Quickstart guide

Getting started with the Tidelift Subscription in under 15 minutes

The Tidelift Subscription helps your organization accelerate development by creating catalogs of approved open-source packages that your developers can draw from safely. Instead of waiting until late in the build process, developers receive immediate feedback on whether or not a package will be acceptable, and can easily request review for packages.

In this guide, you will learn how to obtain a bill of materials for a project and start creating your organization's first open source catalog.

It will take approximately 15 minutes to complete and requires no installation or integration.

  1. Create an account – We offer a 14-day free trial to all prospective customers.
  2. All new accounts have an empty catalog available to use. A catalog is a collection of approved packages that meet your organization’s standards. You can create multiple catalogs if you need to enforce different standards for different teams or projects.
  3. Add packages to catalog – Start filling out your catalog by importing the packages you’re already using by selecting "Projects". You can use a sample project to explore the Tidelift Subscription or use your own project.
    1. Create a new project by naming the project. We recommend using the same name as the project or repository. We have provided sample projects if you are not ready to upload your own files. Tidelift does not have access to your code.
    2. Upload package files (What are package files?) to generate an initial list of package releases. This is only done at setup, to create a software bill of materials of what your organization is currently using and start filling your catalog with approved releases. Later, we'll help you set up your CI so that you can continuously keep the bill of materials up to date and block builds that do not use approved packages. We also explore how developers can request new packages during the developer workflow in the developer getting started guide.

    3. Once the project and the bill of materials have been created, the packages will automatically import into the catalog. You can see all the packages in your catalog under Catalogs -> Packages. Want to keep packages with security vulnerabilities or unapproved licenses out of your catalog? We’ll cover this in the next section: Set standards.
  4. Set standards – When you import an existing project, you may find you have packages you weren’t aware your company was using. These packages could have security vulnerabilities or undesirable licenses. To improve the quality of your catalog over time, you can configure the catalog’s standards. Standards generate tasks for catalog administrators to address. You can go with Tidelift’s defaults, which alert you about security vulnerabilities and require manual review for all package requests, or customize them to fit your organization’s standards.

      A Tidelift subscription currently helps you maintain three standards for every package:
      • Security. Tidelift reviews reported security vulnerabilities to determine which ones are real. Tidelift will alert you when packages have a security vulnerability and provide a severity level and a recommendation when one is available. By default, Tidelift will alert you when there are known security vulnerabilities in packages in your catalog and tell you which projects are affected. Someone else at the organization reviews this? Invite them to configure this.
      • Licenses. Tidelift will alert you when packages use a type of license that has not been approved by your legal department. Tidelift will work with your legal team to evaluate new licenses and whether or not developers can use them. By default, Tidelift will not alert you when you are using a package with an unapproved license, but we can provide guidance on which licenses you are able to use. Someone else at the organization reviews this? Invite them to configure this.
      • Maintenance. Tidelift reviews packages to ascertain whether the package is still actively maintained. Tidelift will alert you when packages appear to be deprecated. By default, Tidelift will not generate tasks to remove or upgrade packages that are deprecated. If you would like to receive tasks to remove or upgrade deprecated packages, turn on the maintenance standard.

      To start, Tidelift also requires all requests to be manually reviewed by a catalog administrator, but you can change the setting to only review packages that violate the standards of the catalog.
  5. You can view or update the project's bill of materials at any time from Projects in the left-hand navigation.
  6. Now that you have started creating your catalog of approved packages and acting on packages with standards violations, invite your team to use the Tidelift Subscription from Settings > Users. Developers can help you continue building out your catalog and make sure their projects align with your catalog.
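As an added example (this is not Tidelift's code or API), the following Python script shows the check the steps above describe end to end: it parses a constructed, pinned requirements.txt into a bill of materials, compares every release against a constructed catalog of approved releases, and applies the three standards with the defaults described above (security on, license and maintenance off, every release not yet in the catalog needing administrator review). All package names, licenses, vulnerability identifiers and catalog contents are constructed placeholders.

```python
"""Illustrative bill-of-materials check against a catalog of approved releases.

Added example, not Tidelift code. Package names, versions, licenses and the
vulnerability identifier below are constructed placeholders.
"""

# Constructed package file: a pinned requirements.txt as it might be uploaded.
SAMPLE_REQUIREMENTS = """\
# constructed sample package file
requests==2.31.0
left-pad==0.9.1   # hypothetical package
oldlib==1.0.0     # hypothetical package
"""

# Constructed catalog: package name -> set of approved release versions.
CATALOG = {
    "requests": {"2.31.0", "2.32.0"},
    "left-pad": {"1.0.0"},
}

# Constructed metadata standing in for the three standards' inputs.
PACKAGE_INFO = {
    "requests": {"license": "Apache-2.0", "vulnerabilities": [], "deprecated": False},
    "left-pad": {"license": "WTFPL", "vulnerabilities": [], "deprecated": False},
    "oldlib": {"license": "MIT", "vulnerabilities": ["HYPOTHETICAL-0001"], "deprecated": True},
}

# Constructed list of licenses the (hypothetical) legal team has approved.
APPROVED_LICENSES = {"MIT", "Apache-2.0", "BSD-3-Clause"}

# Defaults as described in the guide: security alerts on, the rest off.
DEFAULT_STANDARDS = {"security": True, "license": False, "maintenance": False}


def parse_requirements(text):
    """Return a bill of materials as (name, version) pairs from pinned lines.

    Comments and blank lines are ignored. A BOM needs exact releases, so any
    line that is not pinned with '==' is rejected rather than guessed at.
    """
    bom = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "==" not in line:
            raise ValueError(f"unpinned requirement cannot go in a BOM: {line}")
        name, version = (part.strip() for part in line.split("==", 1))
        bom.append((name.lower(), version))
    return bom


def evaluate_bom(bom, catalog=CATALOG, package_info=PACKAGE_INFO,
                 approved_licenses=APPROVED_LICENSES,
                 standards=DEFAULT_STANDARDS, review_all=True):
    """Produce the tasks a catalog administrator would see for this BOM.

    Each task is (name, version, reason). With review_all=True every release
    missing from the catalog gets a review task; with review_all=False only
    releases that also violate a standard do.
    """
    tasks = []
    for name, version in bom:
        meta = package_info.get(name, {})
        violations = []
        if standards.get("security") and meta.get("vulnerabilities"):
            violations.append("security: " + ", ".join(meta["vulnerabilities"]))
        if standards.get("license") and meta.get("license") not in approved_licenses:
            violations.append(f"license: {meta.get('license', 'unknown')} not approved")
        if standards.get("maintenance") and meta.get("deprecated"):
            violations.append("maintenance: package appears deprecated")
        approved = version in catalog.get(name, set())
        if not approved and (review_all or violations):
            violations.insert(0, "release not in catalog: needs administrator review")
        tasks.extend((name, version, reason) for reason in violations)
    return tasks


def build_is_aligned(tasks):
    """A CI gate would block the build while any task remains open."""
    return not tasks


if __name__ == "__main__":
    bom = parse_requirements(SAMPLE_REQUIREMENTS)
    for task in evaluate_bom(bom):
        print("%s==%s: %s" % task)
    print("build aligned:", build_is_aligned(evaluate_bom(bom)))
```

With the defaults, only the security standard and the not-in-catalog rule fire; turning all three standards on and restricting review to violating packages changes which releases generate tasks, which is the trade-off the "review all requests" setting controls.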

    If you are a developer familiar with using the command line interface, explore our Command Line Tool documentation.