Operations | Monitoring | ITSM | DevOps | Cloud

The latest News and Information on Continuous Integration and Development, and related technologies.

Achieving Sovereign AI with the JFrog Platform and NVIDIA Enterprise AI Factory

Sovereign AI ensures control over AI/ML data, models, and infrastructure, which is now essential for enterprises, regulated industries, and national interests. JFrog and NVIDIA have collaborated to deliver a secure, scalable solution for sovereign AI. NVIDIA provides the accelerated computing and AI software while JFrog ensures trusted DevSecOps and MLOps practices across the entire AI lifecycle, from model development and security scanning to deployment at the edge and in air-gapped environments.

DevEx Unpacked 002 - DevRel, Donuts & Distributed Systems with Dan McKinney

Episode 002: In this episode of DevEx Unpacked, Alan Carson sits down with Dan McKinney, one of Cloudsmith’s earliest team members and now Head of Solutions Engineering. Dan reflects on his unique journey from writing docs and filming DevRel videos to leading high-stakes enterprise sales. Discover how Cloudsmith scaled from a two-person start-up to a platform trusted by global enterprises, why software supply chain security is more urgent than ever, and what features make developers and security teams lean in.

OWASP CI/CD Part 6: Insufficient Credential Hygiene

This post, part six of our OWASP CI/CD Top 10 series, looks at some of the common risks associated with Insufficient Credential Hygiene. By better understanding the flaws that affect credential hygiene, we can better understand how even the most sophisticated pipelines were compromised.

DevEx Unpacked 001 - Scaling Secure Software with Alison Sickelka

Episode 001: In this inaugural episode of DevEx Unpacked, host Alan Carson sits down with Alison Sickelka, VP of Product at Cloudsmith, for a deep dive into the evolution of software supply chain security. Alison shares her journey from journalism to product leadership, the unique talent landscape in Belfast, and how Cloudsmith is pioneering secure artifact management. Learn how Cloudsmith's Enterprise Policy Management is shaping compliance strategies, why SBOMs are crucial, and where AI fits in a secure DevOps future.

Multi-Stage Malware Attack on PyPI: Malicious Package Threatens Chimera Sandbox Users

Open-source package repositories like the Python Package Index (PyPI) play a crucial role in software development. However, these platforms are also potential targets for malicious actors attempting to exploit application software vulnerabilities. The JFrog Security Research team regularly monitors open source software repositories using advanced automated tools, in order to detect malicious packages.

CI/CD Observability with OpenTelemetry - A Step by Step Guide

In the fast-paced world of CI/CD, understanding the performance and behaviour of your pipelines is crucial. GitHub Actions has become a popular choice for automating builds and deployments, but anyone who's debugged a flaky workflow or long-running job knows how challenging it can be to get visibility into what's happening under the hood. We usually rely on build logs, timing data, or guesswork when something goes wrong.

Secure Docker Image Pulls from Cloudsmith to Kubernetes using OIDC

Pulling Docker images from private registries for containerised applications presents a security challenge. It requires authentication management, network access, and trust across distributed systems. Credentials must be securely handled and rotated, and image pulls can break due to network restrictions or expired tokens. All of this makes deployment and security harder.

OWASP CI/CD Part 5 - Insufficient PBAC

One of the more overlooked yet critical vulnerabilities highlighted in the OWASP Top 10 for CI/CD Security Risks is Insufficient PBAC (Pipeline-Based Access Controls). Let’s unpack what PBAC is, why it's essential, and how you can leverage modern access control tools like Open Policy Agent (OPA) and Rego to mitigate these risks effectively.

Open Container Initiative (OCI) Support in Cloudsmith

Kubernetes has become the de facto platform for orchestrating containers. Open standards complement Kubernetes by defining best practices for its implementation. These standards are developed by the open-source Kubernetes community (not a single vendor), ensuring vendor neutrality, easier integration with other tools, and overall system efficiency.