Resolved Security and JFrog Partner to Bring Verifiable Remediation Evidence to the Software Supply Chain

New Resolved–JFrog Evidence integration embeds verifiable remediation metadata into every artifact, ensuring continuous compliance, secure releases, and faster audits.

We’re excited to announce our integration with JFrog Evidence, bringing verifiable proof of open-source vulnerability remediation directly into the software supply chain.

With this integration, organizations using JFrog Artifactory can automatically attach cryptographically signed evidence of vulnerability scans and fixes to every build artifact - making it easier than ever to prove security, ensure compliance, and maintain trust in software releases.

Why this matters

As software supply chains grow more complex, proving that vulnerabilities were remediated - not just detected - is becoming essential for DevSecOps teams.

By connecting Resolved Security’s automated remediation engine with JFrog’s Evidence Collection, every artifact produced in CI/CD gains a verifiable record of its security state: what was fixed, when, and by whom.

  • Policy enforcement & governance
    Using JFrog Evidence, teams can automatically block or promote artifacts based on the presence and validity of Resolved Security’s remediation evidence. This enables policy-driven governance, ensuring only compliant, remediated artifacts advance through the pipeline.
  • Compliance auditing
    The integration embeds signed, immutable remediation metadata directly into artifacts - providing audit-ready evidence of continuous vulnerability management. This supports frameworks like SOC 2, ISO 27001, and NIST 800-53, eliminating manual audit prep and enabling real-time compliance attestation.

Integration highlights

  • Automatic open-source vulnerability remediation - Secure, drop-in replacements for vulnerable libraries without disruptive upgrades.
  • Automated evidence attachment - Generates and signs remediation evidence automatically during CI/CD.
  • Verifiable remediation proof - Attaches cryptographically signed metadata showing which vulnerabilities were fixed by Resolved Security.
  • Full traceability - Links each artifact in JFrog Artifactory to its remediation history for transparent audits.
  • Policy-based control - Enforce promotion gates based on remediation status to ensure secure, compliant releases.
  • Compliance-ready reporting - Provides immutable proof of vulnerability management for security and compliance audits.

How it works

During CI/CD builds, Resolved Security scans dependencies and applies fixes automatically.
The integration then uses JFrog’s CLI to attach a signed record - including fixed CVEs, timestamps, and metadata - to the corresponding artifact in Artifactory.

Artifacts missing valid evidence or containing unresolved vulnerabilities can be automatically blocked from promotion or release, ensuring continuous compliance throughout the pipeline.
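As an added illustration of the promotion gate described above (example code written for this page, not code from Resolved Security or JFrog), the block below builds a signed remediation record with fixed CVEs and a timestamp, then decides whether an artifact may be promoted. The evidence field layout, the placeholder CVE identifiers and the HMAC key are all assumptions; HMAC stands in for the asymmetric signature a real evidence pipeline would use.

```python
import hashlib
import hmac
import json

# Constructed sample evidence record. Its field layout is an assumption for this
# example, not JFrog's or Resolved Security's actual evidence schema.
SAMPLE_EVIDENCE = {
    "subject": {"name": "example-app:1.4.2", "sha256": "<artifact-digest-placeholder>"},
    "predicateType": "example.invalid/remediation-evidence/v1",  # placeholder type
    "predicate": {
        "tool": "Resolved Security",
        "timestamp": "2025-01-15T12:00:00Z",
        "fixed": ["CVE-PLACEHOLDER-0001", "CVE-PLACEHOLDER-0002"],
        "unresolved": [],
    },
}

# Hypothetical key. HMAC stands in for the asymmetric signature a real evidence
# pipeline would use; the gate logic below is the same either way.
SIGNING_KEY = b"constructed-example-key"

def canonical(evidence: dict) -> bytes:
    """Deterministic encoding so signer and verifier hash identical bytes."""
    return json.dumps(evidence, sort_keys=True, separators=(",", ":")).encode()

def sign_evidence(evidence: dict, key: bytes = SIGNING_KEY) -> str:
    return hmac.new(key, canonical(evidence), hashlib.sha256).hexdigest()

def verify_evidence(evidence: dict, signature: str, key: bytes = SIGNING_KEY) -> bool:
    # compare_digest avoids leaking the expected value via timing
    return hmac.compare_digest(sign_evidence(evidence, key), signature)

def promotion_decision(evidence, signature, key: bytes = SIGNING_KEY):
    """Mirror the gate in 'How it works': missing, tampered, or still-vulnerable
    evidence blocks promotion. Returns ('promote' | 'block', reason)."""
    if evidence is None or signature is None:
        return ("block", "no remediation evidence attached to artifact")
    if not verify_evidence(evidence, signature, key):
        return ("block", "evidence signature invalid (tampered or wrong key)")
    unresolved = evidence["predicate"].get("unresolved", [])
    if unresolved:
        return ("block", "unresolved vulnerabilities: " + ", ".join(unresolved))
    fixed = evidence["predicate"].get("fixed", [])
    return ("promote", f"{len(fixed)} remediated, signature valid")

if __name__ == "__main__":
    sig = sign_evidence(SAMPLE_EVIDENCE)
    print(promotion_decision(SAMPLE_EVIDENCE, sig))
```

Any edit to the record after signing, such as adding a CVE to the fixed list, invalidates the signature and the gate blocks the artifact.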

Business impact

  • Security teams: Gain verifiable proof of remediation without manual tracking.
  • DevOps teams: Keep pipelines fast and automated with zero build disruption.
  • Compliance teams: Access audit-ready evidence that every artifact meets organizational standards.

The result: stronger governance, faster audits, and reduced risk - all without slowing down development.

About Resolved Security

Resolved Security automatically remediates open-source vulnerabilities without requiring disruptive dependency upgrades. We deliver secure-by-default, drop-in replacements of open-source libraries enhanced with upstream security fixes - enabling fast, stable, and secure development at scale.

About JFrog Evidence

JFrog Evidence provides an automated, tamper-proof way to collect and manage attestations across the software supply chain. It integrates directly with JFrog Artifactory and CI/CD workflows, ensuring every artifact carries trusted metadata for security, compliance, and provenance.