Capabilities

This article covers the major capabilities available with your Tidelift Subscription, and some of the tradeoffs that might inform which of them you choose to use.

Questions to consider

  • Do you already have an open source assessment tool or process?
    • If so, you might lean toward Pulling data into other tools, to bring Tidelift data into an existing process, and Upstream investment and risk mitigation, which is largely independent of any software process.
  • Do you already have a tool which generates software bills of materials (SBOMs)?
    • If so, you may wish to use Pulling data into other tools to intersect Tidelift's data with those existing SBOMs, or upload those existing SBOMs into SBOM tracking to generate metrics and reports.
  • Do you have a dedicated team or individual reviewing open source package adoption?
    • If you already conduct, or wish to conduct, open source package review, Tidelift's custom policy features and workflows could be more efficient than spreadsheets, email, and JIRA.

Pulling data into other tools

You can integrate Tidelift's data insights into a custom internal review system, security tool, business intelligence dashboard, or even a spreadsheet, as part of your overall open source risk mitigation strategy.

Advantages

  • No new tool for teams to look at
  • No need to worry about user accounts and permissions
  • No need to store SBOMs in the cloud
  • Total flexibility and no vendor stack lock-in

Tradeoffs

  • Requires up-front clarity on goals and how data will be used
  • Up-front integration cost
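As an added illustration of what "pulling data into other tools" can look like in practice, the script below intersects a CycloneDX-style SBOM with a list of package risk records and applies a simple severity policy to decide whether a build should pass, warn, or block. This is example code written for this article, not Tidelift's own code or API: the SBOM is a constructed sample in the public CycloneDX JSON layout, and the risk records use a hypothetical field layout (`purl`, `issue`, `severity`) standing in for whatever schema your data source actually returns.

```python
"""Intersect an SBOM with external package risk data and apply a build policy.

Added example, not Tidelift's code. The SBOM follows the public CycloneDX JSON
layout; the risk-record field names below are hypothetical placeholders.
"""
import json

# Constructed sample: a minimal CycloneDX-style SBOM, as a CI step might emit it.
SAMPLE_SBOM = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.20",
         "purl": "pkg:npm/lodash@4.17.20"},
        # purl with a qualifier, to show that matching ignores qualifiers
        {"type": "library", "name": "requests", "version": "2.31.0",
         "purl": "pkg:pypi/requests@2.31.0?repository_url=https://pypi.org/simple"},
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        {"type": "library", "name": "express", "version": "4.18.2",
         "purl": "pkg:npm/express@4.18.2"},
    ],
}

# Constructed sample: stand-in for risk records pulled from an external data
# source. Field names are hypothetical; substitute your provider's real schema.
SAMPLE_RISK_RECORDS = [
    {"purl": "pkg:npm/lodash@4.17.20", "issue": "known vulnerability", "severity": "high"},
    {"purl": "pkg:npm/left-pad@1.3.0", "issue": "unmaintained", "severity": "medium"},
    {"purl": "pkg:pypi/requests@2.31.0", "issue": "license needs review", "severity": "low"},
    # not in the SBOM, so it must not appear in the findings
    {"purl": "pkg:npm/not-in-sbom@1.0.0", "issue": "known vulnerability", "severity": "critical"},
]

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


def normalize_purl(purl):
    """Strip qualifiers (?...) and subpath (#...) so records match on type/name@version.

    Lower-casing is a simplification for this example; npm and PyPI names are
    case-insensitive, but some purl types are not.
    """
    return purl.split("?", 1)[0].split("#", 1)[0].lower()


def sbom_purls(sbom):
    """Return the normalized purls of every component that carries one."""
    return {normalize_purl(c["purl"]) for c in sbom.get("components", []) if "purl" in c}


def intersect(sbom, risk_records):
    """Keep only the risk records whose package is actually present in the SBOM."""
    present = sbom_purls(sbom)
    return [r for r in risk_records if normalize_purl(r["purl"]) in present]


def build_decision(findings, block_at="high"):
    """Policy: 'block' if any finding reaches block_at, 'warn' if lesser ones exist, else 'pass'."""
    if not findings:
        return "pass"
    worst = max(SEVERITY_RANK[f["severity"]] for f in findings)
    return "block" if worst >= SEVERITY_RANK[block_at] else "warn"


def evaluate(sbom_json, risk_records, block_at="high"):
    """Parse an SBOM JSON string, join it with risk records, and return (decision, findings)."""
    sbom = json.loads(sbom_json)
    findings = intersect(sbom, risk_records)
    return build_decision(findings, block_at), findings


def evaluate_sample(block_at="high"):
    """Run the constructed sample end to end (used for the stand-alone run and the checks)."""
    return evaluate(json.dumps(SAMPLE_SBOM), SAMPLE_RISK_RECORDS, block_at)


if __name__ == "__main__":
    decision, findings = evaluate_sample()
    for f in findings:
        print(f"{f['severity']:8} {f['purl']}: {f['issue']}")
    print("build decision:", decision)
```

The `block_at` threshold is the knob that decides which findings count as show stoppers; lowering it to `medium` would also block on the unmaintained package, while raising it to `critical` turns the same findings into a warning. Run it as a step after your existing SBOM generation and exit non-zero on `block` if you want the pipeline to fail.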

SBOM Tracking

You can opt to store software bills of materials (SBOMs) in Tidelift's SaaS system, for example on each CI build.

Advantages

  • Keep a browsable history of your project dependencies
  • Tidelift tracks key metrics about dependencies over time
  • Tidelift analyzes violations and bad packages in each SBOM without the need to maintain your own code to check SBOMs against available data

Tradeoffs

  • Extra CI step or other script to extract and record dependencies
  • Stores dependencies in a cloud SaaS system

Custom policy

Note: custom policy is built on SBOM Tracking. All tradeoffs from SBOM tracking also apply.

You can adopt the custom catalog feature to configure open source standards exactly for your organization.

Advantages

  • Allows you to focus on only certain problems and ignore others.
  • Makes it realistic to block builds, because you can customize which problems you consider "show stoppers."

Tradeoffs

  • You are limited to our out-of-the-box set of policies and policy configurations.
  • Unifying data from other dependency analysis tools within Tidelift is not supported today. (You could accomplish this by sending our dependency data out to your other tooling.)
  • Most organizations can make a lot of useful progress without going violation-by-violation and rule-by-rule.
  • There’s a substantial amount of work involved if you choose to review each individual problem, manage lists of overrides to general rules, and block builds. We recommend knowing who will do this work.

Upstream investment and risk mitigation

You can keep your at-risk dependencies maintained and avoid future end-of-life scenarios by shoring up projects at risk of abandonment. Abandoned open source projects are extremely common!

Advantages

  • No extra work. Tidelift can use any package data you consistently query, the SBOMs you upload, or even a list directly from you to guide which open source projects to support. This happens behind the scenes on your behalf. We ensure that your entire dependency graph has income available, and we recruit maintainers to partner with us and reliably improve your software.
  • You will see actual results from this investment. We will show you through a report, and in the product experience, the impact your financial investment has on the quality of your software.

Tradeoffs

  • You need to communicate which packages you care about most (via SBOM tracking, API usage, or account management conversations) so that Tidelift can review them.
