Today, I’m excited to announce that Stacklok is contributing our Minder open source project to the Open Source Security Foundation (OpenSSF). Minder makes it simpler for developers and security teams to adopt a policy-based approach to open source software security; it reduces noise, alerts to risk only when necessary, auto-remediates inconsistencies and spans the entire software development lifecycle.
The OpenSSF is the perfect home for Minder, since the Foundation’s goal is to sustainably secure open source software. The community already includes a number of powerful projects. We created and contributed Minder to make those projects—all that innovation—easier to integrate and operate. In talking with organizations from across industries, we know there’s a strong interest in an open source software security platform that is actually open source. Leaders understand that the best way to strengthen their posture is by working more closely with the open source community. We’re convinced that Minder can bridge that gap.
“We believe organizations that adopt a policy-based approach to security are best positioned to stay steps ahead of threat actors,” said Bob Callaway, Head of Google's Open Source Security Team. “To that end, Minder brings a complementary set of capabilities to the OpenSSF Security Tools Working Group.”
Contributing Minder to an open source foundation is a crucial commitment from us. This commitment ensures that the community can not only adopt Minder, but also trust that it’s being developed under an open governance model, inside a foundation. We have always wanted OpenSSF to be that foundation, since we’re aligned on values, and also see the need for a community-centric platform capable of securing the software development lifecycle (SDLC).
We conceived Minder as an open source project from the beginning; but we also conceived of it as a platform, not just a project. My co-founder at Stacklok, Craig McLuckie, co-created Kubernetes, and just as Kubernetes proved an anchor point for cloud native computing, we recognized a similar need in open source software security.
Let me give you a concrete example: we use Minder as the platform that powers our Stacklok Cloud product. It ingests data from multiple integration sources, such as the OSV vulnerability databases, or our own open source dependency security intelligence service. It then uses a GitHub provider integration to apply that data to pull requests: any pull request that introduces new dependencies is gated, so that it cannot bring in risks such as known vulnerabilities or malicious packages.
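The gating policy described above, as an added example that is not Minder's own code: it extracts the dependencies a pull request adds from a unified diff of a requirements.txt file and evaluates them against OSV-format vulnerability records. The diff and the OSV records are constructed sample data; a real gate would fetch records from the OSV API.

```python
import re

# Constructed OSV-format records (sample data, not real advisories).
SAMPLE_OSV = [
    {"id": "EXAMPLE-2024-0001",
     "affected": [{"package": {"ecosystem": "PyPI", "name": "leftpad"},
                   "ranges": [{"type": "ECOSYSTEM",
                               "events": [{"introduced": "0"},
                                          {"fixed": "1.2.0"}]}]}]},
]

# Matches an added requirements.txt line such as "+leftpad==1.1.0".
ADDED_DEP = re.compile(r"^\+([A-Za-z0-9_.-]+)==(\d+(?:\.\d+)*)\s*$")

def added_dependencies(diff_text):
    """Return (name, version) pairs for requirement lines a PR adds."""
    return [(m.group(1).lower(), m.group(2))
            for m in map(ADDED_DEP.match, diff_text.splitlines()) if m]

def _vtuple(v):
    # Numeric versions only; pre-release suffixes are ignored here.
    return tuple(int(p) for p in v.split(".") if p.isdigit())

def is_affected(version, events):
    """Walk sorted OSV range events: affected from 'introduced' until 'fixed'."""
    v, affected = _vtuple(version), False
    for ev in events:
        if "introduced" in ev and v >= _vtuple(ev["introduced"]):
            affected = True
        elif "fixed" in ev and v >= _vtuple(ev["fixed"]):
            affected = False
    return affected

def evaluate_pr(diff_text, osv_records, ecosystem="PyPI"):
    """Policy: block the PR if any added dependency falls in an OSV range."""
    violations = []
    for name, version in added_dependencies(diff_text):
        for rec in osv_records:
            for aff in rec["affected"]:
                pkg = aff["package"]
                if pkg["ecosystem"] != ecosystem or pkg["name"].lower() != name:
                    continue
                for rng in aff["ranges"]:
                    if is_affected(version, rng["events"]):
                        violations.append((name, version, rec["id"]))
    return {"allowed": not violations, "violations": violations}

# Constructed diff: the PR downgrades leftpad into the affected range.
SAMPLE_DIFF = """--- a/requirements.txt
+++ b/requirements.txt
@@ -1,2 +1,4 @@
 requests==2.31.0
-leftpad==1.2.0
+leftpad==1.1.0
+safe-lib==3.0.0
"""
```

Running `evaluate_pr(SAMPLE_DIFF, SAMPLE_OSV)` flags leftpad 1.1.0 against the sample record and blocks the pull request, while safe-lib passes because no record names it.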
But Stacklok Cloud is merely the product that we wanted to build with Minder. As we talked to different people in the community who were interested in using Minder within their organization, we saw that they had their own unique goals. But there were common trends: everyone wanted a platform capable of integrating different tools and services in the SDLC, so that they could evaluate different policies, and ultimately produce different remediations.
We designed Minder as a platform precisely to provide a “big tent” so that people could build their own tools and services on top of Minder, and address the specific security concerns of their own SDLC. This means that you can take a vested interest in Minder, and have a say in its direction and evolution. An open governance model ensures that your voice is heard and you can help shape the future of Minder.
Our connection and commitment to the OpenSSF runs deep. First, Minder integrates with a number of OpenSSF projects. Minder uses the OSV data sources to provide vulnerability data about dependencies, and Sigstore to validate artifact signatures. We also provide a Minder profile – a set of policy rules – to help you understand and improve your OpenSSF Scorecard score.
Of course, working in the open source community means always contributing back. This is especially important to me, as my experience with the OpenSSF goes back to when I first contributed Sigstore to the Linux Foundation and later to the OpenSSF. After that, I served as a member of the OpenSSF Technical Advisory Council (TAC), and then as a Governing Board Member of the OpenSSF.
It’s not just me, though; this is a deep part of Stacklok’s culture. Many of us are involved in open source, and especially in open source security projects that are supported by OpenSSF. The Stacklok team consists of contributors and maintainers of projects like Sigstore, OpenVEX, Protobom and TUF.
When Craig and I started Stacklok, one of the first things that we did was to define our culture. When we did that, we defined our virtues, not our values. The difference is that a virtue is something that you live and demonstrate every day.
One of our virtues is that we “stand together”. This is true within the company – each individual has a superpower and bringing them together means that the team is more than the sum of its parts. But that’s also true of open source communities. The community is more than the sum of the projects within it.
We believe that if Minder is to succeed as an integration platform for other security tools, it must be a part of an openly governed organization. Minder needs to stand together with the other security tools. And to demonstrate that, we simply must contribute Minder to the OpenSSF. It wouldn’t be consistent with our company culture to do anything else.
We’re proud that OpenSSF has admitted Minder as a sandbox project, and allowed us to honor these commitments. I encourage you to start exploring Minder now—to use it or to contribute to it, visit https://github.com/mindersec/minder.
Luke Hinds, CTO
Luke Hinds is the CTO of Stacklok. He is the creator of the open source project sigstore, which makes it easier for developers to sign and verify software artifacts. Prior to Stacklok, Luke was a distinguished engineer at Red Hat.