Trusty is a free-to-use web app that provides data and scoring on the supply chain risk for open source packages.
Minder Cloud helps open source developers and communities use open source security tools and standards to continuously secure their software projects, and to provide proof of that security to their downstream consumers. It is free to use for public repos.
Minder Cloud makes it easy to apply and continuously enforce security policies and best practices that keep your software delivery lifecycle safe—from your source code repositories and open source dependencies to your CI/CD pipelines and build artifacts.
See how to apply security policies across multiple GitHub repositories, and how Minder Cloud can auto-remediate configuration drift and save developers time by re-enabling repository settings, opening and commenting on pull requests, and requesting changes.
Maintainers and project owners often use spreadsheets to try to manage repo configuration, and manually monitor them to make sure those settings are in place. Minder automates this by enabling you to apply and consistently enforce the same set of policies across a group of project repos.
Minder not only flags dependencies in pull requests that have known CVEs or that pose a supply chain risk, but it also can provide a list of safer alternatives so that you can easily find a different package to use. Minder integrates with Trusty, a free-to-use service by Stacklok, to enforce policy around safe dependency usage.
Minder uses the open source project sigstore to help developers cryptographically sign their software artifacts and produce a verifiable source-of-origin claim, or provenance statement. These statements let consumers check that an artifact is what it claims to be and was not altered after it was built.
GitHub Actions, like open source dependencies, are common vectors for supply chain attacks. Minder helps you implement GitHub-recommended best practices like limiting workflow permissions and pinning actions to commit SHAs (and can even automatically do this for you!).
Because of the data it's trained on, AI-generated code from tools like GitHub Copilot may contain deprecated or unsafe dependencies, or leaked secrets from your files. Use Minder in Copilot-enabled repositories to help ensure that code completion suggestions contain safe, non-malicious dependencies and are always scanned for leaked secrets.
Minder integrates with Trusty to flag PRs with dependencies that have high supply chain risk, based on factors like whether they're malicious, have low repo activity, or lack proof of origin through sigstore.
Create custom policies to apply to your repositories, optionally choosing from a Stacklok-provided set of rules. Write policies as code in YAML or the Rego policy language.
Minder Cloud's managed policy templates help you use open source tools to secure your source code repos, CI/CD pipelines, build artifacts, and dependencies.
Minder Cloud helps developers catch and address security risks as early as possible, and in their native workflows. It can auto-remediate issues by commenting on or opening PRs with a proposed fix.
Based on established security best practices, Minder Cloud can scan your repositories and provide suggestions for ways to make them more secure that you can put in place with just one click.
Minder Cloud proactively monitors your projects and can automatically take action to bring a resource back into compliance. Auto-remediation actions include re-enabling a disabled setting, and opening or commenting on PRs.
Learn more about Minder Cloud and its capabilities.
Minder Cloud is for open source developers and communities who want to better secure their projects and protect them from malicious attacks. It is an alternative for developers and communities who prefer to use and support open source tools to keep their projects safe. Unlike traditional security platforms, Minder Cloud takes a more holistic approach to supply chain security: it focuses on risk factors beyond CVEs across the SDLC that can leave projects open to quality and security issues and hurt downstream adoption.
Minder Cloud is Stacklok’s fully managed version of Minder, an open source security platform. It provides an alternative for open source developers and communities who do not want to run and manage their own Minder server.
Minder Cloud includes the same features as the open source version, as well as a UI and other features for added security and ease of use, like managed policy templates and security insights.
Minder Cloud makes it easy to apply and continuously enforce security policies and best practices that keep your software delivery lifecycle safe—from your source code repos and open source dependencies to your CI/CD pipelines and build artifacts. It can also help you generate attestation statements to prove that your software was built in a secure way.
Because developers rely on open source to build their apps, malicious actors are increasingly using open source as an attack vector. This is leading to more scrutiny and government regulation of open source security. Open source maintainers and contributors are often volunteers, working nights and weekends on their projects. They don’t have extra time or dedicated security teams to continuously monitor the security of their projects and catch issues before they harm consumers and hinder adoption.
Minder Cloud helps open source communities protect their projects, without needing to have deep security expertise or manage yet another platform. To do this, it provides managed policy templates with security best practices that project owners can easily apply across their SDLC to keep their projects safe. Once policies are applied, Minder will continuously monitor projects for issues, and can automatically remediate to fix issues before PRs are merged or artifacts are built.
Stacklok has committed to making Minder Cloud free forever for use on public repositories.
No. Minder Cloud actually makes it easier to adopt and comply with OpenSSF Scorecard standards, many of which are included in our managed policy templates.
Yes. Minder integrates with GitHub's built-in SAST and SCA tools, CodeQL and Dependabot. Additionally, you can use Minder to check pull requests for dependencies with known vulnerabilities from the Open Source Vulnerabilities (OSV) database. Beyond scanning for vulnerabilities, you can also use Minder's Trusty integration to check PRs for dependencies that are known or suspected to be malicious or deprecated, or that don't follow security best practices (for example, they haven't been signed using sigstore). In the future, we plan to integrate with additional SAST and SCA tools.