June 11, 2026

How APAC firms are handling software supply chain security

  • APAC reported wider use of software supply chain security and AI governance tools.
  • Australia, India, and Singapore led in enforcement, OSS scanning, and network controls.

JFrog’s 2026 Software Supply Chain Security State of the Union report found that organisations in Australia, India, and Singapore reported broader use of software supply chain security tools than other regions covered in its survey. The APAC respondents also reported wider use of AI governance controls.

The report found that APAC performed above other regions on four of the five main security and AI governance metrics assessed. These included security tooling, AI input and output checks, unauthorised AI use detection, and open-source software controls.

The report cited existing regulatory and compliance frameworks in Singapore and Australia, naming Singapore’s Technology Risk Management Guidelines and Australia’s Essential Eight framework as examples of measures that have encouraged governance controls.

The APAC respondent base also leaned toward large enterprises with more than 5,000 employees.

The findings also showed clear differences between the three APAC markets. Australia, India, and Singapore varied by 16 to 20 percentage points across several areas, including AI trust, security automation, and open-source software governance.

Australia leads in automated enforcement

Australia’s results were marked by automated enforcement. The country had the highest reported use of automated controls to block unapproved integrated development environment extensions and MCP servers, at 47%.

Australia also reported the highest rate of self-hosted AI model deployment, at 61%.

In open-source software approvals, Australia recorded the fastest result in APAC. Fifty-three per cent of Australian respondents said packages were approved within five days.

Australia also led the region in full provenance visibility, at 67%. Provenance visibility refers to the ability to trace the origin, ownership, and changes of software components across the development process.

The report also found that 15% of Australian respondents relied on developer self-governance.

India reports higher trust in AI fixes

India reported high use of automation in software approvals and AI-assisted security workflows. The country had the highest rate of unconditional trust in AI-suggested security fixes among all surveyed markets.

Thirty-four per cent of Indian respondents said they would use an AI-suggested security fix as the definitive solution after a quick review. The report said this was nearly four times the rate recorded in Spain and twice the non-APAC average.

India led globally in automated open-source software approval scanning, at 57%. It also had the highest rate of package auto-updates tied to passing security scans, at 38%.

The report found that India recorded the highest AI input and output monitoring rate in the dataset, at 87%. This refers to checks on data sent into AI systems and the responses produced by those systems.

Singapore focuses on controlled access

Singapore led globally in network proxy enforcement for blocking unapproved package registries, at 67%.

Network proxy enforcement allows organisations to control which external repositories or registries developers can access.

Singapore also had the slowest open-source software package approval process among the three APAC markets. Fifty-nine per cent of Singapore respondents said package approval took a week or more.

Eighteen per cent of Singapore respondents said their organisation had a policy against unauthorised AI tools but no mechanism to detect violations.

Singapore respondents also showed the lowest level of trust in AI-suggested security fixes among the APAC markets. Eighteen per cent said they would treat an AI recommendation as definitive, while 71% said they would require careful review before implementation.

AI model use varies by market

The report also compared how organisations consume AI models. It found that the US relied more heavily on commercial cloud APIs, with 54% using services such as OpenAI, Claude, or Gemini as their primary AI model source.

Australia was the strongest self-hosted market, India reported higher cloud API use at 44%, and Singapore recorded cloud API use at 39%.

Security controls differ by layer

The report also found that each APAC country led in a different layer of software supply chain security. Australia led in controls at the developer workstation level.

India led in open-source software pipeline scanning. Singapore led in network-level enforcement.

Developer workstation controls block unapproved tools before they interact with code. Pipeline scanning checks packages during ingestion.

Network enforcement limits access to approved software registries.

Secrets detection remains less widely deployed

JFrog reported lower deployment of secrets detection across the three APAC markets than several other security controls. Secrets detection refers to scanning codebases for exposed credentials, API keys, and tokens.

Australia had the highest APAC rate for secrets detection, at 38%.
