Setting up your open source policy

Note: If you are using Tidelift's catalog features, please see Setting standards for your catalog.

A managed open source subscription gives you the benefits of commercial software without giving up flexibility. Tidelift's tools let you define and customize an open source policy, which is applied when scans run and results are reported. Policies are configured at the repository level, so you can enforce different policies for different repositories.

Some examples of how you may customize your open source policy:

  • Generate warning and fail messages for newly-introduced security vulnerabilities so you can block a build from entering production
  • Introduce lists of allowed and disallowed licenses to ensure direct and transitive dependencies comply with your organization's legal requirements
  • Generate warnings when a package has been deprecated or when using a version on an inactive release stream

Viewing and Customizing Policies

  1. You can view the default repository policy by selecting Repositories > {your repository} > Policy.
  2. You can customize the policy for each repository by creating a .tidelift.yml file in your repository's root directory and editing it accordingly.
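To make concrete what the policy examples above (license allow/deny lists, warn-or-fail on newly introduced vulnerabilities, deprecation warnings) mean when a scan runs against a dependency tree, here is an added, self-contained Python illustration. It is not Tidelift's code and does not use the .tidelift.yml schema; the policy dictionary, package records and package names are constructed for this example.

```python
"""Illustrative open source policy evaluation over a dependency tree.

Added example, not part of the Tidelift documentation. The POLICY structure
and the Package records are hypothetical and do NOT follow the .tidelift.yml
format; they only show how repository-level rules turn scan data into
warn/fail findings that can gate a build.
"""
from dataclasses import dataclass, field


@dataclass
class Package:
    name: str
    version: str
    license: str
    direct: bool                                   # direct vs. transitive dependency
    deprecated: bool = False
    vulnerabilities: list = field(default_factory=list)  # severities, e.g. ["high"]
    newly_introduced: bool = False                 # not present in the baseline scan


# Hypothetical policy (constructed; not a Tidelift configuration key set)
POLICY = {
    "licenses": {
        "allowed": {"MIT", "Apache-2.0", "BSD-3-Clause"},
        "disallowed": {"GPL-3.0-only"},
    },
    "vulnerabilities": {
        "fail_on_new_severity": {"high", "critical"},  # block newly introduced ones
        "warn_on_severity": {"medium"},                # pre-existing or lower: warn only
    },
    "deprecated": "warn",
}


def evaluate(packages, policy):
    """Apply the policy to every direct and transitive package.

    Returns (findings, outcome): findings is a list of (level, message) with
    level in {"warn", "fail"}; outcome is "pass", "warn" or "fail".
    """
    findings = []
    lic = policy["licenses"]
    vuln = policy["vulnerabilities"]
    for pkg in packages:
        ident = f"{pkg.name}@{pkg.version} ({'direct' if pkg.direct else 'transitive'})"
        # License rules apply to transitive dependencies as well as direct ones.
        if pkg.license in lic["disallowed"]:
            findings.append(("fail", f"{ident}: disallowed license {pkg.license}"))
        elif pkg.license not in lic["allowed"]:
            findings.append(("warn", f"{ident}: license {pkg.license} is not on the allow list"))
        # Vulnerability rules: newly introduced high/critical issues fail the build,
        # everything else the policy names produces a warning.
        for sev in pkg.vulnerabilities:
            if pkg.newly_introduced and sev in vuln["fail_on_new_severity"]:
                findings.append(("fail", f"{ident}: newly introduced {sev} vulnerability"))
            elif sev in vuln["fail_on_new_severity"] or sev in vuln["warn_on_severity"]:
                findings.append(("warn", f"{ident}: known {sev} vulnerability"))
        if pkg.deprecated and policy["deprecated"] == "warn":
            findings.append(("warn", f"{ident}: package is deprecated"))
    levels = {level for level, _ in findings}
    outcome = "fail" if "fail" in levels else ("warn" if "warn" in levels else "pass")
    return findings, outcome


def scan_fixture():
    """Constructed scan result; package names are made up for this example."""
    return [
        Package("example-http", "2.0.0", "Apache-2.0", direct=True),
        Package("example-copyleft-util", "1.4.2", "GPL-3.0-only", direct=False),
        Package("example-old-parser", "0.9.0", "MIT", direct=True,
                deprecated=True, vulnerabilities=["medium"]),
        Package("example-new-dep", "3.1.0", "LGPL-2.1-only", direct=True,
                vulnerabilities=["high"], newly_introduced=True),
    ]


def run_example():
    return evaluate(scan_fixture(), POLICY)


if __name__ == "__main__":
    findings, outcome = run_example()
    for level, msg in findings:
        print(f"[{level.upper()}] {msg}")
    print("outcome:", outcome)
```

The outcome is "fail" here because a transitive dependency carries a disallowed license and a newly added direct dependency introduces a high-severity vulnerability; the deprecated package and the pre-existing medium-severity issue only warn, which is the distinction that lets a policy block new risk without failing every existing build at once.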
