Seamlessly Curate
Software Packages Entering Your Organization

Because secure software development should be simple
Request a Trial Book a Demo

What is JFrog Curation?

JFrog Curation defends your software supply chain, enabling early blocking of malicious or risky open-source packages before they even enter. Seamlessly identify harmful, vulnerable, or risky packages, ensuring increased security, compliance, and developer productivity.

Gain control and visibility over third-party package downloads. Drive organizational alignment, improve the developer and DevSecOps experience, and realize cost savings.

Book a Demo

Centralized Visibility
and Control

Track the open-source packages downloaded by your
organization to gain centralized visibility and control.
Prevent harmful packages from getting into your
software development pipelines as part of a holistic
software supply chain platform.

Frictionless Package Consumption
by Developers

Protect against known and unknown threats, allowing only trusted software packages into your software development pipelines. Feel confident your development teams are developing with only pre-approved open-source components.

Automate Curation
of 3rd Party Packages

Automated policies block packages with known vulnerabilities, malicious code, operational risk, or license compliance issues. Select from predefined templates to drive governance over the open-source consumed in your organization.

Catalog of
Open Source Packages

Explore the metadata of the open-source packages you want to use with JFrog Catalog. Discover their version history, security vulnerabilities, OpenSSF score, license data, operational risk, and if they have any dependencies and transitive vulnerabilities. Over 4 million OSS packages have been cataloged for easy reference.

Improved
DevSecOps Experience

Transparency and accountability enable easy auditing of the open-source used by developers. Seamlessly-integrated vetting of software packages before entry into the SDLC, ensure a better developer experience with reduced remediation efforts and lower costs.

Request a Trial Book a Demo

Why Customers Trust JFrog

“Most large companies have multiple sites and it is critical for those companies to manage authentication and permission efficiently across locations. JFrog Enterprise+ will provide us with an ideal setup that will allow us to meet our rigorous requirements from the get go. It's advanced capabilities, like Access Federation, will reduce our overhead by keeping the users, permissions, and and groups in-sync between sites.”
Siva Mandadi
DevOps - Autonomous Driving, Mercedes
“JFrog Enterprise+ increases developer productivity and eliminates frustration. JFrog Distribution is basically a CDN On-Prem that enables us to distribute software to remote locations in a reliable way. Whereas, JFrog Access Federation gives us the ability to share credentials, access and group members across different locations with ease.”
Artem Semenov
Senior Manager for DevOps and Tooling,
Align Technology
"Instead of a 15-month cycle, today we can release virtually on request.”
Martin Eggenberger
Chief Architect,
Monster
“As a long-time DevOps engineer, I know how difficult it can be to keep track of the myriad of package types – legacy and new – that corporations have in their inventory. JFrog has always done a phenomenal job at keeping our team supported, efficient and operational – because if JFrog goes out, we might as well go home. Thankfully, with AWS infrastructure at our backs as well, we know we can develop and deliver with confidence anywhere our business demands today, and in the future.”
Joel Vasallo
Head of Cloud DevOps,
Redbox
“When we had that issue with log4j, it was announced on Friday afternoon and [using JFrog] by Monday at noon
we had all cities rolled out with the patch.”
Hanno Walischewski
Chief System Architect,
Yunex Traffic
“Among the lessons we learned from this compromise is, in general, you should arrange your system so you never build directly from the internet without any intervening scanning tool in place to validate the dependencies you bring into your builds. To this end, we use an instance of JFrog® Artifactory®, not the cloud service, to host our dependencies, which is the only valid source for any software artifacts bound for staging, production, or on-premises releases.”
SolarWinds
"Since moving to Artifactory, our team has been able to cut down our maintenance burden significantly…we’re able to move on
and be a more in depth DevOps organization."
Stefan Krause
Software Engineer,
Workiva
“Over 300,000 users around the world rely on PRTG to monitor vital parts of their different-sized networks. Therefore, it is our obligation to develop and enhance not only our software itself but also the security and release processes around it. JFrog helps us do this in the most efficient manner.”
Konstantin Wolff
Infrastructure Engineer,
Paessler AG
“JFrog Connect, for me, is really a scaling tool so I can deploy edge IoT integrations much quicker and manage them at a larger scale. There’s less manual, one-off intervention when connecting to different customer sites with different VPNs and firewall requirements.”
Ben Fussell
Systems Integration Engineer,
Ndustrial
"We wanted to figure out what can we really use instead of having five, six different applications. Maintaining them. Is there anything we can use as a single solution? And Artifactory came to the rescue. It really turned out to be a one-stop shop for us. It really provided everything that we need."
Keith Kreissl
Principal Developer,
Cars.com
“Most large companies have multiple sites and it is critical for those companies to manage authentication and permission efficiently across locations. JFrog Enterprise+ will provide us with an ideal setup that will allow us to meet our rigorous requirements from the get go. It's advanced capabilities, like Access Federation, will reduce our overhead by keeping the users, permissions, and and groups in-sync between sites.”
Siva Mandadi
DevOps - Autonomous Driving, Mercedes
“JFrog Enterprise+ increases developer productivity and eliminates frustration. JFrog Distribution is basically a CDN On-Prem that enables us to distribute software to remote locations in a reliable way. Whereas, JFrog Access Federation gives us the ability to share credentials, access and group members across different locations with ease.”
Artem Semenov
Senior Manager for DevOps and Tooling,
Align Technology
"Instead of a 15-month cycle, today we can release virtually on request.”
Martin Eggenberger
Chief Architect,
Monster
“As a long-time DevOps engineer, I know how difficult it can be to keep track of the myriad of package types – legacy and new – that corporations have in their inventory. JFrog has always done a phenomenal job at keeping our team supported, efficient and operational – because if JFrog goes out, we might as well go home. Thankfully, with AWS infrastructure at our backs as well, we know we can develop and deliver with confidence anywhere our business demands today, and in the future.”
Joel Vasallo
Head of Cloud DevOps,
Redbox
“When we had that issue with log4j, it was announced on Friday afternoon and [using JFrog] by Monday at noon
we had all cities rolled out with the patch.”
Hanno Walischewski
Chief System Architect,
Yunex Traffic
“Among the lessons we learned from this compromise is, in general, you should arrange your system so you never build directly from the internet without any intervening scanning tool in place to validate the dependencies you bring into your builds. To this end, we use an instance of JFrog® Artifactory®, not the cloud service, to host our dependencies, which is the only valid source for any software artifacts bound for staging, production, or on-premises releases.”
SolarWinds
"Since moving to Artifactory, our team has been able to cut down our maintenance burden significantly…we’re able to move on
and be a more in depth DevOps organization."
Stefan Krause
Software Engineer,
Workiva
“Over 300,000 users around the world rely on PRTG to monitor vital parts of their different-sized networks. Therefore, it is our obligation to develop and enhance not only our software itself but also the security and release processes around it. JFrog helps us do this in the most efficient manner.”
Konstantin Wolff
Infrastructure Engineer,
Paessler AG
“JFrog Connect, for me, is really a scaling tool so I can deploy edge IoT integrations much quicker and manage them at a larger scale. There’s less manual, one-off intervention when connecting to different customer sites with different VPNs and firewall requirements.”
Ben Fussell
Systems Integration Engineer,
Ndustrial
"We wanted to figure out what can we really use instead of having five, six different applications. Maintaining them. Is there anything we can use as a single solution? And Artifactory came to the rescue. It really turned out to be a one-stop shop for us. It really provided everything that we need."
Keith Kreissl
Principal Developer,
Cars.com

