Pages

08 June, 2026

Singapore software supply chains are backed by strong governance but no enforcement

JFrog, the creators of the JFrog Software Supply Chain Platform, have released the Singapore findings from its 2026 Software Supply Chain Security State of the Union report*. The findings reveal a contradiction in Singapore’s security posture: a governance framework with no tooling to enforce it. 

Source: JFrog's 2026 Software Supply Chain Security State of the Union report. Injection vulnerabilities are up 3,110% thanks to AI coding assistants, JFrog said. Cross-site scripting (XSS) Common Vulnerabilities and Exposures (CVEs) nearly tripled. SQL injection CVEs grew 445% in a single year. Injection vulnerabilities grew 3,110%. The company noted that these are decades-old vulnerability classes that are understood and preventable, but surging because "AI-assisted development produces them at a volume that outpaces any manual review process".

In a year when global software supply chain attacks reached record highs – 171,592 malicious node package manager (npm) packages (up 451%), 495 weaponised AI models on public registries, and 11.7 million new packages entering supply chains – this gap is alarming because it leaves organisations exposed in the areas where attackers are most likely to strike, JFrog said.

“Singapore has done a lot of hard work in building governance frameworks that most markets are still debating. That foundation is a genuine competitive advantage, but only if their enforcement can keep pace,” said Sunny Rao, SVP of APAC, JFrog.

“Policies that rely on manual review and human checkpoints cannot keep up with AI-driven development. The organisations that will lead from here are the ones that embed enforcement directly into the pipeline – so that every artifact, every model, and every dependency is curated, scanned, and validated before it ever reaches a developer’s machine.”

In regulated markets like Singapore, organisations are increasingly expected to provide clear, auditable records of how software, including AI-driven systems, is built, secured, and deployed. In practice, software delivery is moving faster than organisations' ability to prove what is in production.

The Singapore findings from JFrog’s annual report are drawn from 174 local respondents, part of JFrog’s global survey of 1,508 IT professionals across eight countries. On the surface, Singapore’s security metrics are impressive: the country leads all eight surveyed nations on network proxy enforcement (67%) and shows the highest rate of critical AI scrutiny in the dataset (71% insist on carefully reviewing AI-suggested fixes). But the report also exposes a consistent pattern of policy without enforcement:

- Audit readiness gap: 54% still need a week or more to produce compliance proof per application, despite 95% claiming to track application ownership – suggesting the data exists, but isn’t structured or accessible on demand.

- Approval friction that invites workarounds: 59% of developers wait a week or more for new open-source package approvals, the slowest rate in APAC.

- Shadow AI enforcement gap: 18% of Singapore organizations have policies against unauthorized AI tools but no mechanism to detect violations – the highest “policy-only” rate in the Asia-Pacific region (APAC).

- Secrets detection blind spot: Only 25% have adopted secrets detection – monitoring the accidental exposure of sensitive data across the organisation. This percentage is very close to the global average of 28%, and the most under-deployed security control in the dataset relative to threat volume, JFrog said.

JFrog’s report found that 60% of Singapore DevSecOps stakeholders cite security governance and policy enforcement as their top time burden, while 41% identify reviewing and hardening AI-generated code as a significant drain on resources. This proves that Singapore organisations are fighting machine-speed development with human-speed reviews – a bottleneck that will inevitably widen the gap between governance intent and operational reality. This operational strain is compounded by the region’s slowest open source software (OSS) approval cycles.

“Every organisation in Singapore that has invested in governance frameworks has the right intent. The next step is making those frameworks self-enforcing,” Rao added.

“That means curating trusted packages and AI models before they reach the pipeline, scanning for exposed secrets automatically rather than hoping developers catch them, and using contextual analysis to focus remediation on the vulnerabilities that actually matter in your environment. When governance is built into the platform, security teams stop being bottlenecks and start being business accelerators.”

Explore

Download the JFrog 2026 Software Supply Chain Security State of the Union report at https://jfrog.com/software-supply-chain-state-of-union/

The APAC regional analysis is available at https://jfrog.com/blog/the-ai-governance-gap-2026-software-supply-chain-report/

*The 2026 JFrog Software Supply Chain Security State of the Union combines JFrog Platform usage data, JFrog Security Research vulnerability analyses, and findings from a commissioned survey of 1,508 full-time security, DevOps, and IT professionals (January–February 2026) across the US, UK, France, Germany, India, Australia, Spain, and Singapore (Singapore n=174; APAC n=506). The research was conducted by Atomik Research. The margin of error for the overall sample is +/- 3 percentage points with a confidence level of 95%.

No comments:

Post a Comment