A community-centric software security platform

Minder Cloud helps open source developers and communities use open source security tools and standards to continuously secure their software projects, and provide proof of that security to their downstream consumers. It is free to use for public repos.

Overview

Minder Cloud makes it easy to apply and continuously enforce security policies and best practices that keep your software delivery lifecycle safe—from your source code repositories and open source dependencies to your CI/CD pipelines and build artifacts.

Blog

Announcing Minder Cloud: A fully managed software security platform for open source communities

Minder Cloud: Key capabilities

Consistently configure source code repos

Maintainers and project owners often use spreadsheets to try to manage repo configuration, and manually monitor them to make sure those settings are in place. Minder automates this by enabling you to apply and consistently enforce the same set of policies across a group of project repos.

Find safer open source dependencies

Minder not only flags dependencies in pull requests that have known CVEs or that pose a supply chain risk, but it also can provide a list of safer alternatives so that you can easily find a different package to use. Minder integrates with Trusty, a free-to-use service by Stacklok, to enforce policy around safe dependency usage.

Build tamper-proof container images

Minder uses the open source project sigstore to help developers cryptographically sign their software artifacts and produce a legitimate source-of-origin claim, or provenance statement. These statements provide assurance to consumers that the package is what it says it is, and hasn’t been altered by a malicious actor.

Secure GitHub Actions and CI/CD pipelines

GitHub Actions, like open source dependencies, are common vectors for supply chain attacks. Minder helps you implement GitHub-recommended best practices like limiting workflow permissions and pinning actions to commit SHAs (and can even automatically do this for you!).

Secure AI-generated code

Because of the data it's trained on, AI-generated code from tools like GitHub Copilot may contain deprecated or unsafe dependencies, or leaked secrets from your files. Use Minder in Copilot-enabled repositories to help ensure that code completion suggestions contain safe, non-malicious dependencies and are always scanned for leaked secrets.

What makes Minder Cloud different?

Dependency supply chain risk

Minder integrates with Trusty to flag PRs with dependencies that have high supply chain risk, based on factors like whether they're malicious, have low repo activity, or lack proof of origin through sigstore.

Platform extensibility

Create custom policies to apply to your repositories, optionally choosing from a Stacklok-provided set of rules. Write policies as code in yaml or the Rego policy language.

Community-aligned policies

Minder Cloud's managed policy templates help you use open source tools to secure your source code repos, CI/CD pipelines, build artifacts, and dependencies.

Developer-centric workflows

Minder Cloud helps developers catch and address security risks as early as possible, and in their native workflows. It can auto-remediate issues by commenting on or opening PRs with a proposed fix.

Security insights

Based on established security best practices, Minder Cloud can scan your repositories and provide suggestions for ways to make them more secure that you can put in place with just one click.

Automatic remediation

Minder Cloud proactively monitors your projects and can automatically take action to bring something back into compliance. Auto-remediation actions include re-enabling a disabled setting; and opening or commenting on PRs.

Blog

Applying lessons learned from building Kubernetes to software supply chain security

FAQ

FAQs about Minder Cloud

Learn more about Minder Cloud and its capabilities.

Minder Cloud is for open source developers and communities who want to better secure their projects and protect them from malicious attacks. It provides an alternative to developers and communities who prefer to use and support open source tools to keep their projects safe. Unlike traditional security platforms, Minder Cloud takes a more holistic approach to addressing supply chain security, focusing on risk factors beyond CVEs in the SDLC that can leave projects vulnerable to software quality and security issues and impact downstream adoption.

Minder Cloud is Stacklok’s fully managed version of Minder, an open source security platform. It provides an alternative for open source developers and communities who do not want to run and manage their own Minder server.

Minder Cloud includes the same features as the open source version, as well as a UI and other features for added security and ease of use, like managed policy templates and security insights.

Minder Cloud makes it easy to apply and continuously enforce security policies and best practices that keep your software delivery lifecycle safe—from your source code repos and open source dependencies to your CI/CD pipelines and build artifacts. It can also help you generate attestation statements to prove that your software was built in a secure way.

Because developers rely on open source to build their apps, malicious actors are increasingly using open source as an attack vector. This is leading to more scrutiny and government regulation of open source security. Open source maintainers and contributors are often volunteers, working nights and weekends on their projects. They don’t have extra time or dedicated security teams to continuously monitor the security of their projects and catch issues before they harm consumers and hinder adoption.

Minder Cloud helps open source communities protect their projects, without needing to have deep security expertise or manage yet another platform. To do this, it provides managed policy templates with security best practices that project owners can easily apply across their SDLC to keep their projects safe. Once policies are applied, Minder will continuously monitor projects for issues, and can automatically remediate to fix issues before PRs are merged or artifacts are built.

Stacklok has committed to making Minder Cloud free forever for use on public repositories.

No. Minder Cloud actually makes it easier to adopt and comply with OpenSSF Scorecard standards, many of which are included in our managed policy templates.

Yes. Minder integrates with GitHub’s built-in tools, CodeQL and Dependabot, respectively. Additionally, you can use Minder to check pull requests for dependencies with known vulnerabilities from the Open Source Vulnerabilities database. Beyond scanning for vulnerabilities, though, you can also use Minder’s Trusty integration to check PRs for dependencies that are known or suspected to be malicious or deprecated, or that don’t follow security best practices (for example, they haven’t been signed using sigstore). In the future, we plan to integrate with additional SAST and SCA tools.

Check out our documentation here!

Resources

Featured Content

Driving safe and sustainable open source consumption with two new Stacklok capabilities

Announcing the Proof-of-Diligence (PoD) algorithm: A method of modeling trust and maintainability in open source ecosystems

Software Supply Chain Security (S3C) Weekly

For Developers

Find and evaluate open source packages

For Open Source Communitites

Secure and govern software projects