Stacklok logo
Home
Products
Minder Trusty
Company
About Careers Open Source Press
Resources
Blog Videos Trusty Docs Minder Docs View all resources
Contact
Login

A new approach to software security

Malicious attacks are becoming more sophisticated, and AI is making it easier and faster for attackers to execute them. We need new ways to detect and prevent supply chain attacks. Stacklok is developing new tools and approaches, in alignment with open source communities.

New from Stacklok: Minder Cloud
Sign up now
Video Overview

Learn more about our approach

This video explains how Stacklok's products, Trusty and Minder, work together to help secure your software supply chain and proactively protect your software projects from malicious attacks.

Minder Cloud

Minder Cloud helps open source developers and communities use open source security tools and standards to continuously secure their software projects, and provide proof of that security to their downstream consumers.

Learn More

Consistently configure source code repos

No more manual configuration and spreadsheets. Use Minder Cloud to apply and consistently enforce the same set of policies across a group of project repos.

Find safer open source dependencies

Minder flags dependencies in pull requests that have known CVEs or high supply chain risk, and provides a list of safer alternatives to help developers find a different package to use.

Secure GitHub Actions and CI/CD pipelines

Implement GitHub-recommended best practices like limiting workflow permissions and pinning actions to commit SHAs (Minder can even do this automatically for you!). 

Daniel Finneran

Isovalent

"We had well over 100 repos at one point, and all needed some level of review. It would be ideal to be able to set a basic security standard for repos, automate as much as possible, and have remediation steps."

Blog

Announcing Minder Cloud: A fully managed software security platform for open source communities

Continue Reading

Make safer dependency choices

Trusty makes it easier for developers to understand whether an open source package is authentic, non-malicious, and actively maintained. It's free to use and accessible as a web app and as a Visual Studio Code extension.

Learn More

Activity scoring

Get quick signal with our Trusty Score, which establishes a benchmark for average levels of activity based on statistical analysis of public GitHub package data.

Package provenance

When artifacts have been signed using Sigstore, Trusty displays a verifiable chain of trust back to the source code so that you know the package is what it says it is.

Package recommendations

Trusty uses generative AI to provide a list of related packages and their scores, so that you can find and evaluate other packages if you need a safer option.

Matt Klein

Founder, Envoy proxy

“Package activity is a key predictor of its health and safety. That's why Envoy's policy on external dependencies includes evaluation factors like number of commits in the last 90 days, release notes, and whether other projects depend on it, so that we can make safe choices."

Above: Prototype of the Package Graph view of the next.js project

New: OSS Trust Graph private beta

The OSS Trust Graph, a new capability of Trusty, is a way to model trust in open source ecosystems. It maps the connections between open source contributors and projects, and, through a “proof-of-diligence” algorithm, uses that data to build an understanding of the relative safety and sustainability of those projects. 

It can be used to:

  • Identify malicious activity: Identify when a number of relatively unknown individuals start to contribute to the same project, or when the behavior of a maintainer changes

  • Identify open source projects that need support: Identify when a high-contributing maintainer leaves a project, leaving it vulnerable; or when a high-scoring project has a low number of maintainers and could benefit from support and funding

Blog

Announcing the Proof-of-Diligence (PoD) algorithm: A method of modeling trust and maintainability in open source ecosystems

Continue Reading

Software Supply Chain Security (S3C) Weekly

A free weekly newsletter about software supply chain security. We cover security incidents, security tips, free and OSS tools, and updates on community and public sector initiatives you should know about. Brought to you by Stacklok.

Subscribe Now

Latest News

Driving safe and sustainable open source consumption with two new Stacklok capabilities

Craig McLuckie /
Apr 17, 2024
Continue Reading

Announcing the Proof-of-Diligence (PoD) algorithm: A method of modeling trust and maintainability in open source ecosystems

Luke Hinds / Pankaj Telang /
Apr 17, 2024
Continue Reading

Announcing Minder Cloud: A fully managed software security platform for open source communities

Edward Thomson /
Apr 17, 2024
Minder
Continue Reading
Newsletter

Stay in the loop

Subscribe to our newsletter for the latest news about our products and about open source supply chain security.

Stacklok logo
© 2024 Stacklok
Privacy Policy
Main Menu
Home About Careers Contact
Products
Trusty Minder
Resources
All Resources Blog Videos Trusty Docs Minder Docs
Contact Us
hello@stacklok.com