This is the core of TrustSource, which is organising most of the service functionality, especially UI and flow logic. See https://support.trustsource.io for more details.
TrustSource is an open source solution for managing Software Supply Chain Security and Software Compliance like OpenChain compliant processes. It currently is availabe as source code (this repo) for an on-premises setup as self managed installation or as managed service. We plan to also provide a hosted version as an AWS or Azure marketplace offering. Learn more about the different options here. It is also possible to obtain a support contract or request consulting.
Trainings and further materials can be found at the publicly accessible TrustSource Knowledgebase.
To become part of the TrustSource eco-system feel free to reach out to the TrustSource Team at ecosys @ trustsource.io.
For over 10 years meanwhile we are involved with the topics of open source compliance, software security and test automation. Since then the landscape has evolved and we have made many experiences. However, the complexity remains high. To simplfy the entry, we have provided some materials to support your compliance endeavour. We would suggest the following sequence:
- Learn about OS compliance - (a presentation held by Jan to the opensource workgroup of the Bitkom 2018)
- Setup TrustSource (see below)
- Integrate TrustSource with your CI/CD chain
As TrustSource is not just a tool you download and start querying through its CLI, it requires a bit of preparation and planning. TrustSource comprises of several services following partly the functional seggregation defined by the OC-Tooling Working Group Capabilities Map. The following diagram gives an overview of the maximal installation: (deployment_max_img) The core (this) component will provide the UI, user management, roles, logging, basic API, flow-logic, most business logic, black & white lists, all governance and reporting features. It requires a Mongo-DB to start up.
$ docker pull mongo
...
$ docker run --name some-mongo -d mongo:latest
Where some-mongoshall be the name you want your mongo image to operate.
PLEASE NOTE: In our operational environments we make use of AWS services like KMS and Secrets Manager. However, for our developers we have a switch to allow providing local configurations
You may choose to build it from this repository or use an image from docker hub:
$ docker pull ts-core
...
$ docker run --name ts-core -d -e ts-core:latest
You may consider putting all images into a separate network. However, if you plan to provide the services across your organization you will need an endpoint that you will publish. Make sure, the services will be able to reach each other.
Todo: Access port? first user? Link to role management
Now you may login to TrustSource app and start using the core services. But yet there is not much content available. To change this, additional services need to be set up:
See ts-crawlers repository for details.
See ts-vulncrawler repository for details.
See ts-legalcheck repository for more information.
See ts-spdx repository for more details.
Depending on your programming language you will require different toolsets. This article gives an overview how integrations may be achieved and links to the different repositories.
To learn more about the future directions, please see our Roadmap Feel free to use this repository to suggest features, improvements or bugs. Every "issue" is welcome. Please use tags accodingly to help indentify what it is about.
We highly encourage all sorts of communication. We are here to help your compliance efforts taking up. For sure we also need to make our living, thus support contracts are welcome. But we also want to give back to the community that has offered so much to allow our work. If you want to reach out to us, please use one of the following channels:
- our FAQ
- the Knowledgbase
- Issues - please use the correct repository!
- Support subscriptions
- DevChannel 4 contributors (via gitter)
In case you plan to contribute, you are highly welcome! We maintain a taskboard on Jira, which is linked to the issues of the correpsonding repos. Thus it is reltively simple to join work. However, some setup for the different developments might be required. Shortly we will provide a description on how to setup a dev env for each of the different environments. Meanwhile feel free to fork the repo and start working. We will be happy to receive your pull request. The pull request should provide the typical information such as
- What has changed?
- Why?
- How has it been tested?
PLEASE NOTE: Whenever you will be contributing something, you will have to state that you will comply with the contribution agreement. This means you will hand an non-exclusive, irrevocable, unlimited right to use, modify and distribute your contribution to the TrustSource project. For further details, please see the contribution agreement in this repository.