Creating a catalog

Creating a catalog is the first step to bringing known-good open source package releases into your organization and reducing time spent by your organization on issue management. In this article, we will describe how to add package releases and define the standards of a catalog.

Adding package releases to your catalog can be done in two different ways:

  1. Choosing to use one or more Tidelift-managed catalogs
  2. Importing package releases from existing repositories

Using Tidelift-managed catalogs

One of the key benefits of setting up your organization’s catalog with Tidelift is being able to subscribe to updates from any number of Tidelift-managed catalogs.

From the catalog overview page, you can browse the available Tidelift-managed catalogs. These catalogs typically include a set of related package releases that are frequently used for a specific purpose, such as developing with a web framework (e.g. Angular, Spring, Vue), or for a job function (e.g. Python data science). You can also see the standards that we uphold on these catalogs (e.g. being free of security vulnerabilities). An expert team at Tidelift, alongside the upstream maintainers, is responsible for keeping these catalogs up-to-date and ensuring they meet their defined standards.

You should choose to use the catalogs that provide the most overlap with the work that your organization does. When you choose to use a Tidelift-managed catalog you will:

  1. Subscribe to updates – Whenever we approve or deny releases in a Tidelift-managed catalog, we will create a task for you to make the same changes to your own catalog (assuming the affected packages are in your catalog). The task will contain information on why the change is suggested.
  2. Import all releases (optional) – You can choose to import all releases from a Tidelift-managed catalog into your own. We will add all package releases into your catalog. This can make for a robust initial catalog and provide your developers with many options.

Importing additional package releases from existing repositories

When deciding which package releases you want to approve, you may choose to start with what is already in use by one or more projects at your organization. We recommend this in addition to subscribing to updates on a Tidelift-managed catalog.

You can import package releases into your catalog from existing repositories or from an artifact manager.

If you are not currently tracking any repositories with Tidelift, you will want to start tracking a repository and scan its package files.

Importing package releases from the catalog overview page

From the catalog overview page, choose import releases, select Tidelift repositories, and then select the appropriate repository. We will automatically add all of the releases from that repository's latest scan into your catalog and set their status to approved.

Importing package releases from scan results

You can also import the package releases from a specific scan. Navigate to the repositories tab, select your repository, and choose the bill of materials page; this lists all open source package releases found in that scan. Click the import into catalog button at the top of the page, and all package releases from that scan will be added to your catalog.

If a manager imports package releases from the bill of materials page, all releases will be automatically added to the catalog. If a developer attempts that import, those releases will be requested for manager approval.

Importing package releases from JFrog Artifactory

If you do not currently have JFrog Artifactory configured for your account, reach out to support@tidelift.com to proceed.

When creating your organization’s catalog, you can also import a list of all open source package releases currently in use at your organization from Artifactory repositories:

  1. From the catalog overview, select import releases and then select JFrog Artifactory.
  2. Select the JFrog repositories to import from. All package releases from the selected repositories will be added to your catalog.

With a JFrog Artifactory integration set up, you can also sync back package availability directly to JFrog.
