Automated application analysis

Tidelift analyzes applications and checks their direct and transitive open source dependencies for problems. When a dependency is flagged for not meeting the standards (or "policies") you've configured, that is called a "standards violation".

To analyze your applications against your standards, you must first create projects. "Projects" are what Tidelift calls an individual application or repository in your organization.

You can automate this by generating an API key, configuring it in your build pipeline stages, and calling the Tidelift CLI to run an alignment. It is called an "alignment" because it checks the project's dependencies to see how closely they align with your standards.

This lets the pipeline catch issues introduced by a change, such as:

  • A newly discovered vulnerability
  • An addition of an end-of-life or deprecated package
  • A violation of your licensing standard

      💡 Are you looking for vulnerability, package health, or licensing data?
      We don't need to analyze or store your dependency information to provide this data!
      Please use our direct API access instead.

Automate access

Generate API key

To begin, create a single org-wide API key for CI integration from Organization settings > API keys. This key lets you create projects, and project alignments that check for dependency policy violations, at scale. Because the key is org-wide, store it in your CI system's secret store and pass it to the build as an environment variable; do not commit it to a repository or pipeline definition.

Add to your CI/CD pipelines

From here, you can add calls to Tidelift to any build pipeline stage, from early feature PRs to production builds.

CI/CD automation reference examples:

Tidelift will then continuously monitor each added package and release to detect policy violations.
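The following CI step script is an added example and is not Tidelift's own template. It assumes the Tidelift CLI is installed on PATH as `tidelift`, that it reads the API key and project name from the `TIDELIFT_API_KEY` and `TIDELIFT_PROJECT` environment variables, and that `tidelift alignment save --wait` runs an alignment and exits non-zero on a standards violation; verify all three against the CLI's own help output and Tidelift's CLI documentation for your version. The script refuses to run unless the key arrives from the CI secret store, scans the checkout for a key committed as a literal value, and propagates the CLI's exit code so the pipeline fails on a violation.

```shell
#!/bin/sh
# Added example (not Tidelift's own template): a CI step that runs a
# Tidelift alignment with the org-wide API key supplied as a CI secret.
# Assumptions (verify against `tidelift --help`): the CLI is on PATH as
# `tidelift`, it reads TIDELIFT_API_KEY and TIDELIFT_PROJECT from the
# environment, and `tidelift alignment save --wait` exits non-zero when
# the project violates a standard.
set -eu

# Returns 0 when the API key is present in the environment (injected by the
# CI secret store), 1 when it is missing, so the job fails before any
# dependency data is sent.
require_api_key() {
  if [ -z "${TIDELIFT_API_KEY:-}" ]; then
    echo "TIDELIFT_API_KEY is not set; configure it as a CI secret" >&2
    return 1
  fi
}

# Scans a checkout for the org-wide key written as a literal value, i.e. a
# line assigning TIDELIFT_API_KEY (with = or :) a token of 8+ alphanumerics.
# Secret references such as ${{ secrets.TIDELIFT_API_KEY }} or
# "$TIDELIFT_API_KEY" do not match because the value must start with a
# letter, digit, underscore or dash. Returns 1 if a literal key is found.
refuse_committed_key() {
  dir="$1"
  if grep -rEn "TIDELIFT_API_KEY[[:space:]]*[:=][[:space:]]*[\"']?[A-Za-z0-9_-]{8,}" "$dir"; then
    echo "a literal Tidelift API key is committed under $dir; revoke it and use a CI secret" >&2
    return 1
  fi
}

# Prints the Tidelift project name: TIDELIFT_PROJECT if exported by the
# pipeline, otherwise the basename of the checkout directory (a convention
# assumed here; adjust to match how projects are named in your org).
project_name() {
  dir="$1"
  if [ -n "${TIDELIFT_PROJECT:-}" ]; then
    printf '%s\n' "$TIDELIFT_PROJECT"
  else
    basename "$(cd "$dir" && pwd -P)"
  fi
}

# Runs the alignment for the checkout in $1 (default: current directory)
# and returns the CLI's exit code so a standards violation fails the build.
run_alignment() {
  dir="${1:-.}"
  require_api_key
  refuse_committed_key "$dir"
  TIDELIFT_PROJECT="$(project_name "$dir")"
  export TIDELIFT_PROJECT
  command -v tidelift >/dev/null || { echo "tidelift CLI not installed" >&2; return 1; }
  (cd "$dir" && tidelift alignment save --wait)
}

# Entry point: `sh tidelift-ci.sh path/to/checkout` runs the alignment;
# sourcing the file with no arguments only loads the functions.
[ "$#" -eq 0 ] || run_alignment "$1"
```

Add the key to the CI secret store under the name `TIDELIFT_API_KEY` and reference it from the pipeline definition; the `refuse_committed_key` check exists precisely so that a pasted-in literal key fails the build rather than shipping in the repository.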
