Trusty provides a free-to-use service with scoring and metrics about a package’s repo and author activity.
Minder is an open source platform that helps project owners build more secure software and prove that what they’ve built is secure.
Automatically detect and fix risky external dependencies before you merge your PRs, and harden your build pipelines and software artifacts to proactively prevent supply chain attacks.
Minder by Stacklok: An open source platform to automatically apply and enforce security policies and best practices across your SDLC.
Minder is an open source, extensible platform that helps OSS maintainers and project owners automatically apply and enforce security policies and settings across groups of repos.
Configure a profile (e.g., PCI) with a set of rules, and apply them to a group of repos. Enable developer-friendly autoremediation actions, like commenting on PRs with a fix.
Automatically comment on PRs that include dependencies with known vulnerabilities or high supply chain risk heuristics, and verify that the right license files are being used in your repos.
Apply policies to ensure that artifacts can only be produced from specific repos and branches, and verify that artifacts have been signed and are tamper-proof, using the open source project sigstore.
"We had well over 100 repos at one point, and all needed some level of review. It would be ideal to be able to set a basic security standard for repos, automate as much as possible, and have remediation steps."
Trusty makes it easier for developers to understand whether an open source package is authentic, non-malicious, and actively maintained. It's free to use and accessible as a web app and as a Visual Studio Code extension.
Get quick signal with our Trusty Score, which establishes a benchmark for average levels of activity based on statistical analysis of public GitHub package data.
When artifacts have been signed using Sigstore, Trusty displays a verifiable chain of trust back to the source code so that you know the package is what it says it is.
Trusty uses generative AI to provide a list of related packages and their scores, so that you can find and evaluate other packages if you need a safer option.
"Package activity is a key predictor of its health and safety. That's why Envoy's policy on external dependencies includes evaluation factors like number of commits in the last 90 days, release notes, and whether other projects depend on it, so that we can make safe choices."
Founder, Envoy proxy
A free weekly newsletter about software supply chain security. We cover security incidents, security tips, free and OSS tools, and updates on community and public sector initiatives you should know about. Brought to you by Stacklok.