Start Left Policies

You can use your automation policies to evaluate new packages in Open Source Select. If you are looking for a new package in Select, you can check whether or not it will trigger an automation rule using Start Left Policies.

Evaluate license issues using Start Left Policies (Example):

1. Create an automation rule to evaluate the licenses family, e.g. “If there is a dependency which is licensed under a strong copyleft license then fail pipeline”

2. Go to Open Source Select and search for a desired package

3. After searching for the `node-forge` package, you can see that the pipeline would fail if this package is included, as it is licensed under `GLP-2.0-only` which belongs to the "strong copyleft" licenses family.

Evaluate security risk packages using Start Left Policies (Example):

1. Create an automation rule to evaluate the check the CVSS, e.g. “If a dependency contains a vulnerability which has not been marked as unaffected where CVSS is at least medium (4.0-6.9)”

2. Go to Open Source Select and search for a desired package

3. After searching for the `angularjs` package, you can see that our pipeline would trigger a warning if we included this package, due to CVE-2017-16009

Choosing open source components with Debricked's Open Source Select & Start Left - video guide