The explosion of AI-generated code is creating a security crisis that traditional manual approaches simply cannot handle. At KubeCon and CloudNativeCon, JFrog’s Global SVP, Rafael Santiago, revealed how organizations can maintain security and governance while developers’ productivity multiplies by as much as 12x thanks to AI coding assistants.
JFrog Artifactory serves as a single source of truth for all binaries in an organization, from application code and libraries to machine learning models. In an era where AI is fundamentally changing how developers work, this comprehensive approach to binary management has become critical for maintaining security without sacrificing productivity.
The binary explosion challenge
The rise of AI coding assistants and what Santiago calls “vibe coding” has created an unprecedented challenge for security teams. Developer productivity is increasing by an estimated 10-12x, which means organizations are generating exponentially more binaries than ever before. These binaries can come from human developers, machines, or hybrid human-machine collaboration.
This explosion exposes organizations to new threats. When developers generate code that relies on internet repositories or uses open-source libraries, managing security manually becomes impossible. Malicious actors are exploiting this by creating copies of legitimate libraries with subtle improvements that mask crypto miners or credential stealers.
Santiago emphasizes that bad actors have shifted their focus from source code to binaries. Machine learning models themselves are binaries, not source code, making them easier targets for penetration.
JFrog’s three-layer security approach
JFrog has developed a comprehensive platform that secures binaries at multiple stages of the development lifecycle. Unlike competitors who scan code after it has already entered an organization’s systems, JFrog blocks threats at three distinct layers.
Curation: the firewall layer
JFrog’s curation capability acts as a firewall, blocking malicious or risky libraries before they ever enter an organization’s codebase. This is fundamentally different from other security vendors who fetch code first and scan it later. Organizations can customize policies to block libraries that are less than a certain age (such as one week or one month old) or that come from untrusted sources.
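The age and source rules described above can be pictured as a gate that decides before anything is fetched. This is an added example, not JFrog's implementation or policy syntax; the `Candidate` and `Policy` types, host names and package records are constructed for illustration, and denying on a missing or future publish date is an assumption of this sketch.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

@dataclass(frozen=True)
class Candidate:
    name: str
    source: str                    # upstream host the request would go to
    published: Optional[datetime]  # upstream publish time, None if unknown

@dataclass(frozen=True)
class Policy:
    min_age: timedelta
    trusted_sources: frozenset

def evaluate(pkg: Candidate, policy: Policy, now: datetime):
    """Return (allowed, reasons). Runs on metadata only, before any download."""
    reasons = []
    if pkg.source not in policy.trusted_sources:
        reasons.append(f"untrusted source {pkg.source}")
    if pkg.published is None:
        # Fail closed: an unknown age must not slip past the age rule.
        reasons.append("publish date unknown")
    elif pkg.published > now:
        reasons.append("publish date is in the future")
    elif now - pkg.published < policy.min_age:
        age = (now - pkg.published).days
        reasons.append(f"published {age}d ago, minimum {policy.min_age.days}d")
    return (not reasons, reasons)

# Constructed sample data (hypothetical hosts and package names).
UTC = timezone.utc
NOW = datetime(2025, 6, 15, tzinfo=UTC)
POLICY = Policy(timedelta(days=7), frozenset({"registry.example.org"}))
REQUESTS = [
    Candidate("example-http", "registry.example.org", datetime(2025, 1, 10, tzinfo=UTC)),
    Candidate("example-http-turbo", "registry.example.org", datetime(2025, 6, 13, tzinfo=UTC)),
    Candidate("example-yaml", "files.example.net", datetime(2023, 3, 1, tzinfo=UTC)),
    Candidate("example-crypto", "registry.example.org", None),
    Candidate("example-edge", "registry.example.org", datetime(2025, 6, 8, tzinfo=UTC)),
]

def decisions():
    """Map each requested package name to its (allowed, reasons) verdict."""
    return {p.name: evaluate(p, POLICY, NOW) for p in REQUESTS}

if __name__ == "__main__":
    for name, (ok, why) in decisions().items():
        print(f"{'ALLOW' if ok else 'BLOCK':5} {name:20} {'; '.join(why)}")
```

A package exactly at the minimum age is allowed, and every block carries its reasons so the denial can be shown to the developer.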
X-Ray: binary analysis
For zero-day vulnerabilities that aren’t caught at the firewall level, JFrog X-Ray provides continuous analysis of binaries within an organization. When a new vulnerability is discovered, X-Ray immediately identifies affected binaries and provides administrators with instructions for remediation.
JAS: contextual security
JFrog Advanced Security (JAS) performs static analysis to determine whether a library’s implementation poses a risk to the organization. A library might have a known vulnerability, but if it’s used in a context where the vulnerability cannot be exploited, JAS won’t flag it as an issue. This contextual approach reduces false positives and alert fatigue.
Maintaining developer productivity
One of the most challenging aspects of implementing security controls is keeping developers from bypassing them. Developers often try to circumvent security measures when they believe a particular library or tool will help them accomplish their goals.
JFrog addresses this by making security invisible to developers in their normal workflow. Santiago compares it to electricity: developers don’t like restrictions, but when they attempt to use something dangerous, the system alerts them and suggests safe alternatives. The restriction arrives together with a suggestion for the solution they need.
Organizations can customize access controls through role-based permissions, ensuring developers cannot circumvent the system. They do get the flexibility to work with approved packages, repositories, and programming languages.
MCP Registry: securing AI coding assistants
The emergence of Model Context Protocol (MCP) servers has created a new security challenge. Developers are downloading MCP servers from the internet to work alongside AI coding assistants. This brings a new security risk: these servers are unmonitored. They could make calls to libraries and generate code with hidden security risks.
JFrog’s MCP Registry addresses this by cataloging, monitoring, and securing MCP servers. When a developer downloads and uses an MCP server, it becomes visible to the organization rather than operating as shadow IT. The registry tracks what calls the MCP server makes and ensures that the code it produces is secure.
This solution works in conjunction with JFrog’s AI Catalog, providing end-to-end security for AI-generated binaries. Organizations can make AI productive while maintaining governance and security controls.
Skills for Nvidia Nemo Claw
At GTC, Nvidia’s recent event, JFrog announced skills for MCP servers that work with Nvidia’s Nemo Claw environment. JFrog serves as an underlying governance layer for these skills, though the solution works with any MCP server or AI coding environment, not just Nvidia’s platform.
The skills catalog the API calls that MCP servers make, providing another layer of visibility and control over AI-assisted development workflows.
Compliance and legislation
With regulations like DORA in Europe requiring organizations to maintain software bills of materials (SBOMs) and take responsibility for their software supply chains, solutions like JFrog Artifactory are becoming mandatory rather than optional. Organizations need to track what happened to every binary, when it happened, who coded it, who deployed it, and how to remediate any issues. JFrog’s platform provides this end-to-end visibility and traceability, covering the entire lifecycle from development through runtime.
Covering the complete lifecycle
JFrog’s platform approach differentiates it from point solutions that address only specific parts of the development lifecycle. While there are good point solutions for various stages, JFrog provides one integrated platform that covers all steps for binaries from development through production. The platform includes JFrog Runtime, which analyzes binaries in real time as containers run in production, examining what’s inside containers and how they’re deployed. This comprehensive coverage means organizations don’t need to piece together multiple tools to secure their software supply chain.
As AI continues to accelerate software development, the challenge of securing the resulting binaries will only intensify. JFrog’s approach demonstrates that automation and intelligent filtering are essential for maintaining security in an era where manual oversight is no longer feasible.