Company attributes
Stacklok is a developer of an open-source platform intended to help developers understand and mitigate risks in daily tasks, software tool choices, and code dependencies. The company offers a free-to-use service that assists developers in making safer dependency choices. The open-source platform helps software developers and maintainers secure their software.
The company was founded in 2023 by Craig McLuckie and Luke Hinds and is headquartered in Seattle, Washington. Prior to founding the company, McLuckie was one of the creators of Kubernetes at Google, and Hinds founded the open-source project Sigstore. Stacklok was founded in part in the light of Executive Order 14028, "Improving the Nation's Cybersecurity: NIST's Responsibilities Under the May 2021 Executive Order," which will require developers and open-source communities to be held to stricter standards in regard to their source code and the security of the software supply chain.
Stacklok's Trusty solution is made for developers to help them understand whether an open-source package is authentic, non-malicious, and actively maintained. The Trusty tool is free to use and accessible as a web app and as a Visual Studio Code extension. Features of Trusty include activity scoring, which works to establish a benchmark for average levels of package activity; package provenance, which displays a verifiable chain of trust back to the source code; package recommendations, to help developers evaluate other packages to help find safer options; and IDE support, to give developers alerts about packages with low scores to help them choose safer packages at the outset and avoid rework and security risks.
Stacklok's Minder solution is an open-source platform developed to help development teams and open-source communities build secure software and to prove to others that the software has been built securely. Features of the Minder tool include repo configuration and security, which works to help simplify configuration and management of security policies and settings across project repos; proactive security enforcement, which continuously enforces security best practices, like secret scanning, branch protections, and artifact signing; artifact attestation, to help users ensure artifacts are tamper-proof through policy setting and verification; and dependency and license management, to help users manage their dependency security posture and supported licenses. Minder and Trusty can integrate with each other to enable policy-driven management on dependency risk levels.
