We’re excited to announce the availability of new capabilities with the Tidelift Subscription that help our customers shift left by enabling their development teams to reduce risk to their revenue, data, and customers by identifying and eliminating bad, risky open source packages as early as possible.
Bad packages (by which we mean bad-for-enterprise-use packages that are end-of-life, abandoned, or insecure) lead to more vulnerabilities, many of which are difficult and costly, if not impossible, to fix without complicated migrations to alternative packages.
Tidelift takes a unique, data driven approach to addressing the issue of bad packages. Tidelift partners with the maintainers of thousands of the most-relied-upon open source packages and pays them to implement industry-leading secure software development practices and document the practices they follow. The result is a unique source of cross-ecosystem package intelligence that customers use to identify and eliminate bad packages.
Recognizing the constant pressure and need to deliver features quickly, we have been working to make it easier for enterprise developers to shift left and make informed decisions about the packages they choose by providing our open source package insights within their preferred workflows.
Tidelift has developed a number of integrations that allow developers to avoid bad packages, and reduce risk in your environment, at critical points in the development lifecycle:
We’ll start with covering the browser integration and the integrated development environment integration. Both these integrations provide all of the package and package version insights available with the Tidelift Subscription, specifically:
Tidelift now provides integrations with Google Chrome and Microsoft Edge that make it easy for developers to analyze software fitness when viewing an open source package or package version on GitHub or in a package manager such as NPM or PyPI.
This information can be used by enterprise developers to quickly assess the overall health and security of the package and whether or not the package should be used for application development. This information can also be downloaded as a .pdf and shared with stakeholders as needed. This allows developers to make better choices when choosing components to use in building their applications.
Tidelift has built IDE beta integrations with VSCode and IntelliJ, making it easier for developers to catch issues with their software before they go into production.
This information can be used by enterprise developers to quickly assess the overall quality of the package and whether or not the package should be used for application development. The IDE integration tracks developer changes in real time, notifying developers when changes they make will bring in packages or releases that are not enterprise quality, or up to corporate standards. This allows issues to be discovered before they are committed to code and pushed to production.
Tidelift integrates with GitLab Pipelines and Code Quality to allow developers to see where new issues are being introduced into the code base. Checks run on each merge request that flag any newly introduced issues that would add risk to your environment. Developers can then fix these issues faster, and avoid known issues from being introduced into their code base.
Watch this short video to learn more
Contact us or read our documentation to learn more about how Tidelift can help you remove risk to your revenue, data, and customers from bad open source packages.