In today’s world, organizations spend countless hours handling software security and compliance issues. Much of this burden falls onto development teams as organizations adopt a “shift-left” approach, whether or not the developers like it.
With the increasing awareness of software security and supply chain threats, we believe organizations are overdue for a more mature and modern “prevention-centric” approach.
WhiteSource’s vision is to enable organizations to take “shifting left” to the next level by providing a prevention-centric solution. Put simply, our worldview is to “prevent the preventable and automatically remediate the rest”. We strive towards this vision while requiring minimum developer effort and providing maximum transparency for administrators.
Best of breed data and coverage / Keeping ahead of any risk
The open source world is changing and evolving all the time: vulnerabilities are being detected and published, new code is being written for existing open source libraries, and new versions are being released. At the same time, new languages are being written and becoming popular, new package managers are being added, and you start adopting them.
Continuous risk discovery: You can be sure you are well covered against all known open source legal risks and security threats.
Continuous investment in platform support: Whichever platform you are working with - whether different package managers, containers, configuration managers or orchestrators, we know how to scan and analyze your code.
Continuous source file matching: You always have access to improved, more precise algorithms to identify your source libraries.
Continuous data enhancements: You have all the relevant information regarding your open source components, such as which dependency you’re using and what the most relevant fix is for each of its risks (“transitive awareness”), or whether your package has an embedded/nested license which might have legal implications, and more.
Ease of Use
Customizable user experience: You can create the dashboards and workflows that are most relevant to your WS users and workflows - In Progress
Continuous integration with developer tools and cross-platform CLI tools: Your developers have access to easy and intuitive code scanning within their native environments, saving them valuable time and reducing friction - In Progress
Tag & Filter: You can easily navigate within the product and find what you’re looking for with our new planned tagging capabilities - In Progress
Easy and intuitive scanning tools: You can get immediate results with minimal settings - In Progress
Power of Automation
API-first product: You can work with a modern REST API to leverage the power of automation and easily perform any action available via the UI, and more - In Progress
Webhooks: Your application is automatically notified when interesting events occur in WS - Planned
Flexible Data Model
Versioning and Archiving: You can efficiently and frequently scan the same code base while maintaining a pleasant and predictable user experience - Planned
Generic integrations: You can manage the risk mitigation effort while leveraging the capabilities of common issue tracker systems, such as Jira - In Progress
We strive for clear, helpful, updated, complete, well-written, well-organized, and well-presented documentation, delivered in a timely manner, where users can find what they want within a few mouse clicks - In Progress
Closing the Loop: Integrations
Broad integrations, out of the box: You can easily integrate WhiteSource with your existing workflow. Monitor or fail builds and track progress across your software lifecycle: CI/CD, build servers and repositories - In Progress
Two-way integration, closing the feedback loop: Your teams can continue being agile and independent, without compromising security and compliance - In Progress
Developer Tools & Early Detection
Reduced noise via flexible configuration: Your developers can keep their usual workflow while focusing on solving the most pressing issues first, and see only those issues they have introduced into the codebase - In Progress
Detection and advice before committing or merging: Your developers can catch and prevent security issues as early as possible in the SDLC - In Progress
Scanning and detection of suspicious open source package updates in real time - Planned
Automated systems to flag packages as potentially malicious, to be escalated for expert review - Planned
Package manager plugins with centralized policy controls to block installs for either (a) potentially malicious packages, or (b) confirmed malicious packages, configurable per-environment - Planned