Open source standards

Standards configuration ("policy settings") is how catalog administrators decide which open source packages and releases are allowed to be used. By default, standards are configured to make decisions automatically, so that you only review tasks for the policy violations you care about. These decisions are logged in the catalog audit report ("audit trail").

Some customers may choose to have additional oversight on the decisions. If you turn on task review for a given standard, you can expect to receive review tasks, and your catalog administrator must close each of these tasks on a per-release basis. Use caution when selecting this option, as it can generate potentially thousands of review tasks to close out.

Standards configuration

Enabling a standard

When you enable a standard, Tidelift checks releases for violations of this standard. By default, administrator review is not required, and releases or packages with violations will be denied.

[Screenshot: Tidelift-policy-config.png, the standards configuration settings]

Optional settings

'Create a task' setting

When this is enabled, a task is created whenever violations are found. A catalog administrator must review the task and close it with a decision: either keep the decision the system made for you or override it.

Allow the use

When this is enabled, Tidelift won’t deny the release or package due to violations of the standard. The violation will be allowed for the release or package and Tidelift will track the violation in your catalog.

The end result

The end result is a clear list of approved and denied decisions on releases and packages for developers to consult. There is also a living record of the decisions that were made about the open source you use. You can use this list to track developer compliance with your policies, and engineering, security, and compliance teams can use the catalog's record of decisions in their respective workflows.


How policies are applied — technical details

  1. A release of a package is added to your catalog.
  2. The release is evaluated against your standards ("policies"). Each standard you configure represents a different type of issue you’d like Tidelift to check for. For each issue found, Tidelift creates a violation.
  3. Each violation is automatically given an allowed or not allowed decision based on your standards configuration.
  4. Tidelift reviews all of the violation decisions and assigns a release or package status of approved or denied. A release may have many violations that are allowed or not allowed, but it can only have one release status: approved or denied.
  5. Tidelift continuously monitors the release for new violations or changes to existing violations and automatically updates the release status accordingly.

In order for a package or release to be marked as approved, it must be violation-free, or all of the violations must be allowed through overriding each violation decision.

Tidelift will make decisions to allow or not allow violations automatically based on how you configure your catalog standards. If you want to force a release to always be denied, you can block releases.
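The evaluation flow above (violations found per enabled standard, an automatic allowed or not allowed decision per violation, a single approved or denied status per release, administrator overrides, and re-evaluation when facts change) can be modelled in a few dozen lines. The following Python is an added illustrative model, not Tidelift's own code or API: the standard names, the `check` functions, the "facts" dictionary describing a release, and the vulnerability identifier are all constructed for the example.

```python
"""Toy model of catalog standards evaluation (illustrative only, not Tidelift's code).

Assumed inputs: a dict of constructed "facts" about a release (license,
vulnerability ids, deprecation) and a list of Standard settings. Each standard's
check function returns issue descriptions; each issue becomes one violation.
"""
from dataclasses import dataclass, field
from typing import Callable


@dataclass(frozen=True)
class Standard:
    name: str
    check: Callable[[dict], list[str]]  # facts -> list of issue descriptions (hypothetical)
    enabled: bool = True
    create_task: bool = False           # 'Create a task': an administrator must close a task
    allow_use: bool = False             # 'Allow the use': violation is tracked, release not denied


@dataclass
class Violation:
    standard: str
    detail: str
    allowed: bool          # the decision: True = allowed, False = not allowed
    task_open: bool = False
    overridden: bool = False


@dataclass
class Release:
    package: str
    version: str
    blocked: bool = False  # a blocked release is always denied
    violations: list[Violation] = field(default_factory=list)
    audit_trail: list[str] = field(default_factory=list)


def status(release: Release) -> str:
    """One status per release: approved only if violation-free or every violation is allowed."""
    if release.blocked:
        return "denied"
    return "approved" if all(v.allowed for v in release.violations) else "denied"


def evaluate(release: Release, facts: dict, standards: list[Standard]) -> str:
    """Find violations, decide each one automatically, derive the release status.
    Administrator overrides from an earlier evaluation are kept (keyed by standard
    and detail) so that continuous re-evaluation does not discard them."""
    kept = {(v.standard, v.detail): v for v in release.violations if v.overridden}
    fresh = []
    for std in standards:
        if not std.enabled:
            continue
        for detail in std.check(facts):
            if (std.name, detail) in kept:
                fresh.append(kept[(std.name, detail)])
                continue
            v = Violation(std.name, detail, allowed=std.allow_use, task_open=std.create_task)
            decision = "allowed" if v.allowed else "not allowed"
            release.audit_trail.append(f"{std.name}: {detail} -> {decision} (automatic)")
            fresh.append(v)
    release.violations = fresh
    return status(release)


def override(release: Release, standard: str, detail: str, allowed: bool, admin: str) -> str:
    """Administrator keeps or overrides the automatic decision and closes the task."""
    for v in release.violations:
        if v.standard == standard and v.detail == detail:
            v.allowed, v.overridden, v.task_open = allowed, True, False
            decision = "allowed" if allowed else "not allowed"
            release.audit_trail.append(f"{standard}: {detail} -> {decision} (by {admin})")
            return status(release)
    raise KeyError(f"no violation for {standard}: {detail}")


def open_tasks(release: Release) -> list[Violation]:
    return [v for v in release.violations if v.task_open]


# Constructed example standards; names and checks are hypothetical.
STANDARDS = [
    Standard("Known vulnerabilities",
             lambda f: [f"vulnerability {vid}" for vid in f.get("vulnerabilities", [])],
             create_task=True),
    Standard("License allowlist",
             lambda f: [] if f.get("license") in {"MIT", "Apache-2.0", "BSD-3-Clause"}
             else [f"license {f.get('license')}"],
             create_task=True, allow_use=True),
    Standard("Deprecated", lambda f: ["package deprecated"] if f.get("deprecated") else [],
             enabled=False),
]

if __name__ == "__main__":
    rel = Release("example-lib", "1.2.3")
    facts = {"license": "GPL-3.0", "vulnerabilities": ["CONSTRUCTED-VULN-1"], "deprecated": True}
    print(evaluate(rel, facts, STANDARDS))      # denied: the vulnerability is not allowed
    print(len(open_tasks(rel)))                 # 2 review tasks
    print(override(rel, "Known vulnerabilities", "vulnerability CONSTRUCTED-VULN-1", True, "admin"))
    print(evaluate(rel, {**facts, "vulnerabilities": []}, STANDARDS))  # approved after the fix
    print(*rel.audit_trail, sep="\n")
```

Two details worth noting: the disabled "Deprecated" standard produces no violation at all, and the license violation is allowed but still opens a task, which matches the page's point that "Allow the use" tracks a violation without denying the release while "Create a task" independently demands an administrator decision.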

