About catalogs

The Tidelift Subscription allows you to set up a catalog for your organization.

The catalog represents all of the open source packages and package versions approved and denied for use in your organization’s production environment.

A catalog is made up of the packages that are approved-for-use at your organization, improving organizational alignment and developer experience when using open source. Catalogs also include packages that are denied-for-use at your organization, creating an auditable log of the denial reason(s) and date.

Catalog benefits

• Version guidance so that you can ensure that only pre-approved packages are being used in production environments.
• Centralized issue resolution workflows to streamline and automate updating the catalog. (e.g. when there are new security vulnerabilities, licensing issues, or requests from your team to start using new packages).
• Standardized open source release management, to reduce the complexity of managing your open source supply chain.

Catalog features

• Package releases can be imported or requested to be added to your catalog
• Standards determine what can and cannot be approved in your catalog. Standards include reviewing security vulnerabilities, enforcing license compliance, and not using deprecated packages.
• Tasks help your catalog administrator keep things in compliance with standards
• Overrides offer flexibility for a package to be approved that may not fit all of your standards
• Activity feed helps you audit changes to your catalog over time

Ways to use the catalog

• Align your projects so that they only use approved open source packages from the catalog.
• Provide developers with tools in their command line so they can align package releases in their repository with what’s approved in the catalog.
• Integrate catalog alignment with your CI/CD pipeline.

Note on user roles

There are two different user roles that can be assigned to users in the Tidelift web app: administrator and member.

An administrator has the ability to create and manage a catalog. They are responsible for approving new package requests, reviewing tasks, and managing the catalog. Administrators can save themselves a lot of time because Tidelift provides verified license information and security vulnerability recommendations. They can further simplify their work by setting up license standards for their organization.

A member is an individual who will be using the approved package releases within your organization’s catalog. They will be able to request new package releases, and will be guided to using the approved releases within your catalog. If you are a developer, see a developer's guide to catalogs.