
Validated open source package intelligence 

Does your organization rely heavily on open source software but struggle to understand how specific open source components might make you more susceptible to vulnerabilities and attacks?

Tidelift helps leading organizations address this challenge by providing first-party, human-researched insights on open source packages, supporting better-informed decisions about which packages and versions to use in development.


Maintainer-validated insights and more, available only from Tidelift

Tidelift’s open source package intelligence data is researched and validated by Tidelift and our paid maintainer partners and available via the Tidelift Subscription. Tidelift automates the data collection, curates and structures the data, and provides APIs to easily integrate with existing workflows and business intelligence tools.

With the Tidelift Subscription, you’ll have access to:  

First-party maintainer-sourced data

Tidelift partners directly with the maintainers of thousands of the most popular open source packages and pays them to validate that they follow secure development practices like those outlined by government and industry, such as the NIST Secure Software Development Framework (SSDF) and the OpenSSF Scorecard project. This gives organizations unique first-party, maintainer-sourced insights such as:

  • Who has publish privileges on the upstream package managers?
  • How does the package ensure that only the people who should push releases are the ones doing so?
  • Does the package have multi-factor authentication enabled for both contributing code and publishing releases?
  • Detailed recommendations on vulnerability handling:
    • Are there available workarounds?
    • Which specific methods and access patterns does a vulnerability affect (for example, does it affect usage in development and testing, or only in production)?
    • Is a reported issue a false positive, and why?

Explore our documentation
Automated, structured, and centralized data

Tidelift aggregates data across multiple upstream package manager ecosystems and source repositories into a centralized and structured format. As part of this process, Tidelift enhances the data collected from various sources to produce insights such as: 

  • List of releases and release dates
  • Upstream license information
  • Upstream source repository location
  • Per-release dependencies, as specified in package manager metadata
  • Source repository maintenance (last commit date, contributions, issues, and pull requests over the past year)
  • OpenSSF scorecard information (whether releases are signed, whether binary artifacts are present, and more)


Explore our documentation

Tidelift human-researched data

The upstream data is analyzed and further researched by the Tidelift data science team with the aim of providing more contextualized insights for our customers. Packages and releases are analyzed on a number of criteria, producing insights such as: 

  • Is the package actively maintained?
  • Is there a security policy for the package?
  • Has the package been deprecated?
  • Is a new version a release or a prerelease?
  • Is the release affected by any vulnerability?
  • Has the release been removed from upstream?
  • Is the release more than 7 years old?
  • Is the maintenance team responsive to security issues?
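As an added example (not Tidelift's code, API schema, or data model), here is the kind of policy check a consumer of structured per-release data like the aggregated fields and research criteria listed above might run in Python. It defines a record type whose field names are hypothetical stand-ins for that data, a prerelease detector covering semver and PEP 440 version conventions, the "more than 7 years old" rule, an assumed one-year "actively maintained" threshold, and a constructed sample of four releases. The field names, the one-year threshold and the allow/warn/block policy are assumptions made for this illustration.

```python
"""Evaluate per-release package metadata against the criteria listed above.

Added example, not Tidelift's own code: the record layout, field names,
the one-year maintenance threshold and the allow/warn/block policy are
hypothetical, constructed for this illustration.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Semver prerelease: a hyphen after MAJOR.MINOR.PATCH. Build metadata after
# '+' (e.g. 1.0.0+build.5) is not a prerelease and must not be flagged.
_SEMVER_PRE = re.compile(r"^v?\d+\.\d+\.\d+-")

# PEP 440-style versions; the named groups distinguish a prerelease (pre/dev
# segment present) from a final or post release.
_PEP440 = re.compile(
    r"^v?(?P<release>\d+(?:\.\d+)*)"
    r"(?P<pre>[._-]?(?:a|b|c|rc|alpha|beta|pre|preview)[._-]?\d*)?"
    r"(?P<post>[._-]?(?:post|rev|r)\d*)?"
    r"(?P<dev>[._-]?dev\d*)?"
    r"(?P<local>\+[0-9A-Za-z.]+)?$",
    re.IGNORECASE,
)


def is_prerelease(version: str) -> bool:
    """True for alpha/beta/rc/dev builds; ValueError if the string is not a version."""
    version = version.strip()
    if _SEMVER_PRE.match(version):
        return True
    m = _PEP440.match(version)
    if m is None:
        raise ValueError(f"unrecognised version string: {version!r}")
    return bool(m.group("pre") or m.group("dev"))


MAX_RELEASE_AGE = timedelta(days=7 * 365)  # the page's "more than 7 years old" criterion
MAX_COMMIT_GAP = timedelta(days=365)       # assumed threshold for "actively maintained"


@dataclass(frozen=True)
class ReleaseRecord:
    """Hypothetical per-release record; field names are assumptions, not a real schema."""
    package: str
    version: str
    released: date
    removed_upstream: bool = False
    deprecated: bool = False
    last_commit: Optional[date] = None
    has_security_policy: bool = False
    vulnerabilities: Tuple[str, ...] = ()  # advisory identifiers affecting this release


def evaluate(rec: ReleaseRecord, today: date) -> List[str]:
    """Return the findings for one release; an empty list means every check passed."""
    findings: List[str] = []
    if rec.removed_upstream:
        findings.append("removed-upstream")
    if rec.deprecated:
        findings.append("deprecated")
    try:
        if is_prerelease(rec.version):
            findings.append("prerelease")
    except ValueError:
        findings.append("unparseable-version")  # never silently treat junk as a final release
    if today - rec.released > MAX_RELEASE_AGE:
        findings.append("older-than-7-years")
    if rec.last_commit is None or today - rec.last_commit > MAX_COMMIT_GAP:
        findings.append("not-actively-maintained")
    if not rec.has_security_policy:
        findings.append("no-security-policy")
    findings.extend(f"vulnerable:{adv}" for adv in rec.vulnerabilities)
    return findings


BLOCKING = {"removed-upstream", "deprecated", "unparseable-version"}


def decision(findings: List[str]) -> str:
    """Assumed policy: removal, deprecation, unparseable version or any advisory blocks."""
    if any(f in BLOCKING or f.startswith("vulnerable:") for f in findings):
        return "block"
    return "warn" if findings else "allow"


# Constructed sample data (fixed 'today' keeps the results deterministic).
TODAY = date(2024, 1, 15)
SAMPLE = [
    ReleaseRecord("examplelib", "2.4.1", date(2023, 11, 2),
                  last_commit=date(2023, 12, 20), has_security_policy=True),
    ReleaseRecord("examplelib", "3.0.0-rc.1", date(2024, 1, 9),
                  last_commit=date(2024, 1, 8), has_security_policy=True),
    ReleaseRecord("oldtool", "1.0.2", date(2015, 3, 1), last_commit=date(2016, 6, 1)),
    ReleaseRecord("gonepkg", "0.9.0", date(2022, 5, 5), removed_upstream=True,
                  last_commit=date(2022, 5, 4),
                  vulnerabilities=("advisory-placeholder-1",)),  # constructed, not a real ID
]


def run(records: List[ReleaseRecord], today: date) -> Dict[str, str]:
    """Map 'package==version' to the policy decision for each record."""
    return {f"{r.package}=={r.version}": decision(evaluate(r, today)) for r in records}


if __name__ == "__main__":
    for rec in SAMPLE:
        found = evaluate(rec, TODAY)
        print(f"{rec.package}=={rec.version}: {decision(found)} {found}")
```

The prerelease check deliberately raises on strings it cannot parse rather than returning False, so a malformed or unusual tag surfaces as a finding instead of passing as a final release; thresholds other than the 7-year cutoff are placeholders to replace with your own policy.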

Explore our documentation

Learn how our customers use this data to drive better decision-making, which results in more efficiency and increased autonomy for development teams.

The benefits of validated open source package data

Open source intelligence data at scale

Gathering open source information one package at a time is painstaking, time consuming, and expensive. Tidelift has built a unified, cross-ecosystem data model at scale, across millions of open source packages.

Reduce time spent analyzing packages and make better decisions

Gain first-party data about secure software development practices, release guidance, licensing information, and more, validated by Tidelift and our paid maintainer partners.

Data where you need it

Access these insights via APIs, with the flexibility to pull them into your preferred workflows and tools.