How to reduce open source risk with Tidelift's web UI and CLI

Know what's in your applications

In order for Tidelift to identify risk in your applications, Tidelift needs to know which open source components are being used in your applications. Our tools achieve this through SBOMs (software bills of materials) or manifest files. For a full list of supported file types, see our supported ecosystems.

Tidelift CLI

The vast majority of our customers send SBOMs to Tidelift through the CLI in the CI/CD pipeline. By adding the alignment save command to your CI/CD process, Tidelift can locate the manifest file, upload it to the correct project, and generate the SBOM for that build.

Alignments can also be run manually in the terminal by any developer using the same command.

Tidelift UI

The Tidelift UI does support uploading manifest files and SBOMs, but it is a much less common use case. If you have any questions about this process, please reach out to our support team. By clicking "Upload new" on a given project, the application will walk you through uploading a manifest file or SBOM and will then begin the alignment process.

Identify what to monitor

The standards capability within the Tidelift UI can be used to monitor specific package criteria such as license types, version age, package maintenance status and more. These criteria are an early indicator of a risky package and should be constantly monitored. Several standards are enabled by default for new organizations, but you can customize which ones are enabled to match your organization's risk profile.

Risk Reduction

In order to begin reducing the risk currently present in your applications, you'll start with a report that lists all releases in use that violate your chosen standards: the All projects violations report. This report contains all standards violations along with recommendations about the upgrades necessary to remove the risk associated with these violations. This report can be downloaded or accessed via API as well. You can then filter or split the report results to send the right violations to the right teams to prioritize and work through.
