JFrog Ltd.

09/17/2025 | Press release | Distributed by Public on 09/17/2025 15:07

swampUP 2025 Recap: The Quantum Shift in Software Delivery Requires a Unified Approach

And that's a wrap! Held in beautiful Napa Valley, swampUP 2025, JFrog's annual customer conference, brought together developers, operations, security, compliance, and AI/ML leaders - all facing the same burning challenges posed by the AI-driven quantum shift in software delivery. In the keynotes, breakout sessions, and side conversations over wine and coffee, a common theme was made clear: a unified Software Supply Chain platform is essential to thrive in the new reality.

At the event, we launched six industry-leading innovations that cement JFrog as the unified platform and system of record for the software supply chain. Keep reading for a recap of key insights from the event keynotes, plus an in-depth overview of the six new releases.

The Quantum Shift is Reshaping Software Delivery

JFrog Founder & CEO Shlomi Ben Haim opened swampUP 2025, where he proclaimed: "AI is driving a quantum shift in software delivery."

Today's world is now agentic and moving at what feels like warp speed. At Microsoft and Google, 30% of their software code is now generated by AI. Software release velocity has scaled significantly, all in a tangled web of unmanageable dependencies. Add in the increasing number of security incidents that are happening - even during the event itself - and it's easy to see why software releases in the age of AI feel beyond human control.

To thrive in this new agentic world, we need a quantum shift in how we approach software delivery, underpinned by three key tenets:

  1. A unified platform that acts as the system of record for the software supply chain is the foundation for teams to manage and control anything entering their software, including AI models.
  2. A connected ecosystem of foundational platforms is needed to deliver fully integrated workflows to development teams.
  3. DevGovOps (integrating and automating GRC) will emerge as a key practice to help teams launch secure, trusted, and compliant software applications.

The JFrog Platform: The Foundational System of Record for Today's Software Supply Chain

In the era of the quantum shift, there are new unknowns posed by bringing AI into software development, increased security threats, and the demands of an evolving regulatory landscape. We need to anticipate what the future holds to maintain control of our software factories.

The JFrog Platform is the market-leading single source of truth for the software supply chain, underpinning software delivery at the world's largest software development organizations. At swampUP 2025, we unveiled how customers can navigate the AI-driven quantum shift with the JFrog Platform, by announcing six groundbreaking new products:

Product | Description
1. JFrog AppTrust | Industry's First DevGovOps Solution for Application Risk Governance
2. JFrog AI Catalog | The Unified AI System of Record
3. JFrog Fly | The World's First Agentic Repository
4. Agentic Remediation | AI-Assisted Curation and Remediation
5. Developer Extensions Security | Reducing the Security Attack Surface
6. Transitive Contextual Analysis & Runtime Scope | Visibility into What Scanners Can't Detect

Foundational Platforms Must Collaborate for Integrated Workflows

Tackling the quantum shift requires a connected ecosystem, where industry leaders partner to bring fully integrated workflows to development teams. Whether it's accelerating AI/ML development, preventing new software supply chain attacks, or driving governance of applications through DevGovOps, it takes foundational platforms working together to address these challenges.

On the keynote stage, JFrog was joined by industry leaders GitHub, NVIDIA, ServiceNow, and Sonar, highlighting a vision of an integrated ecosystem that aligns customers' strategic solutions:

  • NVIDIA: NVIDIA NIMs are integrated into JFrog AI Catalog - the unified AI system of record for development organizations - to ensure a centralized hub for customers for all their AI models and initiatives.
  • ServiceNow: The new integration between the ServiceNow ITSM Platform and JFrog AppTrust accelerates change management approval workstreams based on centralized evidence in the JFrog Platform.
  • Sonar: Unveiled a new integration that brings code quality and security attestations from SonarQube into JFrog AppTrust, which help fuel the DevGovOps policy engine.
  • GitHub:
    • Introduced a new integration to bring GitHub build provenance and other attestations into JFrog AppTrust, which provides the crucial linkage between code and binaries.
    • JFrog's Agentic Remediation works through an enhanced integration between GitHub Copilot and JFrog's suite of security features, bringing an agentic security experience powered by JFrog's best-in-class security scanners and the latest findings from the JFrog Security Research team.

