A new approach to software security

Malicious attacks are becoming more sophisticated, and AI is making it easier and faster for attackers to execute them. We need new ways to detect and prevent supply chain attacks. Stacklok is developing new tools and approaches, in alignment with open source communities.

New from Stacklok: Minder Cloud

Sign up now

Video Overview

Learn more about our approach

This video explains how Stacklok's products, Trusty and Minder, work together to help secure your software supply chain and proactively protect your software projects from malicious attacks.

Minder Cloud

Minder Cloud helps open source developers and communities use open source security tools and standards to continuously secure their software projects, and provide proof of that security to their downstream consumers.

Learn More

---

Consistently configure source code repos

No more manual configuration and spreadsheets. Use Minder Cloud to apply and consistently enforce the same set of policies across a group of project repos.

Find safer open source dependencies

Minder flags dependencies in pull requests that have known CVEs or high supply chain risk, and provides a list of safer alternatives to help developers find a different package to use.

Secure GitHub Actions and CI/CD pipelines

Implement GitHub-recommended best practices like limiting workflow permissions and pinning actions to commit SHAs (Minder can even do this automatically for you!). 

Daniel Finneran

Isovalent

"We had well over 100 repos at one point, and all needed some level of review. It would be ideal to be able to set a basic security standard for repos, automate as much as possible, and have remediation steps."

Make safer dependency choices

Trusty makes it easier for developers to understand whether an open source package is authentic, non-malicious, and actively maintained. It's free to use and accessible as a web app and as a Visual Studio Code extension.

Learn More

---

Activity scoring

Get quick signal with our Trusty Score, which establishes a benchmark for average levels of activity based on statistical analysis of public GitHub package data.

Package provenance

When artifacts have been signed using Sigstore, Trusty displays a verifiable chain of trust back to the source code so that you know the package is what it says it is.

Package recommendations

Trusty uses generative AI to provide a list of related packages and their scores, so that you can find and evaluate other packages if you need a safer option.

Matt Klein

Founder, Envoy proxy

“Package activity is a key predictor of its health and safety. That's why Envoy's policy on external dependencies includes evaluation factors like number of commits in the last 90 days, release notes, and whether other projects depend on it, so that we can make safe choices."

Latest News

View All

Driving safe and sustainable open source consumption with two new Stacklok capabilities

Craig McLuckie /

Apr 17, 2024

Continue Reading

Announcing the Proof-of-Diligence (PoD) algorithm: A method of modeling trust and maintainability in open source ecosystems

Luke Hinds / Pankaj Telang /

Apr 17, 2024

Continue Reading

Announcing Minder Cloud: A fully managed software security platform for open source communities

Edward Thomson /

Apr 17, 2024

Minder

Continue Reading