Intelligence from millions of packages in thousands of repositories identifies contributors and maintainers who add risk, enabling better decision making among software developers and third-party risk teams.
NetRise, the software supply chain security company that exists to eliminate blind trust in software, announced the launch of NetRise Provenance, a new product that identifies risk associated with contributors to the open source components inside enterprise software and connected devices, and how far the risk associated with bad actors reaches across portfolios. Provenance adds a layer of trust and intelligence to the NetRise Platform, a deeper look into the Software Bill of Materials (SBOM).
For organizations that buy and operate software, NetRise Provenance adds a level of visibility into risk in the software supply chain that previously was opaque to procurement and third-party risk teams. Those teams now can see a variety of project health signals, including advisory relationships and how compromises propagate through dependency graphs, defining a blast radius from a malicious contributor.
For organizations that build and ship software, NetRise Provenance enables developers and product security teams to set policies to govern selection of open-source projects, automatically failing a build when dependencies cross a risk line.
Read More: SalesTechStar Interview with Travis Rehl, CTO and Head of Product at Innovative Solutions
“Virtually every major software supply chain story in recent years has been a trust problem as much as a vulnerability problem,” said Thomas Pace, co-founder and CEO of NetRise. “Bad actors gain the confidence of a community, become maintainers, misrepresent who is behind a project, and then push malicious code into widely-used packages. Enterprises then scramble to discover their exposure: When a compromised maintainer or project lives inside the software that runs critical operations across their business. NetRise Provenance replaces that guesswork with a clear view of the extent to which that contributor’s code reaches.”
NetRise Provenance is delivered as part of the NetRise Platform and through a developer friendly API, a command line interface (CLI), or github action. Key capabilities include:
- Unified with NetRise’s binary system of intelligence
Overlay trust and provenance data on top of NetRise’s binary verified software asset inventory so buyers can connect who is behind a component with where it actually runs, how exploitable it is, and which products and devices need to be prioritized. - Maintainer and organization attribution
Map open source components to real maintainers and organizations, including country or local level footprint, so teams can apply internal policy, regulatory requirements, and ensure OFAC compliance requirements are met. - Policy engine
Feed SBOMs or container images into NetRise Provenance to enrich each package with advisories, contributor risk signals, and repository metadata. Apply simple policies that define what is unacceptable. Pass or fail exit codes let CI systems stop builds automatically when a dependency violates those rules, while reporting templates inform third-party risk and compliance teams. - Blast radius and dependency analysis
Use dependency and reverse dependency views to see where a maintainer, project, or repository appears across products, services, and vendors, so teams can scope incidents, sanctions, and policy changes in minutes and communicate to executives and regulators real impact. - Trust and hygiene indicators
Combine repository metadata, project policies, update cadence, advisory history, and other security practice indicators into an “at a glance” view that highlights projects with unusual behavior, making it easier to separate risky from healthy dependencies.
Read More: Why Pipeline-Driven Sales Will Dominate and Become the New Era of Sales Efficiencies
“Software supply chain compromises are beginning to follow a disturbing pattern,” said Michael Scott, co-founder and CTO of NetRise. “A bad actor gains trust in one project, and their code silently spreads across thousands of dependency chains. The hard problem isn’t finding the compromise – it’s answering ‘where else does this person’s code end up and ultimately run in my environment?’ in minutes instead of weeks. We built Provenance to make that query instant. Starting from an SBOM, filesystem, or container image, we map every package back to its maintainers, their organizations, their locations, and their advisory history, including for binaries – then let teams set policy against it. The XZ Utils compromise was caught by accident. Provenance makes it where you no longer rely on luck.”
“Software supply chains increasingly depend on open source, which raises the importance of understanding not only what is in an application, but also who maintains it and how maintainer risk is concentrated across projects,” said Katie Norton, Research Manager, DevSecOps and Software Supply Chain Security at IDC. “Contributor, organization, and geographic context layered onto dependency and SBOM data helps security and risk teams make clearer deployment decisions, respond faster to emerging threats, and target remediation toward the most exposed dependencies.”
“NetRise started by revealing all components inside compiled software,” added Pace. “With Provenance, we are now giving builders and buyers a unified view of who is inside that software and how trust is concentrated in specific contributors and projects. This additional visibility allows teams to make proactive decisions that enhance the risk posture for product security teams, and increase resilience for third-party risk teams. This launch marks another milestone in NetRise’s journey to a software trust platform that connects code, people, and policy in one place.”
NetRise Provenance is available as part of the NetRise Platform for enterprises, software and device makers, consultancies, and public sector organizations, and via API and CLI for developers who want to bring software trust decisions closer to where code is assembled.