Stacklok Insight is a service that helps developers and security teams assess open source package and dependency risk. Stacklok Insight uses security signals such as proof of origin (or provenance), known vulnerabilities, and activity to provide an assessment of a package's health and trustworthiness. Stacklok Insight is accessible via an interactive web interface and a REST API.
While CVEs remain an important input to dependency security decisions, a dependency's viability also depends on other key factors derived from the attributes and activity of the community that produces the technology. Stacklok Insight highlights package risks with these factors taken into account, helping developers who consume an open source package make an informed decision.
Stacklok Insight supports multiple open source package ecosystems:
- Go – golang.org
- JavaScript/TypeScript – npm
- Python – PyPI
- Rust – crates.io
- Java – Maven Central