How to monitor open source packages with Tidelift's web UI and CLI

Whether you're an engineering manager or a security professional, one of your goals is to constantly reduce risk in your organization. In this article, we'll show how you can use Tidelift's web UI and CLI to find risk from bad packages in your organization and then build a plan to address it.

When monitoring applications in Tidelift, there are two big topics to address: knowing what's inside your applications and identifying what you want to monitor.

Know what's in your applications

For Tidelift to monitor your applications, it needs to know which packages they use. Our tools learn this from SBOMs (software bills of materials) or manifest files. For a full list of supported file types, see our supported ecosystems.

Tidelift CLI

The vast majority of our customers send SBOMs to Tidelift through the CLI in the CI/CD pipeline. When you add the alignment save command to your CI/CD process, Tidelift locates the manifest file, uploads it to the correct project, and then generates the SBOM for that build.

Alignments can also be run manually in the terminal by any developer using the same command.

Tidelift UI

The Tidelift UI also supports uploading manifest files and SBOMs, but this is a much less common use case. Clicking "Upload new" on a given project walks you through uploading a manifest file or SBOM and begins the alignment process. If you have any questions about this process, please reach out to our support team.

Identify what to monitor

The standards capability within the Tidelift UI can be used to monitor specific package criteria such as license types, version age, package maintenance status and more. Violations of these criteria are an early indicator of a risky package and should be monitored continuously. Several standards are enabled by default for new organizations, but you can customize which ones are enabled to match your organization's risk profile.

Monitoring

Once you have enabled standards and have sent manifest files to Tidelift, you'll receive a full list of the package releases in your applications that violate your selected standards. In the Tidelift UI, this list is obtained from the Catalog standards violations report. This and all other reports can be found on the Reports tab of the Catalog.
