010-68421378
sales@cogitosoft.com
Your location:Home>News Center >Industry News

How to Connect the JFrog Platform to Your GitHub Environment to Create a Seamless Integration Guide to integrating Git

latest update:2024/07/24 Views:83
How to Connect the JFrog Platform to Your GitHub Environment to Create a Seamless Integration Guide to integrating your ...

How to Connect the JFrog Platform to Your GitHub Environment to Create a Seamless Integration

Guide to integrating your GitHub and JFrog platforms, providing a unified experience for managing and securing software projects throughout coding and building phases.

The latest JFrog collaboration with GitHub enables you to easily combine your favorite solutions for source code and binaries in a seamless integration. This means you now have a unified comprehensive and secure end-to-end experience that supports your software projects.

This integration covers everything from curating open source packages, coding, CI, release management, deployment and production. Including three major improvements to your developer experience.

 

Unified end-to-end JFrog and GitHub experience, from code to package

 

In this blog post we’ll go through the use case flows, including step-by-step instructions to demonstrate the integration.

Let’s get started!

 

Before you start

Here’s what you’ll need:

· JFrog Platform Cloud or Self Hosted

o Create a JFrog Project called CodeNinjas_AI

· GitHub Example Repository

o Fork this example repository so that you have your own copy to experiment with.

1. Authentication and Authorization

To achieve authentication and authorization across both platforms, you’ll need to configure:

· Github Variables

· OAuth

· OIDC

· GitHub Actions

Github Variables

GitHub Variables are used to store your sensitive authentication. Define the following two variables in GitHub, that will point to JFrog. Go to Settings > Secrets and variables > Actions, and add your variables.

· JF_URL – represents the base URL to the JFrog server

· JF_PROJECT – represent the JFrog project key that connects to the GitHub repository

 

 

 

GitHub Actions Secrets and Variables

 

 

OAuth

Configure OAuth to sign in to the JFrog Platform based on GitHub authentication GitHub OAuth.

 

GitHub OAuth Login to the JFrog Platform

OIDC

JFrog’s integration of OIDC with GitHub Actions enables you to establish a trust relationship between your GitHub Actions and the JFrog Platform.

From the JFrog Platform UI, go to the Administration Tab > General > Manage Integrations > New Integration > OpenID Connect 

Configure the OIDC integration, and click Save and Continue.

Configure the Identity Mapping:

· Name: identity mappings name

· Description: preferably should identify the original repository and mapped identity

· Priority: order of priority by which the identity mappings are evaluated

· Claims json: a json file containing any claims to be verified for this mapping to evaluate as true

iss: set to https://token.actions.githubusercontent.com to verify claims were produced by Github

Enterprise: optional claims restriction for the enterprise name the repository belongs to

Repository: your Github repository name

Optional claims: environment, actor, runner_environment, sub, repository_owner, repository_visibility, workflow, and more

o For example,

 

 

· Token scope: Group / User / Admin: scoped token with a specific group/user

· Service: specific/All JFrog services to allow access

· Token Expiration Time: number of minutes for token expiration

 

JFrog Platform – Identity Mapping

 

 

JFrog Platform and GitHub – OIDC Integration

GitHub Actions

Create your Github Action configuration to set up JFrog CLI and run JFrog FrogBot.

Configuring JFrog CLI Setup:

 

Configuring Frogbot:

 

2. Bi-directional Code and Package Linking

Using JFrog CLI in your GitHub build action connects the build to the relevant build-info, packages, and security scans in JFrog. This integration allows you to combine GitHub Actions and JFrog Artifactory.
This example build job yml is configured to automatically trigger after every pull request/push.

 

 

JFrog Job Summary in GitHub

Once the build run is complete, a job summary that includes the build and security information is generated. You can easily navigate to and from the JFrog and GitHub platforms. This allows you to see the Xray security scan data, project build details such as the build diff, environment variables, build json information, and much more. You can also get additional information on your artifacts and security scan by clicking on the project package link, which will navigate you to the JFrog project packages view.

 

JFrog Job Summary, Packages, Vulnerabilities and Build-Info SBOM pointing back to GitHub Job

 

 

3. Unified Security

JFrog Frogbot automatically scans your repositories for potential vulnerabilities, exposed secrets, and malwares in your dependencies. When vulnerabilities are detected, Frogbot not only alerts you, but can also automatically open pull requests with suggested fixes, streamlining the remediation process. These checks can prevent any non-authorized or risky code changes from being merged into your repository.

It also provides detailed reports and dashboards that can help with compliance requirements and give insights into the security posture of your projects.

 

 In this example, we can see that Frogbot detected an Unsafe Hash Algorithm:An unsafe hash algorithm vulnerability occurs when using a known insecure hash algorithm.A hash algorithm accepts arbitrary input and generates a hash value – a fixed-length output that can be used to verify the integrity of data, such as passwords or files.An insecure hash algorithm in an algorithm that an attacker can use to generate the same hash value for different input data within a reasonable amount of time (“ hash collision attack ”).And provided the following remediation so we can easily fix the problem: 
 
 

That’s it!

Now, all that’s left is for you to try it for yourself.

Witness the power of GitHub and JFrog together on June 13.

 

 

 

 

Next:CAS BioFinder Discovery Platform
Prev:Auto layout is coming to Sketch

© Copyright 2000-2023  COGITO SOFTWARE CO.,LTD. All rights reserved