Our mission at Tidelift is to make open source work better—for everyone. One key element of our strategy is to partner with maintainers and pay them to validate that their open source packages meet industry standards that improve the overall health and resilience of the open source software supply chain. At the same time, we work with our customers, open source consumers, to implement a proactive approach to using and managing the open source that powers their applications.
Today, we’re excited to announce the release of the quality checks functionality in the Tidelift Subscription, which makes it possible for our customers to become more proactive and make informed decisions about which open source packages to approve or deny for usage in their software development lifecycle.
What is the quality checks functionality?
Tidelift’s partnered maintainers undertake the work to validate that their open source packages align with a set of industry standards drawn from efforts like the OpenSSF Security Scorecard checks, the CIS Software Supply Chain Security Guide, and the OpenSSF Best Practices, to name a few.
The quality checks functionality packages up the work done by maintainers and makes it available to our customers as easy-to-consume data about the standards and the status of each standard for a specific package.
Please visit our documentation portal to learn more about the quality checks.
What is the value of this data?
Through our partnership with open source maintainers, Tidelift is uniquely positioned to provide verified package-specific data directly from maintainers. Our customers use this data to proactively assess the risk profile of a specific package and whether it should be approved for use or not.
Without this data, development leaders who own these decisions and the related consequences are faced with researching and investigating packages themselves, which takes time and is often difficult because of a lack of verified data.
Open source related risks and vulnerabilities can never be completely eliminated, but with proactive, informed decision-making, organizations can drastically increase developer happiness and cut down the time they waste re-working code based on SCA reports.
When maintainers undertake the work to validate that their open source packages align with the standards we’ve outlined, they inherently make their package healthier and more resilient, thus also making the underlying open source software supply chain more resilient. At the same time, our customers are choosing more resilient open source packages, thus improving the health and resilience of the applications they build.
If you’re an existing customer, this functionality is available to you directly through your subscription. If you’re new to Tidelift, we invite you to learn more about how the Tidelift Subscription can help your organization manage open source effectively.