We have designed Tidelift to be flexible to ensure simplicity and ease of integration into your organization’s existing workflows.
Here are some of the most common places organizations integrate Tidelift open source intelligence:
- For open source approval workflows that feed into developer dashboards
- As part of continuous integration pipelines to augment other checks
- Into internal reporting, business intelligence, and compliance analytics tools
For open source approval workflows that feed into developer dashboards
Most organizations have some basic processes in place to evaluate open source packages before they are approved for use. Tidelift significantly improves this evaluation process by bringing unique insights to the process. Below we describe how best to bring Tidelift’s package insights into existing workflows.
An organization with a small volume of open source package reviews
If your organization is just doing periodic review, whether by the security team, the legal team, or the Open Source Program Office (OSPO), Tidelift makes it easy to get answers about license type, version information, the maintainer(s), the software development practices a package follows, and more—just by looking up the package in the Tidelift user interface. Tidelift evaluates nearly all of the packages our customers use against a variety of metrics and presents this information in an easy-to-use interface.
Figure 1: Example of open source package intelligence via Tidelift web UI
An organization with a high volume of open source package reviews
For organizations that need a higher volume of access, or just don’t like clicking around UIs, Tidelift also provides this data via a simple REST API that can be called from any programming language and integrated into the requests that are already being handled.
Using the API to integrate Tidelift into your workflows gives you access to the same kinds of checks you’d find in the UI to help make smart decisions, including:
- The license of the package
- Whether it shows maintenance activity, or whether it’s deprecated
- Whether it’s responsive to security issues
- The release history of the package
- Whether the maintainers are receiving income for their work
- and more
Figure 2: Example of open source package intelligence via Tidelift API
The API output also includes all of the underlying criteria that go into each data field, for deeper analysis.
In addition to using these insights to evaluate and approve which open source packages developers should be using, this data from Tidelift can also be used to make suggestions to developers. If, for example, your developers are looking for a new Python HTTP library, you can use Tidelift to suggest the most popular, best-maintained packages that align with organizational requirements.
As part of continuous integration pipelines to augment other checks
Getting important information directly in front of developers as they’re developing is a key way to increase developer velocity.
Tidelift makes it easy to bring information directly to developers so they can see when their dependencies carry risks and determine how best to address them. By putting Tidelift’s package insights in front of developers, you enable them to make better decisions.
Separately, many organizations check their software’s risk level in their continuous integration/continuous delivery pipeline. Each time they build their software, they assess it for issues using various scanning tools, and feed those results into their risk analysis or business intelligence tooling.
Tidelift brings proactive indicators of future risk into this process. When running a build in your CI/CD platform, you can also query Tidelift for information about the components in the build. This information can then augment other reports and be imported into the same tooling, whether that’s your DevSecOps prioritization pipeline, your issue tracker, or your internal dashboards.
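The CI/CD pattern described above, and the per-package checks listed in the API section (license, maintenance and deprecation status, security responsiveness, release history, maintainer income), as an added example written for this page rather than code from Tidelift. The page does not show Tidelift's endpoint paths or response schema, so the JSON below is a constructed stand-in for that data and fetch_intelligence() is a hypothetical hook you would replace with a real API client; the policy thresholds and the ALLOWED_LICENSES set are assumptions for illustration.

```python
"""Policy gate over package-intelligence data in a CI job (added example).

The JSON is constructed to mirror the kinds of fields the page lists; it is
not a real Tidelift response. fetch_intelligence() is a hypothetical stand-in
for a call to the vendor API for the packages in the build's manifest.
"""
import json
from dataclasses import dataclass

# Constructed sample data: one healthy package, one deprecated GPL package,
# and one maintained package with weak security responsiveness.
CONSTRUCTED_RESPONSE = """
{
  "packages": [
    {"platform": "pypi", "name": "requests", "version": "2.31.0",
     "license": "Apache-2.0", "maintained": true, "deprecated": false,
     "security_responsive": true, "releases_last_12mo": 4, "maintainers_paid": true},
    {"platform": "pypi", "name": "old-http", "version": "0.9.1",
     "license": "GPL-3.0-only", "maintained": false, "deprecated": true,
     "security_responsive": false, "releases_last_12mo": 0, "maintainers_paid": false},
    {"platform": "pypi", "name": "fastjson-ish", "version": "1.2.0",
     "license": "MIT", "maintained": true, "deprecated": false,
     "security_responsive": false, "releases_last_12mo": 2, "maintainers_paid": false}
  ]
}
"""

# Assumed organizational license allowlist (SPDX identifiers).
ALLOWED_LICENSES = {"MIT", "BSD-2-Clause", "BSD-3-Clause", "Apache-2.0", "ISC"}


@dataclass
class Finding:
    package: str
    severity: str  # "block" fails the build; "warn" is reported only
    reason: str


def fetch_intelligence(manifest):
    """Hypothetical API call: return intelligence for the manifest's packages."""
    data = json.loads(CONSTRUCTED_RESPONSE)
    wanted = {(p["platform"], p["name"]) for p in manifest}
    return [p for p in data["packages"] if (p["platform"], p["name"]) in wanted]


def evaluate(pkg):
    """Apply the policy to one package record and return its findings."""
    findings = []
    ident = f'{pkg["platform"]}/{pkg["name"]}@{pkg["version"]}'
    if pkg["license"] not in ALLOWED_LICENSES:
        findings.append(Finding(ident, "block", f'license {pkg["license"]} not on allowlist'))
    if pkg["deprecated"]:
        findings.append(Finding(ident, "block", "package is deprecated"))
    elif not pkg["maintained"]:
        findings.append(Finding(ident, "block", "no recent maintenance activity"))
    if not pkg["security_responsive"]:
        findings.append(Finding(ident, "warn", "maintainers not responsive to security reports"))
    if pkg["releases_last_12mo"] == 0 and not pkg["deprecated"]:
        findings.append(Finding(ident, "warn", "no releases in the last 12 months"))
    if not pkg["maintainers_paid"]:
        findings.append(Finding(ident, "warn", "maintainers receive no income for this package"))
    return findings


def gate(manifest):
    """Return (blocked, findings) for every package in the build manifest."""
    findings = []
    for pkg in fetch_intelligence(manifest):
        findings.extend(evaluate(pkg))
    blocked = any(f.severity == "block" for f in findings)
    return blocked, findings


def to_report(findings):
    """Machine-readable rows for import into risk or BI tooling."""
    return [{"package": f.package, "severity": f.severity, "reason": f.reason} for f in findings]


if __name__ == "__main__":
    # In a real pipeline the manifest would be parsed from the lockfile or SBOM.
    manifest = [{"platform": "pypi", "name": n} for n in ("requests", "old-http", "fastjson-ish")]
    blocked, findings = gate(manifest)
    print(json.dumps(to_report(findings), indent=2))
    raise SystemExit(1 if blocked else 0)
```

The split between "block" and "warn" is the design point: license and deprecation violations fail the build, while responsiveness and funding signals are surfaced as leading indicators and exported for the reporting tools rather than stopping developers outright. In practice the manifest would come from the lockfile or SBOM produced earlier in the same pipeline.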
Into internal reporting, business intelligence, and compliance analytics tools
Customers have incorporated Tidelift into their business intelligence and risk analysis tools. These tools draw data from diverse sources, including software scanners, public repositories such as the National Vulnerability Database (NVD), and internal business metrics. The resulting insights are commonly utilized by CISOs and C-suite executives to understand the organizational risks associated with the software they consume and build, and by engineering leads as they plan and prioritize upgrades.
Insights from Tidelift such as the security standards a package implements, its license information, and the ability to identify unmaintained or deprecated packages are valuable for organizations assessing not only current but also latent and future risks associated with open source software. Tidelift works with organizations to schedule calls to our APIs so that their business intelligence and risk analysis tools are continuously updated with the latest insights on all of the open source software they are interested in.