JFrog has launched a plugin for Anthropic's Claude Code, bringing its governance and security controls into the AI coding tool.
Available to Claude Code users, the plugin is aimed at companies seeking tighter oversight of software produced with autonomous coding agents. It gives users visibility into the software packages, dependencies and AI assets used during development.
The announcement reflects a broader shift in software development as AI coding agents move from limited trials into regular engineering work. That has increased scrutiny of how companies track the decisions these systems make when selecting dependencies, handling builds and preparing software for release.
JFrog linked the launch to its latest research in Australia, which found that 48% of organisations take a week or more to produce audit proof for a single application. The finding points to a growing mismatch between faster development cycles and the slower process of demonstrating governance and compliance.
At the centre of the product is a plugin that lets developers and security teams check artifacts and dependencies as they are used, rather than later in the release process. This enables policy checks, package security reviews, licence compliance and provenance validation within the development workflow.
The plugin also extends Claude Code with JFrog Platform Skills, which allow developers and AI agents to carry out platform operations using natural language. These operations include repository management, project provisioning, vulnerability scanning, curation checks and provenance verification.
Audit pressure
The launch comes as companies face growing pressure to show that software components are trusted and traceable. AI coding tools can speed up code generation and automate repetitive tasks, but they can also increase the number of components entering a software project if controls are weak.
JFrog's platform now manages more than 18 billion artifacts, up 136% from the previous year. The company presented that increase as evidence of a sharp rise in the binaries and software components moving through modern development pipelines.
Anthropic has also publicly highlighted the security questions surrounding autonomous agents. In comments cited by JFrog, Anthropic said the industry needed more investment in agent-specific security posture, including shared benchmarks, disclosure norms, identity standards and cross-vendor red-teaming.
The concern is becoming more relevant as organisations adopt multiple AI tools rather than standardising on a single coding assistant. JFrog expects teams to use different AI agents and argues that governance needs to follow the developer across those environments.
Multi-agent model
To address that, JFrog described three layers of agent connectivity across its platform: platform skills for domain-specific tasks, MCP tools for standardised access to security and compliance data, and agent-native plugins, starting with Claude Code and also supporting Cursor and VS Code Copilot.
This structure is intended to give organisations a common system of record across multi-agent software environments. In practice, that means tracing decisions from source commits through build artifacts and making it easier for security teams to respond to incidents or audits.
Yoav Landman, Co-Founder and Chief Technology Officer at JFrog, said AI agents are increasingly acting inside the software supply chain without enough context about risk or policy. "AI agents are active participants in the software supply chain, making decisions about dependencies, builds, and deployments - but most of them are doing it blind, without any supply chain context. This is often how malicious packages, vulnerabilities, and ungoverned AI assets enter production today, exposing organisations to software supply chain attacks," he said.
He said the integration is intended to give companies more direct oversight of those decisions as AI tools become part of normal software engineering practice. "AI-enabled innovation cannot come at the expense of security or compliance. Enterprises need a universal system of record with real-time control and visibility into the decisions these agents make, that's what this integration enables," Landman said.
The launch underlines how software governance is becoming a more prominent commercial issue as businesses expand the use of AI in development. Rather than focusing only on code generation, vendors are now competing on the controls, traceability and audit trails around those systems.
For engineering leaders, the question is shifting from whether AI agents can write code to whether their actions can be governed to the same standard as human developers. JFrog's data suggests many organisations are still struggling to produce the evidence needed when auditors or incident responders ask for answers.
JFrog said the plugin gives teams end-to-end traceability from source commits to build artifacts, allowing security teams to respond faster and prove compliance without scrambling.