
Finding #5: The best practice of centrally managing a repository of approved open source components is growing rapidly

by Chris Grams
on May 10, 2022


In December of 2021, Tidelift fielded our annual survey of technologists who use open source to build applications at work. Nearly 700 people shared how they use open source software today, what holds them back, and what tools and strategies help them use it even more effectively.

In this post, we share the fifth of seven key findings. If you don’t want to wait for the rest of the results, you can download the full survey report right now at the link below.

Download Survey


Over the past few years, several analyst firms including Gartner and IDC and leading open source management experts have recommended that organizations interested in more effectively managing open source security, maintenance, and licensing should consider creating and maintaining a centralized repository of approved open source components. The core benefits of this approach are:

1) Developers can move faster. When pulling from the approved repository, developers don’t get bogged down by the slow approval process that, as our previous survey findings showed, many large organizations have today. A new component is vetted only once; once approved, it can be used by developers across the organization without going through approval again. This makes the entire development team more efficient as the repository of approved components grows over time.

2) Open source security improves. When a vulnerability like Log4Shell emerges, rather than a slow search-and-remediate mission throughout the organization, a central repository can help quickly identify where the impacted components are being used. Then a consistent remediation recommendation for impacted applications can be applied quickly, everywhere the impacted component is in use. A centralized repository also gives development leaders one place to track components and versions that have already been pre-vetted to meet the organization’s security, maintenance, and licensing standards and policies. Rather than expecting individual developers to become experts regarding these complex issues, decisions are made centrally, for the entire organization at once.

In this year’s survey we wanted to see how widely the best practice of a centralized repository of approved open source components is already in use in organizations.


We found that 65% of organizations are already using centralized repositories to track open source components, whether for just a few business segments within the organization (27%), for most or all applications (22%), or in a pilot or active test of this approach (16%). Only 26% of respondents report that their organization has no near-term plans to use centralized repositories to track open source.


As with many of the other questions in this survey, we also broke the results down by organization size. Of note, 75% of organizations with over 10,000 employees are already using centralized repositories to track open source components or are piloting their use. And 37% of these large organizations are already using centralized repositories for most or all business segments.

Meanwhile, smaller organizations are much less likely to be using centralized repositories, with only 19% using them throughout the organization and 32% with no near-term plans to use them.

We hope you found some useful and actionable information in this blog post. If you’d like to get notified as future posts come out, please sign up for our blog digest here. Or if you don’t want to wait, download the full survey results today!
