A new approach to software security

Malicious attacks are becoming more sophisticated, and AI is making it easier and faster for attackers to execute them. We need new ways to detect and prevent supply chain attacks. Stacklok is developing new tools and approaches, in alignment with open source communities.

Video Overview

Learn more about our approach

This video explains how Stacklok's products, Trusty and Minder, work together to help secure your software supply chain and proactively protect your software projects from malicious attacks.

Minder Cloud

Minder Cloud helps open source developers and communities use open source security tools and standards to continuously secure their software projects, and provide proof of that security to their downstream consumers.

Consistently configure source code repos

No more manual configuration and spreadsheets. Use Minder Cloud to apply and consistently enforce the same set of policies across a group of project repos.

Find safer open source dependencies

Minder flags dependencies in pull requests that have known CVEs or high supply chain risk, and provides a list of safer alternatives to help developers find a different package to use.

Secure GitHub Actions and CI/CD pipelines

Implement GitHub-recommended best practices like limiting workflow permissions and pinning actions to commit SHAs (Minder can even do this automatically for you!). 

Daniel Finneran


"We had well over 100 repos at one point, and all needed some level of review. It would be ideal to be able to set a basic security standard for repos, automate as much as possible, and have remediation steps."

Make safer dependency choices

Trusty makes it easier for developers to understand whether an open source package is authentic, non-malicious, and actively maintained. It's free to use and accessible as a web app and as a Visual Studio Code extension.

Activity scoring

Get quick signal with our Trusty Score, which establishes a benchmark for average levels of activity based on statistical analysis of public GitHub package data.

Package provenance

When artifacts have been signed using Sigstore, Trusty displays a verifiable chain of trust back to the source code so that you know the package is what it says it is.

Package recommendations

Trusty uses generative AI to provide a list of related packages and their scores, so that you can find and evaluate other packages if you need a safer option.

Matt Klein

Founder, Envoy proxy

“Package activity is a key predictor of its health and safety. That's why Envoy's policy on external dependencies includes evaluation factors like number of commits in the last 90 days, release notes, and whether other projects depend on it, so that we can make safe choices."

Software Supply Chain Security (S3C) Weekly

A free weekly newsletter about software supply chain security. We cover security incidents, security tips, free and OSS tools, and updates on community and public sector initiatives you should know about. Brought to you by Stacklok.

Latest News

Introducing the Trusty Dependency Risk Action: Automatically scan PRs for unsafe dependencies

Megan Bruce /
Jul 18, 2024
Continue Reading

Secrets management: GitHub-native tools and best practices to keep your secrets safe

Stacklok /
Jul 16, 2024
Continue Reading

Securing our security platform: Findings from Minder's independent security audit

Stacklok /
Jul 12, 2024
Continue Reading