Policy-based control of software security
Minder enables open source communities, enterprises, and individuals to define and apply policies that continuously secure their software projects
Why Minder
Minder is an OpenSSF sandbox project with a powerful set of capabilities. Organizations use it to:
Consistently configure source code repos
Define and enforce the same policies across collections of repositories.
Find safer open source dependencies.
Minder alerts you when a dependency is out of policy, and guides you to in-policy, safer alternatives.
Build tamper-evident container images
Minder integrates with Sigstore and GitHub Attestations to verify the signature and provenance of artifacts, so an image that was not built and signed by the expected workflow is flagged as out of policy.
How Minder Works
Minder secures the entire software development lifecycle, including open source dependencies, CI/CD pipelines, build artifacts, and more. It integrates with Stacklok Insight, OSV, and other datasets to flag pull requests that introduce risky dependencies, and then guides developers to safer alternatives. Minder was built to be flexible and extensible, so you can define the policies your organization needs and apply them consistently across every repository.
The Minder community maintains a library of example rules and profiles to get you up and running quickly. Examples include:
Learn more about Minder rules and profiles
Repository security
Enables GitHub repo security features like secret scanning and CodeQL.
Dependency security
Alert on risky or malicious dependencies, and ensure Dependabot is enabled.
Branch protection rules
Automate protection rules to maintain standards across all your repositories.
Artifact attestation
Validate that artifacts produced by your workflows are properly signed.
GitHub Actions security
Ensure your GitHub Actions workflows follow recommended security practices.
License validation
Check for the expected software license in your projects.
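The rule categories above are combined into a profile that Minder evaluates against every repository and artifact in a project. The profile below is an added illustration, not a file from the Minder repository or its rules-and-profiles library; the overall layout (version, type, provider context, per-entity lists with `params` and `def`) follows the Minder profile format, but the rule type names and their definition fields (`secret_scanning`, `codeql_enabled`, `dependabot_configured`, `branch_protection_require_pull_request_approving_review_count`, `artifact_signature`, `license`) are assumptions and should be checked against the current rule library before use.

```yaml
# Added example profile: assumed to follow the Minder profile format.
# Rule type names and def fields below are assumptions; verify them
# against the minder-rules-and-profiles library for your Minder version.
version: v1
type: profile
name: baseline-github-profile
context:
  provider: github       # the provider the profile applies to
alert: "on"              # open a security advisory when a rule fails
remediate: "off"         # report only; set to "on" to auto-fix supported rules

repository:
  # Repository security: GitHub secret scanning and CodeQL (assumed rule types)
  - type: secret_scanning
    def:
      enabled: true
  - type: codeql_enabled
    def:
      languages: [go]
      schedule_interval: "30 4 * * 1"   # weekly scan

  # Dependency security: Dependabot must be configured (assumed rule type)
  - type: dependabot_configured
    def:
      package_ecosystem: gomod
      schedule_interval: weekly
      apply_if_file: go.mod

  # Branch protection: require an approving review on main (assumed rule type)
  - type: branch_protection_require_pull_request_approving_review_count
    params:
      branch: main       # params select what is checked
    def:
      required_approving_review_count: 1   # def states the required value

  # License validation: expect an Apache-2.0 LICENSE file (assumed rule type)
  - type: license
    def:
      license_filename: LICENSE
      license_type: Apache-2.0

artifact:
  # Artifact attestation: images tagged main must be signed with Sigstore (assumed rule type)
  - type: artifact_signature
    params:
      tags: [main]
      name: my-service
    def:
      is_signed: true
      is_verified: true
```

Each `type` refers to a rule type that must be registered before the profile is applied; `params` narrow which entity or branch the rule inspects, while `def` holds the expected state. Keeping `remediate` off on a first rollout lets you see which repositories would fail before Minder starts changing settings on your behalf.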