How do I use Start Left Policies?

  • 17 January 2023

Keep in mind that the Start Left feature is only available for enterprise users. 

You can use your automation policies to evaluate new packages in Open Source Select. If you are considering a new package in Select, Start Left Policies lets you check whether adding it would trigger one of your automation rules before it ever reaches the pipeline.

How do I evaluate license issues using Start Left Policies? An example:

  1. Create an automation rule to evaluate the license family, e.g. “If there is a dependency which is licensed under a strong copyleft license, then fail the pipeline”
  2. Go to Open Source Select and search for a desired package
  3. After searching for the `node-forge` package, you can see that the pipeline would fail if this package were included, as it is licensed under `GPL-2.0-only`, which belongs to the "strong copyleft" license family.

How do I evaluate security risk packages using Start Left Policies? An example:

  1. Create an automation rule that checks the CVSS score, e.g. “If a dependency contains a vulnerability which has not been marked as unaffected and whose CVSS score is at least medium (4.0-6.9), then warn”
  2. Go to Open Source Select and search for a desired package
  3. After searching for the `angularjs` package, you can see that the pipeline would trigger a warning if this package were included, due to CVE-2017-16009.

Choosing open source components with Debricked's Open Source Select & Start Left - video guide
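The two procedures above are instances of the same mechanism: a rule maps a package attribute (license family, CVSS band, triage status) to a pipeline verdict, and Start Left Policies runs that rule against a candidate package before you add it. The script below is an added example, not Debricked's code or API, that models both rules over constructed package records. The license-family table, the `Package` and `Vulnerability` records, and the CVSS score attached to CVE-2017-16009 are assumptions made for illustration (the score is a placeholder, not the NVD value), and "at least medium" is read as a CVSS v3 score of 4.0 or higher.

```python
"""Toy model of the two Start Left rules: strong copyleft -> fail,
un-triaged vulnerability at medium or above -> warn.

Constructed example; not Debricked's code. License-family membership,
sample packages and scores are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumed license-family table: which SPDX identifiers count as
# "strong copyleft" is the policy product's decision, not a standard.
STRONG_COPYLEFT = {
    "GPL-2.0-only", "GPL-2.0-or-later",
    "GPL-3.0-only", "GPL-3.0-or-later",
    "AGPL-3.0-only", "AGPL-3.0-or-later",
}

SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
VERDICT_RANK = {"pass": 0, "warn": 1, "fail": 2}


def cvss_band(score: float) -> str:
    """CVSS v3.x qualitative severity bands as published by FIRST."""
    if score == 0.0:
        return "none"
    if score < 4.0:
        return "low"
    if score < 7.0:
        return "medium"
    if score < 9.0:
        return "high"
    return "critical"


@dataclass(frozen=True)
class Vulnerability:
    cve: str
    cvss: float
    unaffected: bool = False  # set once triage has marked the project unaffected


@dataclass(frozen=True)
class Package:
    name: str
    licenses: tuple[str, ...]
    vulnerabilities: tuple[Vulnerability, ...] = ()


def license_rule(pkg: Package) -> list[tuple[str, str]]:
    """Rule 1: any license in the strong copyleft family fails the pipeline."""
    return [("fail", f"{pkg.name}: {lic} is in the strong copyleft family")
            for lic in pkg.licenses if lic in STRONG_COPYLEFT]


def cvss_rule(pkg: Package, min_band: str = "medium") -> list[tuple[str, str]]:
    """Rule 2: an un-triaged vulnerability at or above min_band warns."""
    findings = []
    for v in pkg.vulnerabilities:
        if v.unaffected:
            continue  # explicitly excluded by the rule text
        band = cvss_band(v.cvss)
        if SEVERITY_RANK[band] >= SEVERITY_RANK[min_band]:
            findings.append(("warn", f"{pkg.name}: {v.cve} CVSS {v.cvss} ({band})"))
    return findings


def evaluate(pkg: Package) -> tuple[str, list[str]]:
    """Apply both rules; the strictest verdict wins and every reason is kept."""
    findings = license_rule(pkg) + cvss_rule(pkg)
    verdict = max((f[0] for f in findings), key=VERDICT_RANK.get, default="pass")
    return verdict, [reason for _, reason in findings]


# Constructed sample records, not real scan output. The 6.1 attached to
# CVE-2017-16009 is a placeholder score chosen to land in the medium band.
SAMPLES = {
    "node-forge": Package("node-forge", ("GPL-2.0-only",)),
    "angularjs": Package("angularjs", ("MIT",),
                         (Vulnerability("CVE-2017-16009", 6.1),)),
    "angularjs-triaged": Package("angularjs", ("MIT",),
                                 (Vulnerability("CVE-2017-16009", 6.1, unaffected=True),)),
    "clean-package": Package("clean-package", ("MIT",)),
}

if __name__ == "__main__":
    for key, pkg in SAMPLES.items():
        verdict, reasons = evaluate(pkg)
        print(f"{key}: {verdict}")
        for reason in reasons:
            print("   ", reason)
```

Two points are worth confirming against the real rule before relying on it: whether "at least medium" means the medium band only (4.0-6.9) or medium and above (the script uses the latter), and that a vulnerability marked unaffected is really excluded, since otherwise the warning fires again on every finding your team has already triaged.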