Shift left on software supply chain security

Automatically detect and fix risky external dependencies before you merge your PRs, and harden your build pipelines and software artifacts to proactively prevent supply chain attacks.

Minder by Stacklok: An open source platform to automatically apply and enforce security policies and best practices across your SDLC.

How Minder can help

Minder is an open source, extensible platform that helps OSS maintainers and project owners automatically apply and enforce security policies and settings across groups of repos.

Repo configuration and security

Configure a profile (e.g., prod, PCI) with a set of rules, and apply them to a group of repos. Enable developer-friendly autoremediation actions, like commenting on PRs with a fix.

Dependency and license management

Automatically comment on PRs that include dependencies with known vulnerabilities or high supply chain risk heuristics, and verify that the right license files are being used in your repos.

CI/CD workflow and artifact security

Apply policies to ensure that artifacts can only be produced from specific repos and branches, and verify that artifacts have been signed and are tamper-proof, using the open source project sigstore.

Daniel Finneran


"We had well over 100 repos at one point, and all needed some level of review. It would be ideal to be able to set a basic security standard for repos, automate as much as possible, and have remediation steps."

Make safer dependency choices

Trusty makes it easier for developers to understand whether an open source package is authentic, non-malicious, and actively maintained. It's free to use and accessible as a web app and as a Visual Studio Code extension.

Activity scoring

Get quick signal with our Trusty Score, which establishes a benchmark for average levels of activity based on statistical analysis of public GitHub package data.

Package provenance

When artifacts have been signed using Sigstore, Trusty displays a verifiable chain of trust back to the source code so that you know the package is what it says it is.

Package recommendations

Trusty uses generative AI to provide a list of related packages and their scores, so that you can find and evaluate other packages if you need a safer option.

Matt Klein

Founder, Envoy proxy

“Package activity is a key predictor of its health and safety. That's why Envoy's policy on external dependencies includes evaluation factors like number of commits in the last 90 days, release notes, and whether other projects depend on it, so that we can make safe choices."

Software Supply Chain Security (S3C) Weekly

A free weekly newsletter about software supply chain security. We cover security incidents, security tips, free and OSS tools, and updates on community and public sector initiatives you should know about. Brought to you by Stacklok.

Stacklok logo
© 2024 Stacklok