JFrog Extends its System of Record Solution, Empowering Application Delivery Governance with Evidence from World-Leading Companies

Unifying proof from GitHub, ServiceNow, Sonar, and more, JFrog AppTrust delivers a trusted single source of truth for faster, more reliable, compliant software releases

Sunnyvale and Napa Valley, Calif. - swampUP 2025 - September 9, 2025 - JFrog Ltd. ("JFrog") (NASDAQ: FROG), the Liquid Software company and creators of the JFrog Software Supply Chain Platform, today announced its first set of Evidence Ecosystem partners to be included in JFrog AppTrust. Customers can now collectively create a centralized, trusted audit trail with clear attestations across the software development lifecycle, helping increase visibility, eliminate risk, and ensure release readiness, gaining greater confidence in each delivery.

"To enable the agentic AI revolution in software delivery, wherein every agent will require proof before moving forward with any release, organizations need a clear, auditable single source of truth of their software delivery process," said Gal Marder, Chief Strategy Officer, JFrog. "Together with our partners, we're providing a trusted, DevGovOps solution for collecting cryptographically verifiable evidence and applying compliance policies. By verifying these policies across the software supply chain, organizations can confidently deliver trustworthy, compliant, secure applications in the agentic AI era."

CISOs and DevSecOps leaders face immense pressure to meet high standards of formal as well as internal regulations and security requirements amid rapid software delivery demands. In the accelerating world of AI, automation of GRC will become more demanding, placing more complexity on delivery teams. Non-compliance poses risks to the trust of customers in the software being shipped, as well as fines, reputational damage, and legal issues. Relying on homegrown solutions and manual processes for software provenance is unsustainable, easy to challenge and wastes precious developer time. Evidence Collection within the JFrog Platform generates a comprehensive audit trail that helps customers:

• Ensure Release Readiness of Software - Easily capture proof of the process software went through as it matured for release, inclusive of all tests, approvals, environments, and actions taken across the software development lifecycle (SDLC).
• Maintain a Single Source of Truth for cryptographically signed attestation data that is attached to your release artifacts, providing immutability and saving time for teams and auditors by eliminating the need to search across multiple systems.
• Simplify Auditing and Compliance Tracking by capturing evidence throughout each application's lifespan, aiding and accelerating release decisions.
• Automate Evidence Collection across multiple tools, teams, and sites, reducing complexity.

To extend the richness of its evidence collection capabilities, JFrog is partnering with a dozen software leaders to create out-of-the-box evidence integrations, empowering organizations to consolidate SDLC process data into a single source of truth-crucial for GRC efforts in an era of rising security risks and regulatory scrutiny. JFrog's initial group of Evidence Ecosystem partners will collect and share important software attestations such as:

• GitHub Actions build attestations will be converted into JFrog Evidence and remain stored alongside each software package indefinitely for compliance verification and policy enforcement.
• ServiceNow will share its change requests, approvals, and vulnerability exceptions as signed evidence in JFrog AppTrust.
• Sonar's flagship product, SonarQube, will create and share signed code quality and code security issues along with code coverage attestations with JFrog Evidence.
• Akuity will provide signed deployment attestations via their Kargo platform, using existing evidence to validate applications passed promotion gates and deployment environments before release.
• Akto will generate evidence containing security findings across OWASP Top 10 and compliance validation, creating verifiable proof that comprehensive API security testing was completed before release.
• CoGuard will attach signed configuration security scan results to software packages in JFrog, including Infrastructure as Code (IaC), application, and operating system findings as verifiable proof that security standards were met before deployment.
• Dagger will provide signed execution attestations from Dagger Cloud for local and CI workflow runs, creating verifiable proof of build and test processes with direct links to execution traces.
• Gradle will provide signed build attestations from its Develocity Provenance Governor platform as JFrog Evidence, capturing build metadata, dependencies exposure, and performance insights to establish binary chain of custody for high-velocity deployment assurance.
• NightVision will run API discovery from source code and high-speed, authenticated grey-box DAST scans, attaching signed results to images that provide evidence of vulnerabilities, exploit validation with code-level insights, and remediation guidance before release.
• Shipyard will provide signed ephemeral environment attestations capturing agentic and human validations with test outcomes as verifiable proof that reproducible end-to-end testing was completed before release.
• Troj.ai will perform automated security red teaming for AI models stored in JFrog and attach signed results as verifiable proof that comprehensive AI model behavioral testing was completed before deployment.

"As AI accelerates the pace of software development, developers and their organizations are struggling to ensure the highest levels of code quality and code security," said Tariq Shaukat, CEO of Sonar. "Sonar's partnership with JFrog addresses this challenge by integrating SonarQube's industry-leading code analysis with JFrog Evidence, allowing for validated verification of all code, whether AI-generated or developer-written. By working together, we are enabling organizations to build high-quality, compliant software that fully embraces the speed of AI-driven development."

Companies interested in learning more about JFrog Evidence and how it works with JFrog AppTrust should read this blog, visit our product page, or register for the "AppTrust, AI Catalog and more" webinar on October 9 at 9 AM PT. For more information on how to join JFrog's AppTrust evidence partner ecosystem visit https://jfrog.com/about/become-a-partner/.

###

Like this Story? Tweet this: In the agentic AI era, every agent must have verifiable proof before proceeding with a release. @JFrog AppTrust and its evidence ecosystem provides a trusted, auditable, single source of truth for the entire SDLC, ensuring transparency, control, and confidence at every step. Learn more https://bit.ly/45U9Ewr #DevSecOps #security #softwaresupplychain

About JFrog

JFrog Ltd. (Nasdaq: FROG), the creators of the unified DevOps, DevSecOps and MLOps platform, is on a mission to create a world of software delivered without friction from developer to production. Driven by a "Liquid Software" vision, the JFrog Software Supply Chain Platform is a single system of record that powers organizations to build, manage, and distribute software quickly and securely, that is available, traceable, and tamper-proof. Integrated security features also help identify, protect, and remediate against threats and vulnerabilities. JFrog's hybrid, universal, multi-cloud platform is available as both SaaS services across major cloud service providers and self-hosted. Millions of users and 7K+ customers worldwide, including a majority of the Fortune 100, depend on JFrog solutions to securely embrace digital transformation. Learn more at https://www.jfrog.com or follow us on X @JFrog.

Cautionary Note About Forward-Looking Statements

This press release contains "forward-looking" statements, as that term is defined under the U.S. federal securities laws, including, but not limited to, statements regarding our expectations with respect to the anticipated performance of the JFrog AppTrust Evidence Ecosystem, and the ability of JFrog and its partners to successfully collect and share software attestations.

These forward-looking statements are based on our current assumptions, expectations and beliefs and are subject to substantial risks, uncertainties, assumptions and changes in circumstances that may cause JFrog's actual results, performance or achievements to differ materially from those expressed or implied in any forward-looking statement. There are a significant number of factors that could cause actual results, performance or achievements to differ materially from statements made in this press release, including but not limited to risks detailed in our filings with the Securities and Exchange Commission, including in our annual report on Form 10-K for the year ended December 31, 2024, our quarterly reports on Form 10-Q, and other filings and reports that we may file from time to time with the Securities and Exchange Commission. Forward-looking statements represent our beliefs and assumptions only as of the date of this press release. We disclaim any obligation to update forward-looking statements except as required by law.

Media Contact:

Siobhan Lyons, Director, Global Communications, JFrog, [email protected]

Investor Contact:

Jeff Schreiner, VP of Investor Relations, JFrog, j[email protected]