I’m excited to announce the launch of Minder Cloud, a fully managed software security platform that is free to use for open source developers and communities. Minder Cloud is a freely available version of our open source Minder project.
As attacks on open source increase—and attackers’ strategies move beyond just exploiting CVEs—it has never been more critical for open source communities to invest in keeping their software safe. But because open source maintainers and contributors are often unpaid and working on projects in their free time, we have to do this in a way that doesn’t increase their burden or require them to take on yet another job as security engineers.
When we launched the open source platform Minder back in November 2023, our goal was to make it easier for open source developers and communities to use community security tools to continuously secure their projects, and provide proof of that security to their downstream consumers. That goal hasn’t changed, but now we’re making it even easier for them to adopt Minder, by launching a fully managed version with an easy-to-use UI.
Minder Cloud is currently in alpha, and anyone can sign up and start using it today. It’s available at no cost for public repositories. We are committed to making Minder Cloud free for public repositories forever, because we believe that open source communities need free and open access to tools to help them keep their software safe.
Above: An example of a managed policy template in Minder Cloud
Minder Cloud makes it easy to apply and continuously enforce security policies and best practices that keep your software delivery lifecycle safe—from your source code repositories and open source dependencies to your CI/CD pipelines and build artifacts. We think open source developers and communities can benefit from Minder Cloud in the following ways:
Consistently configure your project repositories: Open source maintainers often use spreadsheets to try to manage repo configuration, and have to manually monitor repositories to make sure those settings are in place. Minder automates this by enabling you to apply and consistently enforce the same set of policies across a group of project repositories.
Use safer open source dependencies: Minder not only flags dependencies with known CVEs or that pose a supply chain risk, but it also can provide a list of safer alternatives right in your PR so that you can easily find a different package to use. Minder integrates with Trusty, a free-to-use service by Stacklok, to enforce policy around safe dependency usage. As of today, Trusty includes a new beta feature, the OSS Trust Graph, that can help communities understand the relative safety and sustainability of a project based on its network of contributors.
Secure GitHub Actions and CI/CD workflows: GitHub Actions, like open source dependencies, are also common vectors for supply chain attacks. Minder helps you implement GitHub-recommended best practices like limiting workflow permissions and pinning actions to commit SHAs (and can even automatically do this for you!).
Build tamper-proof container images: Minder’s sigstore integration allows you to programmatically check to make sure all of your container images are signed, providing cryptographic proof of how they were built and preventing malicious actors from tampering with them.
Secure AI-generated code: You can use Minder in Copilot-enabled repositories to help ensure that code completion suggestions contain safe, non-malicious dependencies and are always scanned for leaked secrets.
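The GitHub Actions item above names two concrete checks (an explicit, least-privilege permissions block and actions pinned to full commit SHAs) and a remediation (rewriting the pin for you). The script below is an added example written for this post, not Minder's own rule engine or code from Stacklok: it runs those two checks over a constructed workflow, shows the weak workflow beside its hardened form, and performs the tag-to-SHA rewrite given a mapping the caller supplies. The SHA values are placeholders, not real commits, and the `resolved` mapping is assumed to come from a lookup the caller already trusts.

```python
import re

# Constructed sample workflow (not from any real repository). It has both weaknesses
# the post describes: actions pinned to mutable tags and no permissions block.
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@v5
      - run: go test ./...
"""

# The same workflow after remediation: a top-level permissions block granting only
# read access to repository contents, and each action pinned to a 40-hex-character
# commit SHA with the original tag kept as a trailing comment. Placeholder SHAs.
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions:
  contents: read
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4
      - uses: actions/setup-go@1111111111111111111111111111111111111111 # v5
      - run: go test ./...
"""

USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Column-0 match only, so nested job-level or step-level blocks are not mistaken
# for the workflow-wide default. [ \t] rather than \s so the match stays on one line.
TOP_LEVEL_PERMISSIONS_RE = re.compile(r"^permissions:[ \t]*(\S*)[ \t]*$", re.MULTILINE)


def unpinned_actions(workflow: str) -> list[str]:
    """Return every `uses:` reference that is not pinned to a full commit SHA."""
    findings = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        # Local (./path) and container (docker://) actions are not pinned by SHA.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _name, _, version = ref.partition("@")
        if not FULL_SHA_RE.match(version):
            findings.append(ref)
    return findings


def evaluate(workflow: str) -> dict:
    """Policy result for the two checks: SHA pinning and restricted permissions."""
    m = TOP_LEVEL_PERMISSIONS_RE.search(workflow)
    # A missing block means the repository default (often write) applies;
    # an explicit `write-all` is no better than missing.
    permissions_restricted = m is not None and m.group(1) != "write-all"
    return {
        "unpinned_actions": unpinned_actions(workflow),
        "permissions_restricted": permissions_restricted,
    }


def pin_actions(workflow: str, resolved: dict[str, str]) -> str:
    """Rewrite tag references to `name@<sha> # <tag>` using a caller-supplied mapping."""
    out = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if m and m.group(1) in resolved:
            ref = m.group(1)
            name, _, tag = ref.partition("@")
            line = line.replace(ref, f"{name}@{resolved[ref]} # {tag}", 1)
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print("weak:", evaluate(WEAK_WORKFLOW))
    print("hardened:", evaluate(HARDENED_WORKFLOW))
    fixed = pin_actions(WEAK_WORKFLOW, {
        "actions/checkout@v4": "0" * 40,   # placeholder SHA
        "actions/setup-go@v5": "1" * 40,   # placeholder SHA
    })
    print("after pinning:", unpinned_actions(fixed))
```

The pinning rewrite only touches references present in `resolved`, so a tag the caller has not resolved is left alone and still shows up as a finding on the next evaluation rather than being silently guessed.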
Both the open source version of Minder and Minder Cloud help open source developers and communities adopt and advance community security tools and frameworks, like sigstore, OSV.dev, Trivy, and GitHub-native security features, to name a few. We’ve heard from many maintainers that it’s not always easy or straightforward for them to adopt these technologies along with their unique security practices—and especially to do that consistently, across all of their GitHub repositories.
Let’s take a look at Minder’s core platform capabilities that make this easier.
Minder’s policy templates help you easily adopt free and open source tools and security best practices to keep your project safe. Minder Cloud currently includes managed policy templates for:
With Minder Cloud, you can apply these policy templates in one click.
Minder Cloud also provides security insights with policy recommendations based on best practices:
In a way that is similar to Kubernetes, Minder proactively monitors your projects and, in many cases, can automatically take action to bring something back into compliance. Remediation actions include opening a PR or commenting on a PR with a proposed fix. These actions are intentionally aligned with developer workflows, to make it easier for contributors to fix security issues in the moment and move on, without having to come back later after their code has already been merged.
Minder supports creating custom “profiles”, which are collections of rules, or policies, to apply to your repositories. You can select from a Stacklok-provided set of rules or define your own rules to apply your own unique security policies. Minder supports writing custom policies as code, in YAML or the Rego policy language. Additionally, you can use Minder’s API to integrate policy checks into your software delivery process.
In addition to the full set of features already available in the Minder open source platform, we’ve added the following new capabilities to Minder Cloud:
Fully hosted installation. No need to run and manage your own Minder server (unless you want to—in which case, see our docs here).
Easy-to-use UI. Minder Cloud includes a UI to make it easier to get started with Minder, from registering your repositories to applying and managing policies across your repos.
GitHub Marketplace integration. Install Minder Cloud as an app on the GitHub Marketplace, to get started without leaving GitHub.
Managed policy templates. Minder Cloud provides managed policy templates that you can apply in one click to secure your source code repositories, dependencies, GitHub Actions workflows, and build artifacts.
Security insights. Based on established security best practices, Minder Cloud can scan your repositories and provide suggestions for ways to make them more secure.
Minder Cloud is currently in alpha, and project owners can start using it immediately for free. We are committed to making Minder Cloud free forever for public repositories, because open source communities need free and open access to tools to help them keep their software safe.
We look forward to hearing your feedback!
Edward Thomson
Product Manager
Edward is a product manager at Stacklok, overseeing product strategy for Stacklok's products, Minder and Trusty. Prior to Stacklok, he was Director of Product Management at Vercel, and a product manager at GitHub focused on GitHub Actions and npm.