Open Source Manager (OSM) User Guide
Complete guide to using Open Source Manager (OSM)
This guide covers everything you need to know to effectively use Open Source Manager for open source security intelligence and package management.
Getting Started
Accessing OSM
- Log in to Safeguard.sh
- Navigate to Open Source Manager from the main menu
- You'll see the OSM dashboard
Dashboard Overview
The OSM dashboard displays:
| Section | Description |
|---|---|
| Search Bar | Search for open source packages |
| Gold Directory | Pre-verified secure packages |
| Recent Searches | Your search history |
| Watchlist | Packages you're monitoring |
| Alerts | New vulnerabilities in watched packages |
Searching Packages
Basic Search
- Enter package name in search bar
- Optionally specify version
- Press Enter or click Search
Search Syntax
```text
# Simple search
lodash
# With version
lodash@4.17.21
# With ecosystem
npm:lodash
pypi:requests
maven:org.apache.commons:commons-lang3
```
Supported Ecosystems
| Ecosystem | Prefix | Example |
|---|---|---|
| npm | npm: | npm:express |
| PyPI | pypi: | pypi:django |
| Maven | maven: | maven:log4j:log4j |
| Go | go: | go:github.com/gin-gonic/gin |
| RubyGems | gem: | gem:rails |
| NuGet | nuget: | nuget:Newtonsoft.Json |
| Cargo | cargo: | cargo:serde |
| Packagist | packagist: | packagist:laravel/framework |
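A small parser for the search syntax above, added here as an illustration and not part of OSM itself. The prefix set is taken from the table; the handling of npm scopes (@scope/name) and of Maven coordinates, whose groupId:artifactId contains a second colon, is my reading of the syntax and is marked as an assumption in the code.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Ecosystem prefixes taken from the Supported Ecosystems table.
ECOSYSTEMS = {"npm", "pypi", "maven", "go", "gem", "nuget", "cargo", "packagist"}


@dataclass(frozen=True)
class PackageQuery:
    ecosystem: Optional[str]  # None when the query carries no prefix
    name: str
    version: Optional[str]    # None when no @version was given


def parse_query(query: str) -> PackageQuery:
    """Parse OSM search syntax: [ecosystem:]name[@version]."""
    q = query.strip()
    if not q:
        raise ValueError("empty query")
    ecosystem = None
    # Only a known prefix counts as an ecosystem: Maven coordinates
    # (groupId:artifactId) also contain ':' and must stay intact. (Assumption.)
    prefix, sep, rest = q.partition(":")
    if sep and prefix.lower() in ECOSYSTEMS:
        ecosystem, q = prefix.lower(), rest
    # The version follows the last '@', but a leading '@' is an npm
    # scope (e.g. @angular/core) and is part of the name. (Assumption.)
    name, version = q, None
    at = q.rfind("@")
    if at > 0:
        name, version = q[:at], q[at + 1:]
        if not version:
            raise ValueError(f"missing version after '@' in {query!r}")
    if not name or re.search(r"\s", name):
        raise ValueError(f"invalid package name in {query!r}")
    return PackageQuery(ecosystem, name, version)


def is_valid_query(query: str) -> bool:
    """True when the query parses; use it to reject input before an API call."""
    try:
        parse_query(query)
        return True
    except ValueError:
        return False
```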
Search Results
Results show:
- Package name and version
- Attestation score (LCAL)
- Vulnerability count
- License
- Maintenance status
- Last updated
Package Details
Overview Tab
| Field | Description |
|---|---|
| Package Name | Official package name |
| Version | Current version |
| Attestation Score | LCAL 0-4 rating |
| Risk Score | Overall risk assessment |
| Vulnerabilities | Known CVE count |
| License | Package license |
| Repository | Source repository link |
Vulnerabilities Tab
View all known vulnerabilities:
- CVE identifier
- Severity (CVSS score)
- EPSS score
- Fix available indicator
- Affected versions
- Remediation guidance
Attestation Tab
Supply chain verification:
- Provenance verification status
- Build attestation
- Signature verification
- SLSA level
- Malicious package scan results
Dependencies Tab
Package dependency tree:
- Direct dependencies
- Transitive dependencies
- Dependency vulnerabilities
- License analysis
Versions Tab
All available versions:
- Version number
- Release date
- Vulnerabilities per version
- Recommended version indicator
Gold Directory
What is Gold Directory?
Gold Directory contains pre-verified packages that meet Safeguard.sh's security standards:
- LCAL 3+ attestation
- No critical/high vulnerabilities
- Active maintenance
- License compliance verified
Using Gold Directory
- Navigate to Gold Directory
- Browse by category or search
- Filter by ecosystem
- Click package for details
Gold Package Benefits
| Benefit | Description |
|---|---|
| Pre-Verified | Security checks already done |
| Monitored | Continuous vulnerability monitoring |
| Recommended | Safe for production use |
| Fast Updates | Quick alerts for issues |
Adding to Project
Use Gold packages in your projects:
```shell
# npm
npm install gold:lodash
# Or use the verified version directly
npm install lodash@4.17.21
```
Watchlist
Adding to Watchlist
Monitor packages for security updates:
- Open package details
- Click + Add to Watchlist
- Configure notification preferences
Watchlist Management
- Go to Watchlist tab
- View all watched packages
- Edit notification settings
- Remove packages as needed
Notification Options
| Option | Description |
|---|---|
| New Vulnerability | Alert on new CVE |
| Critical Only | Only critical vulnerabilities |
| New Version | Alert on new releases |
| Maintenance Status | Status changes |
Risk Assessment
Understanding Risk Scores
Risk scores (0-100) consider:
| Factor | Weight | Description |
|---|---|---|
| Vulnerabilities | 40% | CVE count and severity |
| Maintenance | 20% | Update frequency |
| Community | 15% | Stars, contributors |
| Age | 10% | Package maturity |
| License | 15% | License risk |
Risk Categories
| Score | Category | Meaning |
|---|---|---|
| 0-20 | Low | Generally safe to use |
| 21-50 | Medium | Review before using |
| 51-80 | High | Caution advised |
| 81-100 | Critical | Avoid or replace |
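A worked version of the two tables above, added here as an illustration and not OSM's actual implementation. The weights and score bands are the page's; the assumption is that each factor is first normalised to a 0-100 sub-score where 100 is the worst case, since the page does not describe the sub-scales.

```python
from typing import Dict, Tuple

# Factor weights from the Risk Assessment table (they sum to 100%).
RISK_WEIGHTS = {
    "vulnerabilities": 0.40,  # CVE count and severity
    "maintenance": 0.20,      # update frequency
    "community": 0.15,        # stars, contributors
    "age": 0.10,              # package maturity
    "license": 0.15,          # license risk
}

# Upper bound of each band from the Risk Categories table.
RISK_CATEGORIES = [
    (20, "Low", "Generally safe to use"),
    (50, "Medium", "Review before using"),
    (80, "High", "Caution advised"),
    (100, "Critical", "Avoid or replace"),
]


def risk_score(factors: Dict[str, float]) -> int:
    """Weighted 0-100 risk score.

    Assumption: each factor arrives as a 0-100 sub-score where 100 is the
    worst case; the page gives the weights but not the sub-scales.
    """
    missing = set(RISK_WEIGHTS) - set(factors)
    unknown = set(factors) - set(RISK_WEIGHTS)
    if missing or unknown:
        raise ValueError(f"missing={sorted(missing)} unknown={sorted(unknown)}")
    for name, value in factors.items():
        if not 0 <= value <= 100:
            raise ValueError(f"{name} sub-score {value} is outside 0-100")
    return int(round(sum(RISK_WEIGHTS[k] * factors[k] for k in RISK_WEIGHTS)))


def risk_category(score: int) -> Tuple[str, str]:
    """Map a 0-100 score to (category, meaning) using the table's bands."""
    if not 0 <= score <= 100:
        raise ValueError(f"score {score} is outside 0-100")
    for upper, category, meaning in RISK_CATEGORIES:
        if score <= upper:
            return category, meaning
    raise AssertionError("unreachable: the bands cover 0-100")


def assess(factors: Dict[str, float]) -> Tuple[int, str, str]:
    """Convenience wrapper: score plus its category and meaning."""
    score = risk_score(factors)
    return (score,) + risk_category(score)
```

With these weights the vulnerability factor alone contributes at most 40 points, so under this normalisation a package with serious CVEs but healthy maintenance and community signals can still land in Medium; treat the category as a triage hint and read the Vulnerabilities tab before relying on it.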
License Compliance
License Analysis
OSM analyzes licenses for:
- License type identification
- Compatibility checking
- Obligation requirements
- Commercial use restrictions
License Categories
| Category | Risk Level | Examples |
|---|---|---|
| Permissive | Low | MIT, Apache 2.0, BSD |
| Weak Copyleft | Medium | LGPL, MPL |
| Strong Copyleft | High | GPL, AGPL |
| Proprietary | Review | Commercial licenses |
Checking Compatibility
- Open package details
- Go to License tab
- View license obligations
- Check compatibility with your license
Comparing Packages
Side-by-Side Comparison
Compare alternative packages:
- Search for a package
- Click Compare
- Add packages to compare
- View comparison table
Comparison Metrics
- Security score
- Vulnerability count
- Maintenance health
- Download popularity
- Community size
- License type
API Usage
Search API
```shell
curl -X GET "https://api.safeguard.sh/v1/osm/packages?q=lodash" \
  -H "Authorization: Bearer $API_KEY"
```
Package Details
```shell
curl -X GET "https://api.safeguard.sh/v1/osm/packages/npm/lodash/4.17.21" \
  -H "Authorization: Bearer $API_KEY"
```
Vulnerabilities
```shell
curl -X GET "https://api.safeguard.sh/v1/osm/packages/npm/lodash/vulnerabilities" \
  -H "Authorization: Bearer $API_KEY"
```
Best Practices
Package Selection
- Check attestation score first
- Review vulnerability history
- Verify active maintenance
- Consider alternatives
Monitoring
- Watch critical dependencies
- Set up vulnerability alerts
- Review alerts promptly
- Update regularly
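An added example (mine, not a Safeguard.sh SDK) that ties the monitoring practices above to the three API endpoints documented in the API Usage section: it builds the endpoint URLs with percent-encoded path segments, reads the bearer token from $API_KEY as the curl examples do, and triages a vulnerability list by CVSS, EPSS and fix availability. The JSON field names and the sample response are assumptions, since the page does not document the response schema.

```python
import json
import os
import urllib.parse
import urllib.request
from typing import Any, Dict, List, Optional

API_BASE = "https://api.safeguard.sh/v1/osm"

def search_url(query: str) -> str:
    return f"{API_BASE}/packages?" + urllib.parse.urlencode({"q": query})

def package_url(ecosystem: str, name: str, version: Optional[str] = None) -> str:
    # Percent-encode each segment so names containing '/' or ':' (Go modules,
    # Maven coordinates) cannot split the path or add segments.
    parts = [ecosystem, name] + ([version] if version else [])
    return f"{API_BASE}/packages/" + "/".join(urllib.parse.quote(p, safe="") for p in parts)

def vulnerabilities_url(ecosystem: str, name: str) -> str:
    return package_url(ecosystem, name) + "/vulnerabilities"

def get_json(url: str) -> Any:
    """GET with the bearer token read from $API_KEY, as the curl examples do."""
    key = os.environ.get("API_KEY")
    if not key:
        raise RuntimeError("API_KEY is not set; keep the key out of source and shell history")
    req = urllib.request.Request(
        url, headers={"Authorization": f"Bearer {key}", "Accept": "application/json"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def fixable_high_risk(vulns: List[Dict[str, Any]], min_cvss: float = 7.0,
                      min_epss: float = 0.1) -> List[str]:
    """CVE ids that have a fix and meet either the CVSS or the EPSS threshold.
    Field names (cve, cvss, epss, fix_available) are ASSUMED from the fields
    listed for the Vulnerabilities tab; the page does not give the JSON schema."""
    return sorted(
        v["cve"] for v in vulns
        if v.get("fix_available")
        and (float(v.get("cvss", 0)) >= min_cvss or float(v.get("epss", 0)) >= min_epss))

# Constructed sample, not a real API response; the CVE ids are placeholders.
SAMPLE_VULNS = [
    {"cve": "CVE-0000-0001", "cvss": 9.8, "epss": 0.50, "fix_available": True},
    {"cve": "CVE-0000-0002", "cvss": 5.3, "epss": 0.02, "fix_available": True},
    {"cve": "CVE-0000-0003", "cvss": 7.5, "epss": 0.01, "fix_available": False},
    {"cve": "CVE-0000-0004", "cvss": 4.0, "epss": 0.30, "fix_available": True},
]
```

For a live check, `fixable_high_risk(get_json(vulnerabilities_url("npm", "lodash")))` returns the CVEs worth acting on first; the thresholds are starting points to replace with your own triage policy.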
Compliance
- Define allowed licenses
- Check before adding dependencies
- Document exceptions
- Review periodically