Trusty provides a free-to-use service with scoring and metrics about a package’s repo and author activity.
At Stacklok, we believe that the open source software supply chain represents one of the greatest technical treasures and sources of human innovation. We also see open source software as a tantalizing target for sophisticated hostile actors. Malware injection into the open source software supply chain is the most significant cyberthreat facing the software industry—and we want to help prevent it.
Our team's background is in creating, maintaining, and scaling open source systems, including Kubernetes and Sigstore. We're drawing on our expertise in open source and security to give developers and open source communities better tools to secure their software and manage external dependency risk.
Stacklok began with the idea that signing and verifying software can and should be dramatically simpler. Consuming software from an unknown origin represents a huge security risk—and yet the majority of open source software isn't signed today, likely because the practice of doing so has historically been cumbersome.
Stacklok CTO Luke Hinds founded the open source project Sigstore in 2020 as a way to make this process easier. Sigstore provides free certificates and tools to automate and verify signatures of source code, and makes those certificates visible, discoverable, and auditable.
In light of Executive Order 14028, it's clear that enterprise developers and open source communities will be held to stricter standards for supply chain security—beyond just signing their source code. And yet developers and communities still don't have many freely accessible tools to help them build safer software and accurately evaluate dependency safety.
Enter Stacklok. We're building free-to-use products to help developers make better assessments about the dependencies they're using, and clear assertions about the security of the software they're building.
Stacklok’s mission is to make it easier to securely develop software. We help developers better understand how their practices and choices impact the security of the software they produce, and we enable companies to implement and insist on practices that lead to safer software delivery and better production security posture.
We seek out the strengths in ourselves and one another and rely on those strengths to balance our mutual shortcomings.
We believe that the good work we do has the potential to make the world a fundamentally safer place for our loved ones.
When we succeed we look out and see the contributions of others.
We are curious by nature and believe in the power of experimentation and incremental improvement.
Stacklok’s leaders have spent their careers conceiving, building and supporting open source projects and communities.
Co-Founder & CEO
Craig McLuckie, CEO of Stacklok, is an experienced startup founder and leader in the open source ecosystem and cloud computing. Prior to Stacklok, Craig was the founder and CEO of Heptio, an Accel and Madrona Portfolio Company. After the acquisition of Heptio by VMware for $500 million, he served as VP R&D at VMware for 3.5 years, where he managed a team of over 1,500 engineers and supported the growth of the Tanzu business from ~$50M to close to $1B through organic and inorganic growth (acquisition). He participated in shaping VMware’s overall strategy around cloud native apps, which will likely remain a significant area of focus, even given the Broadcom acquisition announcement. He sponsored key innovation efforts like Tanzu Application Platform, a logical successor to Pivotal Cloud Foundry, and managed the Spring engineering team, amongst other developer-focused efforts.
Prior to Heptio, Craig was a product management leader at Google, where he co-founded Kubernetes, a highly successful open source project that is used or being evaluated by 96% of organizations, according to a recent survey. Craig also bootstrapped and chaired the Cloud Native Computing Foundation, an open source, vendor-neutral hub and host for multiple cloud native open source projects. Additionally, during his time at Google, Craig and Heptio co-founder Joe Beda created and drove the delivery of Google Compute Engine, which emerged as the anchor for Google’s cloud strategy.
Co-Founder & CTO
Luke is a highly regarded and industry-recognized open source security leader and a former Distinguished Engineer from the Red Hat CTO office. While at Red Hat, Luke led a security engineering team in the Office of the CTO, where open source projects such as enarx and keylime were built.
In 2020, Luke founded Sigstore, an open source project that dramatically simplifies digitally signing and verifying software components, giving consumers a safer chain of custody that traces software back to its source. He currently chairs Sigstore's technical steering committee. He is among the founding members of OpenSSF, a cross-industry organization that brings together the industry's most important open source security initiatives and the individuals and companies that support them. He currently serves as an OpenSSF Governing Board Member and previously served in a community-elected position on the Technical Advisory Council. Luke also manages the vulnerability bug bounty program for Kubernetes. He is a board member of the Confidential Computing Consortium.
Luke is widely considered an authority on open source supply chain security and is often invited to speak at events including the RSA Conference and Kubecon / CloudNativeCon.
VP Of Product
Eryn is VP of Product Management at Stacklok, where she leads business and product efforts to enable developers and secure software supply chains using open source technologies. Eryn has spent the last nine years enabling enterprise adoption of Kubernetes and cloud native computing technologies during her time at VMware, Heptio, and Mesosphere.
Most recently at VMware, Eryn led platform product management for VMware’s Tanzu cloud native computing business. Eryn has a deep understanding of the challenges with shipping software securely and putting open source technologies into production systems.
Eryn is a Pacific Northwest native and can usually be found skiing down or hiking up mountains.
Principal Software Engineer
Evan Anderson is a Principal Software Engineer at Stacklok, securing software supply chains using open source technologies.
He has been working in cloud for almost 20 years, starting at Google’s private cloud and then building Google Compute Engine and various serverless offerings, including Cloud Functions, Cloud Run, and Knative.
About 4 years ago, Evan joined VMware as a Senior Staff Engineer, working on Tanzu Application Platform until June 2023.
Director of Engineering
Brian Dussault is the Director of Engineering at Stacklok, where he is focused on securing the software supply chain.
Prior to joining Stacklok, he was a Senior Director of Engineering at VMware. At VMware, he led the popular open source Spring Framework, which is used and trusted by millions of Java developers around the world.
After spending the last 10 years operating an open source project at scale, he has developed a deep understanding and empathy for the software supply chain challenges faced by consumers and producers of open source software.
Director of Product Marketing
Megan is the Director of Product Marketing at Stacklok. Prior to Stacklok, she worked as a product manager at Google Cloud, providing go-to-market and user research support for Google Cloud's serverless orchestration products and helping to build fault injection tooling for developers.
Megan previously worked in both product marketing and product management leadership roles at VMware. She joined VMware after its acquisition of Heptio, and helped to establish the initial Tanzu platform brand, messaging, and enterprise go-to-market strategy. She also supported go-to-market and product management efforts for VMware Tanzu Mission Control, a Kubernetes cluster management platform.
Megan is a former co-chair of Open Seattle, a volunteer civic technology organization. She also co-founded the Civic User Testing Group with University of Washington associate professor Nic Weber to engage Seattle citizens in testing and providing feedback on local civic technology projects.
We are doing important, interesting work at Stacklok, but topmost is the way we treat each other like human beings should. Sometimes, a list of ‘core values’ is entirely aspirational. Here at Stacklok it is a statement of fact.
I was interested in supply chain security before joining, and I believe that we can make a difference in making software safer at Stacklok. Another reason I love working here is because we stay true to our culture. We’re unlike other startups that have a ‘work hard, burn fast’ attitude … we encourage respect, professionalism, and healthy boundaries.
I joined Stacklok because I really believe in our innovative approach to security management. Working with colleagues that I trust, admire, and share the same work ethic made a difference. I love being part of a dynamic environment and working on an amazing project from the beginning.