Is your organization struggling to track the usage of open source packages across development teams? When downloading open source packages, does your organization have a plan in place to ensure these packages meet organization standards that provide a safeguard in case vulnerabilities are discovered?
With the Tidelift Subscription, customers can gain visibility into the open source software in use at their organization and mitigate long-term organizational risk by standardizing open source software management practices and policies across the organization. In the following demo, Tidelift Solutions Architect Larry Copeland walks through the ways in which your organization can upload (or create) a software bill of materials (SBOM) in Tidelift and how organizations can establish and apply agreed-upon standards to effectively manage open source package usage across the organization.
Uploading an SBOM into Tidelift
Tidelift provides flexible APIs which organizations can use to upload their SBOM into the Tidelift Subscription to see valuable package metadata for direct and transitive open source dependencies. Tidelift can also generate SBOMs from manifests and lockfiles for common package managers.
Once an SBOM has been uploaded into Tidelift, users can easily access package-specific information such as versioning, license, whether the package is a direct or transitive dependency, whether the dependency scope is development or runtime, and much more. You can learn more about SBOM functionality by reading our documentation.
Catalogs in the Tidelift Subscription
Whether you upload existing SBOMs or generate them with Tidelift, the catalog functionality displays information gathered from SBOM imports and provides centralized visibility into which open source packages are approved (and denied) for use across the organization. The catalog makes it easy to filter packages by platform (npm, Maven, etc.) or search for a specific package by name. In addition to package metadata, Tidelift also provides version guidance, vulnerability information, and insights on the security and development practices a project follows, to assess a package's enterprise readiness. You can learn more about catalog functionality by reading our documentation.
Configuring open source standards
Through our catalog standards functionality, organizations can set up the types of checks packages must be evaluated against to mitigate long-term risk. Tidelift provides an evolving collection of standards that check packages in your catalog for security, licensing, and maintenance-related issues. Tidelift notifies you when there are standards violations, taking the guesswork (and legwork) out of catalog management. You can learn more about standards functionality by reading our documentation.