed teams with different ways of working are now integrated and more collaborative than ever before.

ITSM benefits your IT team, and service management principles can improve your entire organization. ITSM leads to efficiency and productivity gains. A structured approach to service management also brings IT into alignment with business goals, standardizing the delivery of services based on budgets, resources, and results. It reduces costs and risks, and ultimately improves the customer experience.