
Enabling enterprise developers to shift left

Written by Lauren Hanford | December 3, 2024

In a previous post, we talked about several exciting capabilities available with the Tidelift Subscription that enable enterprise development teams to shift further left when it comes to keeping their applications secure and well maintained. 

Today, we want to dig deeper into our IDE integrations and their capabilities that make it easy for developers to:

  1. Improve the developer experience by providing visibility into the overall security posture of applications with insights beyond vulnerabilities, while also reducing build rejections
  2. Shift left to track and resolve open source software-related technical debt from within the IDE
  3. Avoid time-consuming rework by providing information about dependency issues the moment they are introduced

Most traditional software composition analysis (SCA) tools already provide IDE integrations that flag vulnerabilities. While these tools are effective at identifying issues, they often create a cumbersome remediation process for developers. 

Imagine this: a developer commits new code that introduces a vulnerability brought in by an open source package, triggering a violation from their SCA tool. This sets off a chain reaction, with security teams getting involved, or automated notifications sent out, resulting in a time-consuming, bureaucratic process that’s frustrating for the developer and an inefficient use of precious security and engineering resources. 

Tidelift’s IDE integration simplifies the workflow by identifying issues proactively, before code is committed. This allows developers to address problems efficiently and at the time they are introduced. The IDE integration also helps development teams become more productive by highlighting which remediation actions will have the biggest impact and by providing the ability to bulk resolve issues, instead of addressing them one at a time. By taking the highest-impact actions first, developers can often resolve more issues with fewer actions.

Let’s dig deeper! 

Simplified visibility

Let's start by looking at a typical IDE output from a traditional SCA tool shown below.

Image 1: output of vulnerabilities impacting open source software 

Because traditional SCA tools are only focused on vulnerabilities, what they do best is provide a list of all vulnerabilities impacting your open source usage. But vulnerabilities alone are a very narrow view into application risk. They miss the risk associated with licensing issues, end-of-life versions, and packages that might have been deprecated or abandoned—or are at risk of becoming so. 

Image 2: output of all issues impacting open source software via Tidelift’s IDE integration

In addition to flagging vulnerabilities, Tidelift also flags a variety of additional issues that expose your organization to risk. These include license issues, packages and versions that are deprecated or past end-of-life, and versions that aren’t up to date, to name just a few examples. 

We believe that the risk associated with using end-of-life components alone could far outweigh the risks associated with vulnerabilities that might have a low CVSS score, or vulnerabilities that have a low likelihood of being exploited. 

If you’re a developer or a development manager, this granular view into many types of issues beyond vulnerabilities gives you a more holistic sense of all the risk vectors impacting your organization. It allows you to prioritize the work required to remediate vulnerabilities and tech debt, and to do it in a manner that is most impactful at reducing security risks.

Developer actions

Another differentiated capability in Tidelift’s IDE integration is the availability of specific developer actions to remediate policy violations, like those shown in image 3. Most traditional SCA tools provide actions to remediate specific violations. Tidelift takes a unique approach by considering all the violations across the specific application in question, including various violation types, and provides recommendations that help you remediate as many violations as possible with one action. For example, instead of presenting 15 actions for 15 violations, Tidelift tries to consolidate where possible and show one action that remediates multiple problems.

Image 3: example of how these actions are presented via the Tidelift IDE integration

Tidelift takes into consideration all of the violations—license issues, vulnerabilities, deprecated packages, and more—and provides recommendations for the specific actions to take, along with the resulting improvements. With this information in hand, a development manager can compile a prioritized list of actions for the team, ordered by which actions will have the largest impact on removing risk. For example, as seen in Image 3, if the development team prioritized updating webpack from 4.46.0 to 5.0.0, it would resolve 45 violations and remediate the risk associated with them. The biggest value here is that you or your team do not need to waste time evaluating individual violations one at a time; instead you can bulk resolve violations in a much more efficient manner. 

Action tradeoffs

There are instances where you can take this a step further, where you might have multiple actions that can be taken for the same dependency.

Image 4: example of multiple actions available for remediation

Here, the team can see that migrating from css-loader 2.1.1 to 5.0.0 would resolve 10 violations, whereas migrating to css-loader 6.0 would resolve 8 issues. Engineering teams are in the best position to understand the benefits and tradeoffs of different migration options. Tidelift gives you the ability to evaluate all options so that you can see the trade-offs and make the decision that's most practical for you. 
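To make the ranking and tradeoff idea from the two sections above concrete, here is an added example that is not Tidelift's code and does not reflect how its service computes recommendations. It assumes a constructed set of open violations (each with the lowest version that clears it), constructed candidate upgrade targets, and a constructed list of issues that a target version itself carries, so that an upgrade can resolve some violations while introducing others. The webpack and css-loader versions match the ones in the text; the lodash entry and all issue data are made up for the example. It ranks every candidate action by net violations resolved and then greedily builds a consolidated plan that covers all open violations with as few actions as possible.

```javascript
// Added example (not Tidelift's code): rank candidate upgrade actions by the
// number of policy violations each would resolve, and build a consolidated
// plan that covers all violations with as few actions as possible.
// All package and issue data below is constructed sample input.

// Compare two "major.minor.patch" strings numerically (no prerelease handling).
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  for (let i = 0; i < 3; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return d;
  }
  return 0;
}

// Constructed violations: the installed package, the kind of issue, and the
// lowest version in which the issue no longer applies.
const VIOLATIONS = [
  { id: 'V1', pkg: 'webpack', installed: '4.46.0', type: 'vulnerability', fixedIn: '4.47.0' },
  { id: 'V2', pkg: 'webpack', installed: '4.46.0', type: 'end-of-life', fixedIn: '5.0.0' },
  { id: 'V3', pkg: 'webpack', installed: '4.46.0', type: 'outdated', fixedIn: '5.0.0' },
  { id: 'V4', pkg: 'css-loader', installed: '2.1.1', type: 'vulnerability', fixedIn: '3.0.0' },
  { id: 'V5', pkg: 'css-loader', installed: '2.1.1', type: 'deprecated', fixedIn: '5.0.0' },
  { id: 'V6', pkg: 'css-loader', installed: '2.1.1', type: 'license', fixedIn: '5.0.0' },
  { id: 'V7', pkg: 'lodash', installed: '4.17.20', type: 'vulnerability', fixedIn: '4.17.21' },
];

// Constructed: issues a target version itself carries, so an upgrade can
// resolve violations while introducing new ones (this is the tradeoff).
const KNOWN_ISSUES_AT = {
  'css-loader@6.0.0': [{ type: 'license' }],
};

// Constructed candidate upgrade targets per package.
const CANDIDATES = {
  webpack: ['4.47.0', '5.0.0'],
  'css-loader': ['5.0.0', '6.0.0'],
  lodash: ['4.17.21'],
};

// Evaluate one action: which open violations it resolves, what it introduces,
// and the net change in violation count.
function evaluateAction(pkg, to, violations) {
  const resolves = violations
    .filter(v => v.pkg === pkg && compareVersions(to, v.fixedIn) >= 0)
    .map(v => v.id);
  const introduces = (KNOWN_ISSUES_AT[`${pkg}@${to}`] || []).length;
  return { pkg, to, resolves, introduces, net: resolves.length - introduces };
}

// Rank all candidate actions: highest net impact first, then fewest new
// issues, then package name for a stable order.
function rankActions(violations) {
  const actions = [];
  for (const [pkg, targets] of Object.entries(CANDIDATES)) {
    for (const to of targets) actions.push(evaluateAction(pkg, to, violations));
  }
  return actions.sort(
    (a, b) => b.net - a.net || a.introduces - b.introduces || a.pkg.localeCompare(b.pkg)
  );
}

// Greedy consolidation: repeatedly take the best action against the violations
// still open, until no action resolves anything further.
function consolidatePlan(violations) {
  let open = [...violations];
  const plan = [];
  while (open.length > 0) {
    const best = rankActions(open)[0];
    if (!best || best.resolves.length === 0) break; // nothing left we can fix
    plan.push(best);
    open = open.filter(v => !best.resolves.includes(v.id));
  }
  return plan;
}

// Stand-alone run: print the ranking and the consolidated plan.
for (const a of rankActions(VIOLATIONS)) {
  console.log(`${a.pkg}@${a.to}: resolves ${a.resolves.length}, introduces ${a.introduces}, net ${a.net}`);
}
console.log('plan:', consolidatePlan(VIOLATIONS).map(a => `${a.pkg}@${a.to}`).join(', '));
```

In this data, css-loader 5.0.0 and 6.0.0 both clear the three open css-loader violations, but 6.0.0 brings a license issue of its own, so it ranks lower, which is the kind of tradeoff the engineering team would weigh. The plan ends up with three actions for seven violations; a real integration would feed the ranking with advisory and package-metadata data rather than the constructed tables here.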

New issue notifications

As we shared in the example above, we are keenly aware of the pain developers and security teams feel with the traditional SCA workflow. A developer might introduce a new dependency with issues, but those issues don’t get flagged until much later in development, during the CI/CD process, where the security team gets involved and the process becomes much more painstaking and cumbersome. This often leads to extra work, with the developer having to backpedal and triage to understand how and where the new dependency is being used, while also identifying the available options to remediate the issue. 

Tidelift’s IDE capabilities truly enable a shift-left tactic for developers here.

Image 5: example of a new dependency being introduced

Tidelift helps developers avoid rework by monitoring an application’s manifest file for changes, which allows us to proactively notify developers when new dependencies are introduced that might have issues—not just in these direct dependencies but in their transitive dependencies as well. This in-the-moment alert is a powerful timesaver for developers, making it easier to problem-solve by understanding what the issue is and evaluating the best approach to move forward—whether that be considering another dependency or proactively discussing the tradeoffs associated with using a dependency that has issues that might add risk. 

This approach helps ensure that development teams are not adding new issues and risks, and that they avoid duplicate work where possible.
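As an added illustration of the manifest-monitoring idea (not Tidelift's code, and not how its integration is implemented), the example below diffs a "before" and "after" package.json to find newly introduced or changed direct dependencies, expands them through a resolved dependency graph of the kind a lockfile provides so that transitive packages are covered, and reports which of the newly introduced packages have known issues. The manifests, the graph, the issue feed and every package name in them are constructed for the example; a real integration would read the manifest from disk, take the graph from the actual lockfile, and query an issue feed.

```javascript
// Added example (not Tidelift's code): flag newly introduced direct and
// transitive dependencies that carry known issues, the moment a manifest
// changes. Manifests, graph and issue feed below are constructed sample data.

// Constructed "before" and "after" package.json contents, as read from disk.
const MANIFEST_BEFORE = JSON.stringify({
  name: 'demo-app',
  dependencies: { react: '18.2.0', lodash: '4.17.21' },
  devDependencies: { jest: '29.7.0' },
});
const MANIFEST_AFTER = JSON.stringify({
  name: 'demo-app',
  dependencies: { react: '18.2.0', lodash: '4.17.21', 'left-pad-ish': '1.0.0' },
  devDependencies: { jest: '29.7.0', 'old-coverage-tool': '0.9.0' },
});

// Constructed resolved graph (what a lockfile provides): package@version -> deps.
const RESOLVED_GRAPH = {
  'left-pad-ish@1.0.0': ['string-helper@0.1.0', 'lodash@4.17.21'],
  'string-helper@0.1.0': [],
  'old-coverage-tool@0.9.0': ['legacy-parser@1.2.0'],
  'legacy-parser@1.2.0': ['string-helper@0.1.0'],
  'react@18.2.0': [],
  'lodash@4.17.21': [],
  'jest@29.7.0': [],
};

// Constructed issue feed keyed by package@version.
const ISSUE_FEED = {
  'string-helper@0.1.0': [{ type: 'vulnerability', severity: 'high' }],
  'old-coverage-tool@0.9.0': [{ type: 'deprecated' }, { type: 'end-of-life' }],
};

// Direct dependencies (runtime and dev) as a name -> version map.
function directDeps(manifestText) {
  const m = JSON.parse(manifestText);
  return { ...(m.dependencies || {}), ...(m.devDependencies || {}) };
}

// Direct dependencies that are new in the edited manifest or changed version.
function newDirectDependencies(beforeText, afterText) {
  const before = directDeps(beforeText);
  const after = directDeps(afterText);
  return Object.entries(after)
    .filter(([name, version]) => before[name] !== version)
    .map(([name, version]) => `${name}@${version}`);
}

// Walk the resolved graph from the given roots. Returns a Map of every
// package@version reached to the direct dependency that pulled it in.
function expandTransitive(roots, graph) {
  const via = new Map();
  const stack = roots.map(r => [r, r]);
  while (stack.length) {
    const [node, root] = stack.pop();
    if (via.has(node)) continue;
    via.set(node, root);
    for (const dep of graph[node] || []) stack.push([dep, root]);
  }
  return via;
}

// Alerts for packages that the change newly introduces (directly or
// transitively) and that have known issues. Packages already reachable from
// the previous manifest are not reported again.
function alertsForChange(beforeText, afterText, graph, feed) {
  const roots = newDirectDependencies(beforeText, afterText);
  const beforeRoots = Object.entries(directDeps(beforeText)).map(([n, v]) => `${n}@${v}`);
  const already = expandTransitive(beforeRoots, graph);
  const alerts = [];
  for (const [pkg, root] of expandTransitive(roots, graph)) {
    if (already.has(pkg) || !feed[pkg]) continue;
    alerts.push({ package: pkg, via: root, issues: feed[pkg].map(i => i.type) });
  }
  return alerts.sort((a, b) => a.package.localeCompare(b.package));
}

// Stand-alone run: show what a developer would be told right after the edit.
for (const a of alertsForChange(MANIFEST_BEFORE, MANIFEST_AFTER, RESOLVED_GRAPH, ISSUE_FEED)) {
  console.log(`${a.package} (via ${a.via}): ${a.issues.join(', ')}`);
}
```

Here the developer added two direct dependencies; one of them is itself deprecated and past end-of-life, and both pull in a transitive package with a high-severity vulnerability, so the alert names the transitive package and the direct dependency that introduced it. lodash is reachable from the new dependency too, but it was already present before the change, so it is not reported as new.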

I hope the examples above have given you a clearer sense of how Tidelift's IDE integrations offer a way to shift security choices further left in the development cycle, while also proactively reducing the time developers spend remediating the issues uncovered in the development process. 

By directly integrating with your development environment, Tidelift shows developers not just the vulnerabilities, but also exact actions they can take to resolve those issues—all within their IDE. The integration provides more than just alerts; it highlights the scale of impact each action has, allowing development teams to prioritize their work effectively. 

The result is fewer build rejections, less friction with security teams, and faster development cycles. Moreover, Tidelift helps organizations shift left by enabling developers to take a more holistic approach to identifying and addressing risks early in the development process, well before they reach production. Developers no longer have to wait for SCA results or feedback from security teams—they can act on the issues as soon as they arise.

Please watch the demo below to see the features described above in action.