Start Left Policies

Why start over when you can Start Left?

Keep in mind that the Start Left feature is only available for Select Enterprise users.

You can use your automation policies to evaluate new packages in Open Source Select. If you are looking for a new package in Select, you can check whether or not it will trigger an automation rule using Start Left Policies.

Evaluate license issues using Start Left Policies (Example):

  1. Create an automation rule to evaluate the license family, e.g. “If there is a dependency which is licensed under a strong copyleft license then fail pipeline”

  2. Go to Open Source Select and search for a desired package

  3. After searching for the `node-forge` package, you can see that the pipeline would fail if this package is included, as it is licensed under `GPL-2.0-only`, which belongs to the "strong copyleft" license family.

Evaluate security risk packages using Start Left Policies (Example):

  1. Create an automation rule to check the CVSS score, e.g. “If a dependency contains a vulnerability which has not been marked as unaffected where CVSS is at least medium (4.0-6.9)”

  2. Go to Open Source Select and search for a desired package

  3. After searching for the `angularjs` package, you can see that our pipeline would trigger a warning if we included this package, due to CVE-2017-16009
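The two rules above (fail on a strong copyleft license, warn on a non-triaged vulnerability of at least medium CVSS) are simple enough to express as policy code. The following is an added example, not Debricked's own implementation or data: it evaluates constructed package metadata against both rules and returns the verdict the pipeline would produce. The license-family table, the sample packages and the vulnerability identifiers (`EXAMPLE-VULN-*`) are all constructed for illustration; the CVSS bands are the standard CVSS v3.x qualitative scale, of which the page's "medium (4.0-6.9)" is one band.

```python
"""Minimal Start-Left-style policy evaluator (added example, not Debricked code)."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

# Constructed license-family table (assumption; a real tool carries a much fuller list).
STRONG_COPYLEFT = {"GPL-2.0-only", "GPL-2.0-or-later", "GPL-3.0-only",
                   "GPL-3.0-or-later", "AGPL-3.0-only"}
WEAK_COPYLEFT = {"LGPL-2.1-only", "LGPL-3.0-only", "MPL-2.0", "EPL-2.0"}

# Standard CVSS v3.x qualitative severity bands.
SEVERITY_BANDS = [("none", 0.0, 0.0), ("low", 0.1, 3.9), ("medium", 4.0, 6.9),
                  ("high", 7.0, 8.9), ("critical", 9.0, 10.0)]
SEVERITY_ORDER = [name for name, _, _ in SEVERITY_BANDS]


def license_family(spdx_id: str) -> str:
    """Map an SPDX identifier onto the family a license rule reasons about."""
    if spdx_id in STRONG_COPYLEFT:
        return "strong copyleft"
    if spdx_id in WEAK_COPYLEFT:
        return "weak copyleft"
    return "permissive"


def severity(cvss: float) -> str:
    """Translate a numeric CVSS base score into its qualitative band."""
    for name, low, high in SEVERITY_BANDS:
        if low <= cvss <= high:
            return name
    raise ValueError(f"CVSS score out of range: {cvss}")


@dataclass
class Vulnerability:
    identifier: str
    cvss: float
    unaffected: bool = False  # True once triage has marked the finding "unaffected"


@dataclass
class Package:
    name: str
    license: str
    vulnerabilities: List[Vulnerability] = field(default_factory=list)


Finding = Tuple[str, str]  # (action, message); action is "fail" or "warn"


def strong_copyleft_rule(pkg: Package) -> List[Finding]:
    """Rule 1: fail the pipeline if the dependency is under a strong copyleft license."""
    if license_family(pkg.license) == "strong copyleft":
        return [("fail", f"{pkg.name} is licensed under {pkg.license} (strong copyleft)")]
    return []


def cvss_rule(pkg: Package, minimum: str = "medium") -> List[Finding]:
    """Rule 2: warn for every vulnerability not marked unaffected whose CVSS band
    is at least `minimum` (so "at least medium" means a score of 4.0 or higher)."""
    threshold = SEVERITY_ORDER.index(minimum)
    findings = []
    for vuln in pkg.vulnerabilities:
        if vuln.unaffected:
            continue  # triaged away: the rule explicitly excludes these
        band = severity(vuln.cvss)
        if SEVERITY_ORDER.index(band) >= threshold:
            findings.append(("warn", f"{pkg.name}: {vuln.identifier} has CVSS {vuln.cvss} ({band})"))
    return findings


RULES: List[Callable[[Package], List[Finding]]] = [strong_copyleft_rule, cvss_rule]


def evaluate(pkg: Package, rules=RULES) -> Tuple[str, List[Finding]]:
    """Run every rule; the verdict is the most severe action any rule produced."""
    findings = [f for rule in rules for f in rule(pkg)]
    actions = {action for action, _ in findings}
    verdict = "fail" if "fail" in actions else "warn" if "warn" in actions else "pass"
    return verdict, findings


# Constructed sample packages standing in for an Open Source Select lookup.
SAMPLE_PACKAGES: Dict[str, Package] = {
    "copyleft-lib": Package("copyleft-lib", "GPL-2.0-only"),
    "vulnerable-lib": Package("vulnerable-lib", "MIT", [
        Vulnerability("EXAMPLE-VULN-1", 5.4),                   # medium, not triaged -> warn
        Vulnerability("EXAMPLE-VULN-2", 9.8, unaffected=True),  # critical but marked unaffected -> ignored
    ]),
    "clean-lib": Package("clean-lib", "MIT", [Vulnerability("EXAMPLE-VULN-3", 3.1)]),  # low -> pass
}

if __name__ == "__main__":
    for name, pkg in SAMPLE_PACKAGES.items():
        verdict, findings = evaluate(pkg)
        print(f"{name}: {verdict}")
        for _, message in findings:
            print(f"  - {message}")
```

Running the module prints one verdict per sample package: `copyleft-lib` fails on the license rule, `vulnerable-lib` produces a single warning because its critical finding has been triaged as unaffected, and `clean-lib` passes because its only finding is below the medium band.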

Choosing open source components with Debricked's Open Source Select & Start Left - video guide
