How to Connect the JFrog Platform to Your GitHub Environment to Create a Seamless Integration
Guide to integrating your GitHub and JFrog platforms, providing a unified experience for managing and securing software projects throughout coding and building phases.
The latest JFrog collaboration with GitHub lets you combine your preferred solutions for source code and binaries in a seamless integration. The result is a unified, comprehensive and secure end-to-end experience for your software projects.
This integration covers everything from curating open source packages, coding, CI and release management to deployment and production, and includes three major improvements to your developer experience.
Unified end-to-end JFrog and GitHub experience, from code to package
In this blog post we’ll go through the use case flows, including step-by-step instructions to demonstrate the integration.
Let’s get started!
Before you start
Here’s what you’ll need:
· JFrog Platform Cloud or Self-Hosted
o Create a JFrog Project called CodeNinjas_AI
o Fork this example repository so that you have your own copy to experiment with.
1. Authentication and Authorization
To achieve authentication and authorization across both platforms, you’ll need to configure:
· OAuth
· OIDC
GitHub Variables
GitHub Variables are used to store your authentication configuration. Define the following two variables in GitHub that point to JFrog. Go to Settings > Secrets and variables > Actions, and add your variables.
· JF_URL – the base URL of the JFrog server
· JF_PROJECT – the JFrog project key that connects to the GitHub repository
GitHub Actions Secrets and Variables
Configure OAuth so that users can sign in to the JFrog Platform with their GitHub identity (GitHub OAuth).
GitHub OAuth Login to the JFrog Platform
OIDC
JFrog’s integration of OIDC with GitHub Actions enables you to establish a trust relationship between your GitHub Actions and the JFrog Platform.
From the JFrog Platform UI, go to the Administration Tab > General > Manage Integrations > New Integration > OpenID Connect.
Configure the OIDC integration, and click Save and Continue.
Configure the Identity Mapping:
· Name: the identity mapping's name
· Description: should preferably identify the original repository and the mapped identity
· Priority: the order in which the identity mappings are evaluated
· Claims JSON: a JSON document containing the claims that must be present in the token for this mapping to match
o iss: set to https://token.actions.githubusercontent.com to verify that the claims were produced by GitHub
o Enterprise: optional claim restricting the mapping to the enterprise the repository belongs to
o Repository: your GitHub repository name
o Optional claims: environment, actor, runner_environment, sub, repository_owner, repository_visibility, workflow, and more
o For example,
· Token scope: Group / User / Admin; the issued token is scoped to a specific group or user
· Service: the specific JFrog services (or all of them) the token may access
· Token Expiration Time: number of minutes until the token expires
JFrog Platform – Identity Mapping
JFrog Platform and GitHub – OIDC Integration
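The security of the identity mapping rests on how many claims the Claims JSON pins down: a mapping that checks only iss trusts every GitHub repository that can mint an OIDC token. The following added example (not JFrog's code; a simplified illustration of exact-match claim checking on an already signature-verified token payload, with constructed repository and claim values) contrasts a weak mapping with one pinned to a repository, branch and runner type.

```python
import json

# Constructed sample: the payload of a GitHub Actions OIDC token *after* its
# signature has been verified against https://token.actions.githubusercontent.com
# (signature checking is outside this example). All values are made up.
GITHUB_TOKEN_CLAIMS = {
    "iss": "https://token.actions.githubusercontent.com",
    "sub": "repo:codeninjas/example-repo:ref:refs/heads/main",
    "repository": "codeninjas/example-repo",
    "repository_owner": "codeninjas",
    "repository_visibility": "private",
    "ref": "refs/heads/main",
    "workflow": "build",
    "actor": "octocat",
    "runner_environment": "github-hosted",
    "environment": "production",
}

# Two identity-mapping "Claims JSON" documents in the shape the post describes.
WEAK_MAPPING = json.loads('{"iss": "https://token.actions.githubusercontent.com"}')
STRICT_MAPPING = json.loads("""{
  "iss": "https://token.actions.githubusercontent.com",
  "repository": "codeninjas/example-repo",
  "ref": "refs/heads/main",
  "runner_environment": "github-hosted"
}""")


def mapping_matches(required_claims, token_claims):
    """True only if every claim in the mapping is present in the token with
    exactly the same value; a claim missing from the token never matches."""
    return all(token_claims.get(k) == v for k, v in required_claims.items())


def token_from(repository, ref="refs/heads/main", runner="github-hosted"):
    """Constructed token payload from another repository, branch or runner type."""
    t = dict(GITHUB_TOKEN_CLAIMS)
    t.update(repository=repository, ref=ref, runner_environment=runner,
             sub=f"repo:{repository}:ref:{ref}")
    return t


if __name__ == "__main__":
    # The weak mapping accepts a workflow from *any* GitHub repository.
    print(mapping_matches(WEAK_MAPPING, token_from("someone-else/their-repo")))    # True
    # The strict mapping only matches the pinned repo on main on a GitHub-hosted runner.
    print(mapping_matches(STRICT_MAPPING, GITHUB_TOKEN_CLAIMS))                     # True
    print(mapping_matches(STRICT_MAPPING, token_from("someone-else/their-repo")))  # False
    print(mapping_matches(STRICT_MAPPING, token_from("codeninjas/example-repo",
                                                     ref="refs/heads/feature")))   # False
```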
Create your GitHub Actions configuration to set up JFrog CLI and run JFrog Frogbot.
Configuring JFrog CLI Setup:
Configuring Frogbot:
2. Bi-directional Code and Package Linking
Using JFrog CLI in your GitHub build action connects the build to the relevant build-info, packages, and security scans in JFrog. This integration allows you to combine GitHub Actions and JFrog Artifactory.
This example build job YAML is configured to trigger automatically after every pull request or push.
Once the build run is complete, a job summary that includes the build and security information is generated. You can easily navigate between the JFrog and GitHub platforms to see the Xray security scan data and project build details such as the build diff, environment variables, build JSON and much more. You can also get additional information on your artifacts and security scan by clicking the project package link, which takes you to the JFrog project packages view.
JFrog Job Summary, Packages, Vulnerabilities and Build-Info SBOM pointing back to GitHub Job
JFrog Frogbot automatically scans your repositories for potential vulnerabilities, exposed secrets and malware in your dependencies. When vulnerabilities are detected, Frogbot not only alerts you but can also automatically open pull requests with suggested fixes, streamlining remediation. These checks can prevent unauthorized or risky code changes from being merged into your repository.
It also provides detailed reports and dashboards that help with compliance requirements and give insight into the security posture of your projects.
That’s it!
Now, all that’s left is for you to try it for yourself.
© Copyright 2000-2023 COGITO SOFTWARE CO.,LTD. All rights reserved