Tidelift analyzes package manager manifest and lockfiles (usually from a source code repository), as well as software bills of material in CycloneDX and SPDX format.
To collect and explore SBOMs, you must have projects created. “Projects” are what Tidelift calls an individual application or repository in your organization.
You can do this easily by generating API keys, configuring in your build pipeline stages, and calling the Tidelift CLI.
For tracking risk in your organization, Tidelift recommends tracking the versions of software that are deployed in your environment. Generally, this would be the main or production branch of your source control repository.
Create a new project
- Ensure you are authenticated to use Tidelift CLI with your User or Organization API Key.
- Go to the root directory of your local software project / source control repository.
- Run `tidelift projects new` in the root directory of the project. You will need to provide a name for the project.
Upload a manifest to track dependencies
- Ensure you are authenticated to use Tidelift CLI with your Organization or Project API Key.
- Run `tidelift alignment save` in the root directory of the project. This will upload any discovered manifests, analyze the dependencies, and create your bill of materials.
How to track projects at scale across your organization
Using a periodic sync process with Tidelift
If you have access to your source control hosting system, it is straightforward to perform a periodic sync of your repositories with Tidelift.
For example, a scheduled task every day could:
- Install the Tidelift CLI
- Check out the main branch of each repository that is tracked, and:
  - Run `tidelift projects new` to create the project (ignoring any errors if it already exists)
  - Run `tidelift alignment save` in the root directory of the project.
This ensures your bills of material are up-to-date.
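The "Create a new project" and "Upload a manifest" steps above, combined into the daily sync job this section describes, as an added example script. It is not Tidelift's own integration script. It assumes the Tidelift CLI is on `PATH` as `tidelift`, that the Organization API key is supplied by the scheduler through an environment variable named `TIDELIFT_API_KEY` (an assumed name; check your CLI version's documentation), that every tracked repository is already cloned under one directory, and that `tidelift projects new` can be run non-interactively in your setup (how the project name is supplied depends on the CLI version, so no extra arguments are passed here). The `TIDELIFT_BIN` and `GIT_BIN` variables exist only so the control flow can be exercised with stubs offline.

```shell
#!/bin/sh
# Added example (not Tidelift's own script): daily sync of every cloned
# repository under a root directory into Tidelift.
# Assumptions (not from the page): `tidelift` and `git` are on PATH; the
# Organization API key reaches the CLI via TIDELIFT_API_KEY (assumed
# variable name), injected by the scheduler's secret store, never hard-coded.
set -u

TIDELIFT_BIN="${TIDELIFT_BIN:-tidelift}"   # overridable so the logic can be tested with a stub
GIT_BIN="${GIT_BIN:-git}"
BRANCH="${BRANCH:-main}"                   # the deployed branch: main or production

# Bring one clone up to date on the tracked branch.
checkout_branch() {
  repo_dir=$1
  "$GIT_BIN" -C "$repo_dir" fetch --quiet origin "$BRANCH" &&
  "$GIT_BIN" -C "$repo_dir" checkout --quiet "$BRANCH" &&
  "$GIT_BIN" -C "$repo_dir" reset --quiet --hard "origin/$BRANCH"
}

# Register the project (errors ignored, as the page advises, because the
# project usually already exists) and upload the manifests.
# Returns 0 only if `alignment save` succeeds, so a stale BOM is never
# mistaken for a successful sync.
sync_repo() {
  repo_dir=$1
  checkout_branch "$repo_dir" || return 1
  ( cd "$repo_dir" && "$TIDELIFT_BIN" projects new ) >/dev/null 2>&1 || :
  ( cd "$repo_dir" && "$TIDELIFT_BIN" alignment save )
}

# Sync every directory listed on stdin (one per line). Prints a summary
# and returns 1 if any repository failed, so the scheduler reports it.
sync_all() {
  ok=0; failed=0; failed_names=""
  while IFS= read -r repo_dir; do
    [ -n "$repo_dir" ] || continue
    if sync_repo "$repo_dir"; then
      ok=$((ok + 1))
    else
      failed=$((failed + 1)); failed_names="$failed_names $repo_dir"
    fi
  done
  printf 'synced=%d failed=%d%s\n' "$ok" "$failed" "${failed_names:+ (failed:$failed_names)}"
  [ "$failed" -eq 0 ]
}

# Invoked by a daily cron job or systemd timer as: sync.sh /path/to/repo-root
if [ "$#" -gt 0 ]; then
  find "$1" -mindepth 1 -maxdepth 1 -type d | sync_all
fi
```

Keep the API key out of the script and out of the repository list: let the scheduler export it for the job's lifetime only, and alert on a non-zero exit so a repository whose bill of materials silently stops updating is noticed.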
Using Tidelift within Continuous Integration (CI)
By integrating the Tidelift CLI inside your continuous integration (CI) environment, you can automatically create new bills of materials every time your software is built.
Tidelift provides sample integration scripts for many common CI environments. To learn more about how to use Tidelift within your CI environment, see Using Tidelift with CI.
Tidelift is available to help
Tidelift support is available to ensure that you are successful at scale. Contact Tidelift support for more detailed information on how to integrate at scale in your environment, get sample integration scripts, and more.