About catalogs

The Tidelift Subscription allows you to set up a catalog for your organization. The catalog represents all of the open source packages and package versions approved and denied for use in your organization’s production environment.

A catalog is made up of the packages that are approved-for-use at your organization, improving organizational alignment and developer experience when using open source. Catalogs also include packages that are denied-for-use at your organization, creating an auditable log of the denial reason and date.

Benefits of creating a catalog with Tidelift

• Version guidance so that you can ensure that only pre-approved packages are being used in production environments.
• Centralized issue resolution workflows to streamline and automate updating the catalog. (e.g. when there are new security vulnerabilities, licensing issues, or requests from your team to start using new packages).
• Standardized open source release management, to reduce the complexity of managing your open source supply chain.

Features that support package release management

• Package releases that can be imported or requested to be added to your catalog
• Standards can help determine what can and cannot be approved in your catalog, such as:
  • Security vulnerabilities
  • Enforcing license compliance
  • Not using deprecated packages
• Catalog tasks can help your catalog administrator keep items in compliance with standards
• An activity feed that helps you audit all changes to your catalog

Using your catalog

• Align your projects so that they only use approved open source packages from the catalog
• Provide developers with tools in their command line so they can align package releases in their repository with what’s approved in the catalog
• Integrate catalog alignment with your CI/CD pipeline so that only approved open source gets used in production

Note on user roles

There are two different user roles that can be assigned to users in the Tidelift web app: administrator and member.

An administrator has the ability to create and manage a catalog. They are responsible for approving new package requests, reviewing tasks, and managing the catalog. Administrators can save themselves a lot of time by using Tidelift as Tidelift already provides security vulnerability recommendations and licensing data. This delegates the management of thousands of the most common packages to Tidelift. They can further simplify their work by setting up license standards for their organization.

A member is an individual who will be using the approved package releases within your organization’s catalog. They will be able to request new package releases, and will be guided to using the approved releases within your catalog. If you are a developer, see a developer's guide to catalogs.