Operations | Monitoring | ITSM | DevOps | Cloud

The latest News and Information on Continuous Integration and Development, and related technologies.

Achieving Sovereign AI with the JFrog Platform and NVIDIA Enterprise AI Factory

Sovereign AI ensures control over AI/ML data, models, and infrastructure, which is now essential for enterprises, regulated industries, and national interests. JFrog and NVIDIA have collaborated to deliver a secure, scalable solution for sovereign AI. NVIDIA provides the accelerated computing and AI software while JFrog ensures trusted DevSecOps and MLOps practices across the entire AI lifecycle, from model development and security scanning to deployment at the edge and in air-gapped environments.

DevEx Unpacked 002 - DevRel, Donuts & Distributed Systems with Dan McKinney

Episode 002: In this episode of DevEx Unpacked, Alan Carson sits down with Dan McKinney, one of Cloudsmith’s earliest team members and now Head of Solutions Engineering. Dan reflects on his unique journey from writing docs and filming DevRel videos to leading high-stakes enterprise sales. Discover how Cloudsmith scaled from a two-person start-up to a platform trusted by global enterprises, why software supply chain security is more urgent than ever, and what features make developers and security teams lean in.

OWASP CI/CD Part 6: Insufficient Credential Hygiene

This post, part six of our OWASP CI/CD Top 10 series, looks at some of the common risks associated with Insufficient Credential Hygiene. By better understanding the flaws that affect credential hygiene, we can better understand how even the most sophisticated pipelines were compromised.

DevEx Unpacked 001 - Scaling Secure Software with Alison Sickelka

Episode 001: In this inaugural episode of DevEx Unpacked, host Alan Carson sits down with Alison Sickelka, VP of Product at Cloudsmith, for a deep dive into the evolution of software supply chain security. Alison shares her journey from journalism to product leadership, the unique talent landscape in Belfast, and how Cloudsmith is pioneering secure artifact management. Learn how Cloudsmith's Enterprise Policy Management is shaping compliance strategies, why SBOMs are crucial, and where AI fits in a secure DevOps future.

Multi-Stage Malware Attack on PyPI: Malicious Package Threatens Chimera Sandbox Users

Open-source package repositories like the Python Package Index (PyPI) play a crucial role in software development. However, these platforms are also potential targets for malicious actors attempting to exploit application software vulnerabilities. The JFrog Security Research team regularly monitors open source software repositories using advanced automated tools, in order to detect malicious packages.

CI/CD Observability with OpenTelemetry - A Step by Step Guide

In the fast-paced world of CI/CD, understanding the performance and behaviour of your pipelines is crucial. GitHub Actions has become a popular choice for automating builds and deployments, but anyone who's debugged a flaky workflow or long-running job knows how challenging it can be to get visibility into what's happening under the hood. We usually rely on build logs, timing data, or guesswork when something goes wrong.

Secure Docker Image Pulls from Cloudsmith to Kubernetes using OIDC

Pulling Docker images from private registries for containerised applications presents a security challenge. It requires authentication management, network access, and trust across distributed systems. Credentials must be securely handled and rotated, and image pulls can break due to network restrictions or expired tokens. All of this makes deployment and security harder.

OWASP CI/CD Part 5 - Insufficient PBAC

One of the more overlooked yet critical vulnerabilities highlighted in the OWASP Top 10 for CI/CD Security Risks is Insufficient PBAC (Pipeline-Based Access Controls). Let’s unpack what PBAC is, why it's essential, and how you can leverage modern access control tools like Open Policy Agent (OPA) and Rego to mitigate these risks effectively.

Multiple Malicious Packages Discovered on PyPI, npm, and RubyGems

Evidence of broad and sustained attacks using several npm, Python, and Ruby packages continues to emerge. A series of malicious packages have been added to the npm, PyPI, and RubyGems package repositories. The attacks have been ongoing for some time, with some seeded years ago. Their aims are manifold, including stealing funds from crypto wallets, deleting codebases, and obtaining Telegram messaging data.