Product Announcements at swampUP 2025

1. Introducing JFrog AppTrust: The Industry's First DevGovOps Solution for Application Risk Governance

AI coding tools are helping development teams ship at breakneck speed, but often at the expense of visibility and trust. Without a way to govern or verify application risk, companies are exposed to the threat of costly security incidents. However, if you manage this risk by overwhelming developers with more compliance tasks, you slow down innovation and create developer friction. In modern software development, it's not about speed or trust; you need both.

To seamlessly instill trust into your applications, we unveiled JFrog AppTrust, the world's first true application risk governance solution for DevGovOps. By storing process evidence alongside the relevant linked artifacts as they travel across the SDLC, only JFrog can deliver visibility into your applications. By controlling the flow of artifacts across the stages of the SDLC through evidence-based policy gates, AppTrust also ensures teams can continually trust every application that is released, and running in production.

Key Capabilities:

  • Trusts and verifies every software application with automated, evidence-based security controls and contextualized insights
  • Automates and streamlines promotion gates to ensure applications meet security, compliance, and quality standards before releases
  • Continuously monitors applications for new CVEs post-release
  • Automates evidence collection through a growing ecosystem of native evidence integrations, including the ServiceNow ITSM platform, GitHub Artifact Attestations, SonarQube, and more.

2. Introducing JFrog AI Catalog: The Unified AI System of Record

With models changing daily and the lack of established industry standards to manage and secure ML models, enterprise-wide AI adoption is a major challenge. Although businesses are investing heavily in AI, many have even resorted to blocking external downloads of models due to a lack of visibility and trust. It's clear a new, modern approach is necessary to govern ML development.

To allow organizations to curate AI models with a holistic approach, we are pleased to introduce the JFrog AI Catalog, a unified system of record for AI/ML models. This solution allows organizations to govern, secure, and deliver all internal and external ML models from one place. AI Catalog helps index approved ML models, delivering the clarity and velocity required by data science and ML teams to keep up with the pace of development.

Key Capabilities:

  • Provides a single system of record for all ML model types across open source, custom models, and externally hosted models, including native integrations with foundational ML platforms such as NVIDIA NIM and HuggingFace
  • Governs and controls who can use which models and for what purpose
  • Enables developers and data scientists to discover pre-approved models from both internal and external sources to understand which models are most appropriate for a specific use case
  • Serves secured models to deployment for inference

3. Announcing the World's First Agentic Repository: JFrog Fly

AI-generated code has swiftly accelerated the rate at which new builds are created, turning what was once a trickle of new versions into a constant flood. This rapid pace has overwhelmed development teams, who are struggling to manually track and manage each release candidate. As a result, it's now extremely difficult for developers to find a specific release version that contains a certain change, leading to release bottlenecks that slow velocity.

Enter agentic software development. Developers, particularly those on small fast-moving teams, are already embracing agent-assisted coding. The next evolution is to enable the agentic release, where the context of new build versions is continually captured and served to development teams in a fully agentic and natural way. We've broken new ground to enable agentic releases with the launch of JFrog Fly, the world's first agentic repository.

Integrating with agentic coding tools and powered by the JFrog Platform, JFrog Fly is pioneering the era of agentic software delivery with a host of new features and automation tailor-made for the needs of small teams.

Key Capabilities:

  • Streamlines developer productivity with a fully transparent and AI-native agentic development experience, moving software to production faster with more confidence
  • Enables zero-configuration setup so developers can transparently stay in the flow
  • Manages the tidal wave of AI-generated code and releases with their semantic context, rather than hard-to-track version numbers and release notes
  • Integrates with essential tools such as GitHub and Kubernetes to bring trusted DevOps practices to AI-driven workflows

Developers interested in joining the beta waiting list can visit the JFrog Fly webpage.

4. AI-Assisted Curation and Remediation: Enter Agentic Remediation

The acceleration of AI-generated code is met by a proportional increase in vulnerabilities, which based on current levels is projected to exceed 50,000 new CVEs in 2025.

