I'm super excited to share that at GitHub, we deepened our partnership with JFrog to launch cross-platform build integrity with attestations and production-aware security alert prioritization 🚀

Artifact attestations created in GitHub Actions now seamlessly follow your artifacts into JFrog Evidence. Under the hood, these attestations are Sigstore bundles, meaning they're self-contained, portable, and cryptographically verifiable, with no runtime dependency on GitHub.

This is huge for Sigstore as well: JFrog now natively supports verifying Sigstore bundles as evidence using their CLI. That means you can enforce provenance and integrity checks directly in Artifactory, automate policies for artifact promotion (like requiring SLSA provenance before anything reaches production), and be confident that only trusted, verified releases ship.

With this strong link between artifact and source established, production context from JFrog now flows back into GitHub. You can use this context to prioritize security alerts in GitHub Advanced Security, focusing remediation on what's actually shipping to production and cutting through the noise.

I'm genuinely excited about how GitHub and JFrog are coming together to solve attestation, governance, and alert prioritization in a more holistic way. If you want to see it in action, chat about artifact attestations, or need help setting it up, drop me a message! 😊

#slsa #sigstore #supplychainsecurity #devsecops #appsec https://lnkd.in/ddvpTrmx
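As an added illustration of the promotion policy described above (this is example code written for this page, not code from GitHub, JFrog, Sigstore or the post's author), the Python below opens a Sigstore bundle, pulls the in-toto statement out of its DSSE envelope, and gates an artifact on three checks: the predicate is SLSA provenance v1, the statement's subject digest matches the bytes being promoted, and the builder id is on an allow-list. It assumes the bundle's signature and transparency-log entry were already verified by the tooling (for example `gh attestation verify` or the JFrog CLI); it does not redo that cryptography. The artifact bytes, builder ids, bundle contents and the `promotion_gate` function name are all constructed for the example.

```python
import base64
import hashlib
import json

# Well-known type URIs used inside GitHub artifact attestations.
IN_TOTO_STATEMENT_V1 = "https://in-toto.io/Statement/v1"
SLSA_PROVENANCE_V1 = "https://slsa.dev/provenance/v1"
DSSE_IN_TOTO = "application/vnd.in-toto+json"

# Constructed release artifact; a real gate would hash the file in Artifactory.
ARTIFACT = b"example release payload\n"
ARTIFACT_SHA256 = hashlib.sha256(ARTIFACT).hexdigest()

# Constructed builder identities for the allow-list (placeholders, not real ids).
TRUSTED_BUILDERS = {"https://builder.example.invalid/github-actions"}


def _constructed_bundle(predicate_type, subject_sha256, builder_id):
    """Build a minimal Sigstore-bundle-shaped dict around an in-toto statement.

    Signature and certificate fields are placeholders: this helper exists only
    to give the gate realistic input shape, not verifiable material.
    """
    statement = {
        "_type": IN_TOTO_STATEMENT_V1,
        "subject": [{"name": "app-1.2.3.tar.gz",
                     "digest": {"sha256": subject_sha256}}],
        "predicateType": predicate_type,
        "predicate": {"runDetails": {"builder": {"id": builder_id}}},
    }
    payload = base64.b64encode(json.dumps(statement).encode()).decode()
    return {
        "mediaType": "application/vnd.dev.sigstore.bundle.v0.3+json",
        "verificationMaterial": {"certificate": {"rawBytes": "<omitted>"},
                                 "tlogEntries": [{"logIndex": "0"}]},
        "dsseEnvelope": {"payloadType": DSSE_IN_TOTO,
                         "payload": payload,
                         "signatures": [{"sig": "<omitted>"}]},
    }


def promotion_gate(bundle, artifact_bytes, allowed_builders):
    """Decide whether an artifact may be promoted, given an already-verified bundle.

    Returns (ok, reason). Every check is structural: it inspects the statement
    the signature covers, on the assumption that signature and Rekor checks
    passed upstream.
    """
    envelope = bundle.get("dsseEnvelope")
    if not envelope or envelope.get("payloadType") != DSSE_IN_TOTO:
        return False, "bundle does not carry a DSSE in-toto envelope"
    try:
        statement = json.loads(base64.b64decode(envelope["payload"]))
    except (KeyError, ValueError) as exc:
        return False, f"malformed envelope payload: {exc}"
    if statement.get("_type") != IN_TOTO_STATEMENT_V1:
        return False, f"unexpected statement type {statement.get('_type')!r}"
    if statement.get("predicateType") != SLSA_PROVENANCE_V1:
        return False, (f"predicate is {statement.get('predicateType')!r}, "
                       "not SLSA provenance v1")
    # Bind the attestation to the exact bytes being promoted.
    digest = hashlib.sha256(artifact_bytes).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256") == digest for s in subjects):
        return False, "artifact digest is not a subject of this attestation"
    builder = (statement.get("predicate", {}).get("runDetails", {})
               .get("builder", {}).get("id"))
    if builder not in allowed_builders:
        return False, f"builder {builder!r} is not on the allow-list"
    return True, "SLSA provenance present, subject matches, builder trusted"


# Four constructed cases: a good bundle, a tampered artifact, a non-provenance
# predicate (an SBOM attestation), and a bundle from an unlisted builder.
GOOD_BUNDLE = _constructed_bundle(SLSA_PROVENANCE_V1, ARTIFACT_SHA256,
                                  "https://builder.example.invalid/github-actions")
SBOM_BUNDLE = _constructed_bundle("https://spdx.dev/Document", ARTIFACT_SHA256,
                                  "https://builder.example.invalid/github-actions")
ROGUE_BUNDLE = _constructed_bundle(SLSA_PROVENANCE_V1, ARTIFACT_SHA256,
                                   "https://builder.example.invalid/laptop")

if __name__ == "__main__":
    for label, bundle, data in [("good", GOOD_BUNDLE, ARTIFACT),
                                ("tampered", GOOD_BUNDLE, b"tampered bytes"),
                                ("sbom-only", SBOM_BUNDLE, ARTIFACT),
                                ("rogue-builder", ROGUE_BUNDLE, ARTIFACT)]:
        ok, reason = promotion_gate(bundle, data, TRUSTED_BUILDERS)
        print(f"{label:14s} promote={ok!s:5s} {reason}")
```

The digest check is the one that gives the "strong link between artifact and source" the post talks about: the subject digest is inside the signed statement, so a bundle copied next to a different binary fails the gate even though the bundle itself is intact. The builder allow-list is what turns "has provenance" into "has provenance from a build system we trust", which is the policy a promotion rule in Artifactory would express.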