
The latest news and information on application security, including monitoring, testing, and open source.

Best Cloud Application Security Tools: 10 Solutions for 2026

What is cloud application security? Cloud application security is the set of practices, tools, and policies that protect applications running in cloud environments across their entire lifecycle—from code development through CI/CD pipelines to production runtime. Unlike traditional perimeter security, it must protect multiple layers simultaneously: application code, container images, Kubernetes orchestration, and underlying cloud infrastructure under the shared responsibility model.

Building continuous compliance with Aikido and Comp AI

Compliance evidence only works if it reflects the current state of the system. At Aikido, we’ve always treated compliance as a byproduct of good security, not a separate exercise teams need to prepare for. That’s why Aikido integrates with multiple compliance platforms. The goal is simple: let teams use the security data generated in Aikido wherever they run their compliance programs, without changing how they work or maintaining parallel processes.

Breaking AppSec Myths - Obfuscated Packages

As part of the JFrog Security Research team’s ongoing work, we continuously monitor newly published packages across multiple ecosystems for malicious activity. This effort serves the broader open source community through public research disclosures, and it directly impacts the detection capabilities behind JFrog Xray and JFrog Curation. Our scanning pipeline uses a broad set of indicators to detect suspicious behavior.

Introducing Aikido Package Health: a Better Way to Trust Your Dependencies

Aikido Package Health surfaces the true health of an open source package with a single score. It helps devs understand stability, maintenance quality, and supply-chain risk before installing a dependency. Aikido Package Health is a public service that assigns a clear Health Score to open source packages. It gives you an honest signal about which dependencies are well-maintained and safe to adopt, and which ones might need extra scrutiny before you pull them into your project. The goal is simple.

Secure SDLC for Engineering Teams (+ Checklist)

The difference between a secure organization and a breached one depends on how well security is embedded into the Software Development Life Cycle (SDLC). Is security a built-in capability, or was it added after the core architecture was already in place? When it’s the latter, security is scattered and breaches happen.

What AppSec Teams Need to Prepare for in 2026 #applicationsecurity #appsec #aisecurity

Mend.io, formerly known as Whitesource, has over a decade of experience helping global organizations build world-class AppSec programs that reduce risk and accelerate development, using tools built into the technologies that software and security teams already love. Our automated technology protects organizations from supply chain and malicious package attacks, vulnerabilities in open source and custom code, and open-source license risks.

What is Vibe Coding? #vibecoding #aisecurity #coding


Understanding Open-Source License Risk in Modern Software

Open source is one of the best things to ever happen to software development. It is also one of the easiest ways to accidentally ship legal obligations you did not sign up for. Most teams know they rely heavily on open-source dependencies. Fewer teams know exactly what licenses those dependencies use, what obligations come with them, or how those licenses travel through transitive dependencies and container images. That gap is what we call open-source license risk.

Auth0 Strengthens Resiliency and Service Reliability with Datadog

Auth0, part of Okta, is one of the most trusted identity platforms in the world—helping enterprises secure authentication and customer logins at massive scale. Their business depends on resiliency and reliability, and they maintain an extremely high SLA of 99.99% uptime. Because even seconds of downtime can impact customer logins, Auth0 set out to strengthen observability with Datadog across their entire environment and accelerate the way their teams detect, troubleshoot, and resolve issues.