Advanced DevOps-Centric Security Designed for the Software Supply Chain

The largest data breach in history was due to a leaked access token. 1 billion records with personally identifiable information were stolen. Don't become the next data breach storyline and make sure you keep your credentials and secrets out of the hands of nefarious actors.

Learn about Advanced Security

Cutting Edge Security Research

Want to See the Impact of All This Research? Discover how JFrog Xray can save your team time by reducing manual remediation and accelerating secure releases.
Calculate Your Security Time Savings

1,000+

Findings Published

1,500+

Malicious Packages Discovered

500+

Zero Day Vulnerabilities Disclosed

20

OSS Security Tools Released

Calculate Your Savings

Additional Resources

Calculator
Security Time Savings Calculator
Estimate Time Savings
Webinar
Learn more about JFrog Curation and see it in action
Watch Now
Blog
Learn more about the new JFrog Curation feature and its benefits
Learn More
Git OSS Scanning Tool
Frogbot - The JFrog Security Git Bot
Learn More
Success Story
Scale Security Cost Effectively - Esports Case Study
Learn More
Solution Sheet
Read more about JFrog Curation
Learn More

Frequently Asked Questions

Yes

Curation checks dependencies before they are cached in Artifactory. Hence, Curation helps with proactive vetting of dependencies entering your organization

Curation reduces time spent on remediation and clears backlog faster by preventing new vulnerabilities from getting in

Security, license compliance, operational and custom conditions

Developer machine: Providing real-time feedback as you add or update dependencies
CI/CD Pipelines: Scanning your code during builds to prevent risky dependencies from being deployed

Manually looking up CVEs is time-consuming and doesn't provide a holistic view. Curation automates this process, integrates it into your workflow, and provides additional context like license information and operational risks. It also helps you understand the impact of vulnerabilities within your specific dependency tree

Yes, JFrog Curation is primarily focused on analyzing and managing open-source software dependencies

Curation works with Artifactory’s remote repositories by analyzing client’s requests and applying the specified policy conditions

Integration within the JFrog Platform provides a unified experience for managing your software supply chain. You get a holistic view of your artifacts and checks, controls based on their associated risks in one place, streamlining governance and security efforts

JFrog Catalog which is Curation's vulnerability databases is regularly updated with the latest information from various security sources to ensure you have the most up-to-date risk assessments

Block and Dry-run

Yes

Yes

Yes

No, Curation and Xray work together to check and control OSS dependencies with slightly different use cases. Xray continuously checks dependencies through the SDLC and Curation checks them before they enter your development environment.

Seamlessly curate software packages today

Request a Trial Book a Demo