Keeping pace with ever-growing security threats is made possible by our new Agentic Remediation feature, which automatically finds and remediates vulnerabilities on developers' behalf in their existing workflow. By bringing the power of JFrog's SAST, Catalog, and Curation to GitHub Copilot via JFrog's MCP servers, developers can fix vulnerabilities in a matter of seconds, without ever having to leave their IDE.

Key Capabilities:

  • Automatically identifies and remediates security and quality issues as developers code
  • Prevents issues from dependencies and packages from entering the software supply chain, and searches for alternative package options
  • Drives faster remediation by fitting seamlessly into developer workflows

5. Reducing the Security Attack Surface: Announcing Developer Extensions Security

In July 2025, a malicious actor highlighted a growing threat to the software supply chain by targeting a VS Code extension for the Amazon Q coding assistant. The attacker injected a harmful prompt into a seemingly harmless pull request to the open-source repository for the extension. Once the pull request was merged, the prompt instructed Amazon Q to delete all data it could access on both local machines and in cloud environments where the extension was installed. Although Amazon swiftly detected and removed the compromised extension, this incident highlights the urgent need for security to evolve and protect against sophisticated threats that can now emerge, even when using the latest and most sophisticated developer tools.

To protect organizations from potential threats that exploit third party tools, we launched Developer Extensions Security, which extends JFrog Curation to IDE extensions. JFrog Curation is the ideal solution to act as a security firewall for IDE extensions, all while JFrog Artifactory helps organizations establish a repository of trusted extensions that provide visibility into what's available and used across the organization. This gives developers clarity into what they can bring into their IDE, while keeping them protected against these emerging threats.

Key Capabilities:

  • Leverages JFrog Curation as a security gate against malicious and risky IDE extensions, alongside other dangerous packages, by screening them out before they even enter the organization

6. Visibility into What Scanners Can't See: Introducing Transitive Contextual Analysis and Runtime Scope

Transitive Contextual Analysis

90% of vulnerabilities actually come from the transitive dependencies that are pulled in along with the OSS packages downloaded by developers. Since most scanners only scan direct dependencies, organizations are vulnerable to this unaddressed threat.

To provide much-needed visibility and insight into this growing threat, we introduced Transitive Contextual Analysis. We can provide this crucial information to our users, because we're the only DevOps and DevSecOps Platform that is a certified CVE Numbering Authority, with a renowned in-house security research team and database with deep knowledge of application security.

Key Capabilities:

  • Finds and remediates the vulnerabilities lurking hidden in transitive dependencies, while prioritizing exploitable threats so you don't waste time on false alarms
  • Reduces the attack surface that hackers can exploit

Runtime Scope

Many security tools miss the most important question about a vulnerability: "Is it actually deployed in a live environment?" Without this crucial information, undetected threats lurk in production. As the attack surface and threat landscape evolve in the age of AI, this blind spot leaves companies vulnerable if left unaddressed.

We've alleviated these issues with Runtime Scope, which ensures everything in runtime is automatically scanned for vulnerabilities. With Runtime Scope, runtime artifacts are automatically scanned for the latest threats, closing the riskiest SDLC blind spot. It leverages JFrog's best-in-class scanners to automatically search for the latest threats in production, ensuring you're protected where it matters most.

Key Capabilities:

  • Monitors artifacts post-production for signs of tampering or unauthorized changes
  • Prioritizes urgent threats that hackers can exploit in production

swampUP Shifts to Berlin This November

Thank you to everyone who joined us this year in Napa! We also want to give a shout out to all our sponsors for their support, and for making swampUP 2025 a huge success.

This year, we're also taking swampUP across the ocean to Berlin. Join us at swampUP Europe on November 12-14 to see what we have in store. Don't miss out!

Missed swampUP, or want to relive the magic from Napa? Join us on October 9th for AppTrust, AI Catalog and more - Live Product Showcase from JFrog. Register for our webinar before it's too late.

If you'd like to learn more, or learn how to get started on any of JFrog's new solutions, you can take an online tour, schedule a 1:1 demo or start a free trial at your convenience.

JFrog Ltd. published this content on September 17, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on September 17, 2025 at 21:07 UTC.