Open source dependencies can number in the millions and enter your company through dependency managers, forked open source projects, static references to internet resources, downloaded files, copy/pasted source code snippets from open source projects, or stack overflow among other creative ways.
We're consuming petabytes of data, inspecting every line of code, every file of every release of every open source project in existence. From this vast pool of data, we derive actionable risk and quality metrics that will prove immensely valuable from day zero.
We have a solution.
Threatrix supply chain risk algorithm leverages more than 15 individual metrics and 10 dimensional metrics to calculate the risk associated with every open source asset in your supply chain.
Component risk data is aggregated and rolled up to your project and entity dashboards allowing users at every level to easily quantify risks at varying levels of granularity and quickly spot high-risk components.
Component and project risk scores may be used in combination with policies to alert users, create Jira© tickets, or gate high-risk builds that may infect other projects or open back doors in your production ecosystem.
The basic requirements for great software is a thoughtful design, very few bugs, known bugs are quickly fixed, and stable builds.
Threatrix goes far beyond the basics, digging into more than 20 dimensions of quality to help your team determine the longevity of your open source supply chain components.
Some of the data we offer is:
Poorly maintained projects
Time to remediation
Automating the detection of open source vulnerabilities, licenses, and supply chain risk and quality is a snap. We seamlessly integrate into tons of build tools and can quickly deliver risk remediation suggestions