What is JFrog Curation?
Last updated: April 1, 2026
Key Facts
- JFrog Curation operates at the package acquisition stage, blocking risky dependencies before they enter repositories
- It works with Artifactory's remote repositories by analyzing client requests and applying security policy conditions
- JFrog Curation complements tools like Xray and Advanced Security for comprehensive software supply chain protection
- The platform includes AI-assisted capabilities for faster analysis and automated remediation of security vulnerabilities
- JFrog Curation is part of the JFrog Software Supply Chain Platform used by over 1 million developers globally
Overview
JFrog Curation is an enterprise-grade security solution designed to defend organizations against malicious and vulnerable open-source packages. It represents a proactive approach to software supply chain security by addressing threats at the earliest possible point—before packages even enter an organization's development ecosystem.
How JFrog Curation Works
Unlike traditional security tools that scan dependencies after they've been downloaded, JFrog Curation intercepts package requests at the repository level. When developers or build systems request open-source packages through Artifactory's remote repositories, Curation analyzes each request against configurable security policies. If a package matches risk criteria—such as known vulnerabilities, malicious signatures, or licensing issues—it blocks the download immediately, preventing the risky dependency from ever entering the software supply chain.
Integration with JFrog Platform
Curation works seamlessly within the broader JFrog Software Supply Chain Platform alongside complementary tools:
- Artifactory: Serves as the repository manager where Curation enforces policies
- Xray: Continuously monitors dependencies throughout the entire software development lifecycle
- Advanced Security: Provides advanced threat detection and vulnerability management
Key Features and Benefits
The primary advantage of JFrog Curation is its position as the first line of defense. By preventing risky packages from entering development environments, organizations eliminate entire categories of downstream security incidents. Teams avoid wasting resources investigating and remediating vulnerabilities that could have been prevented at acquisition time. This approach significantly reduces both security risk and operational overhead.
AI-Assisted Curation
Recent developments in JFrog Curation include agentic software supply chain security powered by artificial intelligence. AI-assisted curation reduces delays in sourcing and compliance checks, allowing developers to spend less time researching libraries and more time innovating. The system can recommend secure alternatives to blocked packages and automate remediation workflows, yielding faster coding cycles and quicker resolution of security concerns.
Related Questions
What is the difference between JFrog Curation and Xray?
Curation blocks risky packages at the acquisition stage before they're downloaded, while Xray continuously monitors dependencies throughout the entire software development lifecycle and production environments. Curation is preventative; Xray is detective and responsive.
How does JFrog Curation prevent supply chain attacks?
By analyzing packages before they enter repositories and applying security policies that block malicious, vulnerable, or non-compliant packages, Curation eliminates the attack vector at the source. This prevents compromised dependencies from ever reaching development or production systems.
What policies can be configured in JFrog Curation?
Organizations can configure policies based on vulnerability severity, license compliance requirements, known malicious signatures, and custom security rules. These policies automatically block packages matching specified criteria when developers request them.
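As an added illustration of the policy-condition model described above and in the "How JFrog Curation Works" section (example code, not JFrog's own implementation or API), the Python gate below evaluates a package request against the four condition types the page lists: vulnerability severity, license compliance, known malicious signature, and a custom rule. The package metadata, thresholds and waiver list are constructed for the example; a real gate would query a vulnerability and license feed.

```python
from dataclasses import dataclass, field

# Constructed metadata for the example; package names and values are fictitious.
PACKAGE_METADATA = {
    ("npm", "example-pad", "1.3.0"):     {"max_cvss": 0.0, "license": "MIT",        "malicious": False, "age_days": 900},
    ("npm", "evil-utils", "0.0.1"):      {"max_cvss": 0.0, "license": "MIT",        "malicious": True,  "age_days": 1},
    ("pypi", "oldlib", "2.1.0"):         {"max_cvss": 9.8, "license": "Apache-2.0", "malicious": False, "age_days": 400},
    ("pypi", "copyleft-tool", "1.0.0"):  {"max_cvss": 3.1, "license": "AGPL-3.0",   "malicious": False, "age_days": 200},
}


@dataclass
class Policy:
    """Conditions applied to every request that reaches the remote repository."""
    block_cvss_at_or_above: float = 7.0
    denied_licenses: frozenset = field(default_factory=lambda: frozenset({"AGPL-3.0", "SSPL-1.0"}))
    min_age_days: int = 14  # custom rule: quarantine releases newer than two weeks
    waivers: frozenset = field(default_factory=frozenset)  # (type, name, version) explicitly approved


def evaluate(policy, pkg_type, name, version):
    """Decide one package request; returns (allowed, reasons) so the verdict is auditable."""
    key = (pkg_type, name, version)
    if key in policy.waivers:
        return True, ["waived"]
    meta = PACKAGE_METADATA.get(key)
    if meta is None:
        # No data means no verdict can be justified: fail closed rather than let it through.
        return False, ["unknown package: no metadata, fail closed"]
    reasons = []
    if meta["malicious"]:
        reasons.append("known malicious")
    if meta["max_cvss"] >= policy.block_cvss_at_or_above:
        reasons.append(f"CVSS {meta['max_cvss']} >= {policy.block_cvss_at_or_above}")
    if meta["license"] in policy.denied_licenses:
        reasons.append(f"license {meta['license']} denied")
    if meta["age_days"] < policy.min_age_days:
        reasons.append(f"released {meta['age_days']}d ago < {policy.min_age_days}d")
    return (not reasons), reasons


if __name__ == "__main__":
    for key in PACKAGE_METADATA:
        allowed, reasons = evaluate(Policy(), *key)
        print("ALLOW" if allowed else "BLOCK", key, reasons)
```

Every condition is evaluated rather than stopping at the first hit, so a blocked request records all the reasons a reviewer would need when deciding whether a waiver is justified.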