JFrog Ltd, the Liquid Software company and creators of the JFrog Software Supply Chain Platform, released the Singapore findings from its 2026 Software Supply Chain Security State of the Union report. The findings reveal a striking contradiction in Singapore’s security posture: a carefully constructed governance framework with no tooling to enforce it. In a year when global software supply chain attacks reached record highs – 171,592 malicious npm packages (up 451 per cent), 495 weaponised AI models on public registries, and 11.7 million new packages entering supply chains – this gap is alarming because it leaves organisations exposed in the areas where attackers are most likely to strike.
“Singapore has done a lot of hard work in building governance frameworks that most markets are still debating. That foundation is a genuine competitive advantage, but only if its enforcement can keep pace,” said Sunny Rao, SVP of APAC, JFrog. “Policies that rely on manual review and human checkpoints cannot keep up with AI-driven development. The organisations that will lead from here are the ones that embed enforcement directly into the pipeline – so that every artefact, every model, and every dependency is curated, scanned, and validated before it ever reaches a developer’s machine.”
In regulated markets like Singapore, organisations are increasingly expected to provide clear, auditable records of how software, including AI-driven systems, is built, secured, and deployed. In practice, software delivery is moving faster than organisations' ability to prove what is in production.
The Singapore findings from JFrog’s annual report are drawn from 174 local respondents, part of JFrog’s global survey of 1,508 IT professionals across eight countries. On the surface, Singapore’s security metrics are impressive: the country leads all eight surveyed nations on network proxy enforcement (67 per cent) and shows the highest rate of critical AI scrutiny in the dataset (71 per cent insist on carefully reviewing AI-suggested fixes). But the report also exposes a consistent pattern of policy without enforcement:
Audit readiness gap: 54 per cent need a week or more to produce compliance proof per application, despite 95 per cent claiming to track application ownership – suggesting the data exists but isn’t structured or accessible on demand.
Approval friction that invites workarounds: 59 per cent of developers wait a week or more for new open-source package approvals, the slowest rate in APAC.
Shadow AI enforcement gap: 18 per cent of Singapore organisations have policies against unauthorised AI tools but no mechanism to detect violations – the highest “policy-only” rate in APAC.
Secrets detection blind spot: Only 25 per cent have adopted secrets detection – virtually identical to the global average of 28 per cent, and the most under-deployed security control in the dataset relative to threat volume.
Manual review cannot keep pace with the speed of AI development
JFrog’s report found that 60 per cent of Singapore DevSecOps stakeholders cite security governance and policy enforcement as their top time burden, while 41 per cent identify reviewing and hardening AI-generated code as a significant drain on resources. This proves that Singapore organisations are fighting machine-speed development with human-speed reviews – a bottleneck that will inevitably widen the gap between governance intent and operational reality. This operational strain is compounded by the region’s slowest OSS approval cycles.
“Every organisation in Singapore that has invested in governance frameworks has the right intent. The next step is making those frameworks self-enforcing,” Rao added. “That means curating trusted packages and AI models before they reach the pipeline, scanning for exposed secrets automatically rather than hoping developers catch them, and using contextual analysis to focus remediation on the vulnerabilities that actually matter in your environment. When governance is built into the platform, security teams stop being bottlenecks and start being business accelerators.”