Tidelift analyzes your applications, checking both direct and transitive open source dependencies for problems. When a dependency fails to meet the standards (or "policies") you have configured, that is called a "standards violation".
To analyze your applications against your standards, you must first create projects. "Projects" are what Tidelift calls an individual application or repository in your organization.
You can do this by generating an API key, adding it to your build pipeline stages, and calling the Tidelift CLI to run an alignment. It is called an "alignment" because it checks the project's dependencies to see how closely they align with your standards.
This allows the pipeline to check the codebase for introduced issues, such as:
- A newly discovered vulnerability
- An addition of an end-of-life or deprecated package
- A violation of your licensing standard
💡 Are you looking for vulnerability, package health, or licensing data?
Automate access
Generate API key
To begin, create a single org-wide API key for CI integration from Organization settings > API keys. This key lets you create projects, and project alignments that check for dependency policy violations, at scale.
Add to your CI/CD pipelines
From here, you can add calls to Tidelift to any stage of your build pipeline, from early feature PRs to production builds.
CI/CD automation reference examples:
Tidelift will now continuously monitor each added package and release to detect policy violations.
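The following script illustrates the pipeline stage described above. It is an added example written for this page, not one of Tidelift's own reference examples. It assumes (all labelled in the comments) that the CLI is installed as `tidelift`, that it reads the org-wide key from the `TIDELIFT_API_KEY` environment variable and the project name from `TIDELIFT_PROJECT`, and that `tidelift alignment save --wait` exits non-zero when the alignment reports standards violations; the `TIDELIFT_CLI` override, the helper function names and the `--run` flag are this example's own. The stage refuses to run unless the key has been injected as a CI secret, so a missing or un-masked key fails loudly instead of silently skipping the check.

```shell
#!/bin/sh
# Added example (not a Tidelift reference script): a CI stage that runs an
# alignment against the configured standards and fails the build on violations.
# Assumptions, labelled: the CLI is installed as `tidelift`, it reads the
# org-wide key from TIDELIFT_API_KEY and the project name from TIDELIFT_PROJECT,
# and `tidelift alignment save --wait` exits non-zero when violations are found.
set -u

# Binary to call; overridable so the stage can be exercised with a stub.
TIDELIFT_CLI="${TIDELIFT_CLI:-tidelift}"

# The key must come from a masked CI secret, never from a file in the repo.
check_api_key() {
  if [ -z "${TIDELIFT_API_KEY:-}" ]; then
    echo "TIDELIFT_API_KEY is not set; configure it as a masked CI secret" >&2
    return 1
  fi
  export TIDELIFT_API_KEY   # make sure the CLI child process can see it
  return 0
}

# Project name: explicit TIDELIFT_PROJECT, else the CI-provided repository
# name (GitLab's CI_PROJECT_NAME shown here), else the working directory name.
project_name() {
  printf '%s\n' "${TIDELIFT_PROJECT:-${CI_PROJECT_NAME:-$(basename "$PWD")}}"
}

# Run the alignment. Returns 0 when the project meets the standards and
# 1 when the key is missing or the CLI reports standards violations.
run_alignment() {
  check_api_key || return 1
  proj="$(project_name)"
  if TIDELIFT_PROJECT="$proj" "$TIDELIFT_CLI" alignment save --wait; then
    echo "alignment for '$proj' meets the configured standards"
    return 0
  fi
  echo "alignment for '$proj' reported standards violations; failing the build" >&2
  return 1
}

# Invoke as `sh tidelift-align.sh --run` from the pipeline stage so that the
# stage's exit status is the alignment result and a violation blocks the merge.
case "${1:-}" in
  --run) run_alignment; exit $? ;;
esac
```

Because the CLI path is read from `TIDELIFT_CLI`, the same stage can be dry-run locally with a stub before it is wired into a pipeline that gates merges on its exit status.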