JFrog Curation Automates Risky Package Detection for Open Source Software

JFrog, the Liquid Software company and creator of the JFrog Software Supply Chain Platform, is launching JFrog Curation, an automated DevSecOps solution that checks and validates open source or third-party software packages to ensure overall security when these technologies are used within a software development environment. Designed to boost developer productivity and accelerate time-to-market, JFrog Curation uses binary metadata to detect risky packages with higher-severity CVEs, operational issues, or license compliance issues.

Open source software is used now more than ever before, often saving development teams critical resources and speeding up software development. However, these open source packages pose a significant security risk, as threat actors wait for the opportunity to attack an enterprise from within, according to the company.

“Sometimes as much as 90% of an application can be open source, which is huge,” said Paul Garden, the DevSecOps evangelist at JFrog. “If you think about the 90% of the software that is released by a company written by somebody else, therein lies the risk, because you can potentially be bringing vulnerabilities, malicious code, or malicious packages. There are all kinds of hidden dangers inside these packages.”

In response to this ongoing phenomenon, JFrog Curation automatically detects and validates software packages against JFrog’s Security Research Library of recorded Common Vulnerabilities and Exposures (CVE)—powered by JFrog’s dedicated security research team—as well as against publicly available information. This security research team enables enterprises to generate large savings, both financially and in time, while ensuring that the organization stays secure and compliant.

Sitting on the boundary between an enterprise and the wealth of open source software available to the public, JFrog Curation filters the packages coming into an organization, eliminating the need to individually scan each package upon download. In fact, JFrog will not allow any package to be downloaded before it has been checked and validated by Curation. The information regarding pre-approved packages is then stored in the JFrog Catalog, a database that informs JFrog Curation and serves as a trusted cache of pre-approved third-party software components.

Whether an open source package or component harbors malicious code, is susceptible to vulnerabilities, or has not been recently maintained, JFrog Curation filters out such packages to prevent them from impacting an enterprise’s development lifecycle.
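As an added illustration of the gate described above (not JFrog's code; the metadata fields, thresholds and catalog structure are assumptions), a minimal curation gate in Python that applies the three kinds of checks the article names, refuses a package before it is served, and caches each verdict the way a catalog of pre-approved components would:

```python
from dataclasses import dataclass
from datetime import date

# Constructed package metadata standing in for the binary metadata a curation
# gateway would read; field names and values are assumptions, not JFrog's schema.
@dataclass
class PackageMeta:
    name: str
    version: str
    max_cvss: float        # highest CVSS score among the package's known CVEs
    license: str
    last_release: date     # used for the "not recently maintained" check
    malicious: bool = False

@dataclass
class CurationPolicy:
    max_allowed_cvss: float = 6.9                  # block "high" (7.0+) and "critical"
    allowed_licenses: frozenset = frozenset({"MIT", "Apache-2.0", "BSD-3-Clause"})
    max_stale_days: int = 730                      # no release in ~2 years -> block

class CurationGate:
    """Sits between the build and the public registry: a package is served only
    after it passes policy, and every verdict is cached in a catalog."""
    def __init__(self, policy: CurationPolicy, today: date):
        self.policy, self.today = policy, today
        self.catalog = {}  # (name, version) -> (allowed, reasons)

    def evaluate(self, pkg: PackageMeta):
        key = (pkg.name, pkg.version)
        if key in self.catalog:                    # pre-approved (or pre-blocked)
            return self.catalog[key]
        reasons = []
        if pkg.malicious:
            reasons.append("flagged as malicious")
        if pkg.max_cvss > self.policy.max_allowed_cvss:
            reasons.append(f"CVSS {pkg.max_cvss} exceeds {self.policy.max_allowed_cvss}")
        if pkg.license not in self.policy.allowed_licenses:
            reasons.append(f"license {pkg.license} not allowed")
        if (self.today - pkg.last_release).days > self.policy.max_stale_days:
            reasons.append("not maintained recently")
        verdict = (not reasons, reasons)           # allowed only with no findings
        self.catalog[key] = verdict
        return verdict

def demo():
    # Constructed sample packages: one clean, one failing all three policy checks.
    gate = CurationGate(CurationPolicy(), today=date(2023, 6, 1))
    clean = PackageMeta("acme-utils", "1.3.0", 4.2, "MIT", date(2023, 1, 10))
    risky = PackageMeta("acme-legacy", "0.1.0", 9.8, "GPL-3.0", date(2019, 3, 1))
    return gate.evaluate(clean), gate.evaluate(risky), len(gate.catalog)
```

A second request for the same name and version is answered from the catalog without re-evaluating the package, which is the cache behaviour the article attributes to the JFrog Catalog.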

On top of its vulnerability identification, the company says, Curation adds seamless automation that brings a wealth of security information to developers’ fingertips.

“Unless you knew that you had Curation running in the background, you wouldn't actually notice it switched on because it does this checking so quickly and because we have the database in the platform,” explained Garden.

Despite JFrog Curation’s meticulousness, what may be safe today might not be safe tomorrow, according to Garden. That’s why JFrog Curation integrates with several of JFrog’s other security services—including JFrog X-Ray and JFrog Advanced Security—to provide end-to-end software scanning that detects vulnerabilities or malicious code and alerts developers and security teams throughout the development lifecycle.

To learn more about JFrog Curation, please visit