Minder by Stacklok is an open source platform that helps development teams and open source communities build more secure software, and prove to others that what they’ve built is secure. Minder helps project owners proactively manage their security posture by providing a set of checks and policies to minimize risk along the software supply chain, and attest their security practices to downstream consumers.
Minder allows users to enroll repositories and define policy to ensure repositories and artifacts are configured consistently and securely. Policies can be set to alert only or auto-remediate. Minder provides a predefined set of rules and can also be configured to apply custom rules.
Minder can be deployed as a Helm chart and provides a CLI tool minder. Stacklok, the company behind Minder, also
provides a free-to-use hosted version of Minder (for public repositories only). Minder is designed to be extensible,
allowing users to integrate with their existing tooling and processes.
- Repo configuration and security: Simplify configuration and management of security settings and policies across repos.
- Proactive security enforcement: Continuously enforce best practice security configurations by setting granular policies to alert only or auto-remediate.
- Artifact attestation: Continuously verify that packages are signed to ensure they’re tamper-proof, using the open source project Sigstore.
- Dependency management: Manage dependency security posture by helping developers make better choices and enforcing controls. Minder is integrated with Trusty by Stacklok to enable policy-driven dependency management based on the risk level of dependencies.
Your friends at Stacklok have set up a public instance of Minder that you can use for free. The Minder CLI tool
(minder) from our official releases is configured to use this instance by default. Follow Stacklok's Minder Getting Started Guide to quickly try out Minder's features without having to build and deploy OSS Minder.
Note that it's not possible to register private repositories. If you'd like to use Minder with private repositories, feel free to contact us! We'd be thrilled to help you out.
Getting up and running with Minder takes under a minute and is as easy as:
- Installing Minder
- Logging in to Minder
- Running `minder quickstart` to create your first profile.
In just a few seconds, you will register your repositories and enable secret scanning protection for all of them! 🤯
Choose your preferred method to install minder:

Make sure you have Homebrew installed, then run:

```bash
brew install stacklok/tap/minder
```

Make sure you have Winget installed, then run:

```bash
winget install stacklok.minder
```

Alternatively, download the latest release from minder/releases.

You can also build minder and minder-server from source by following the build from source guide.
To use minder with the public instance of Minder (api.stacklok.com), log in by running:

```bash
minder auth login
```

Upon completion, you should see that the Minder Server is set to api.stacklok.com.
The quickstart command guides you through creating your first profile in Minder, registering your repositories, and enabling secret scanning protection for those repositories in seconds.
To do so, run:

```bash
minder quickstart
```

This will prompt you to enroll your provider, select the repositories you'd like, create the secret_scanning rule type and create a profile which enables secret scanning for the selected repositories.
To see the status of your profile, run:

```bash
minder profile status list --profile quickstart-profile --detailed
```

You should see the overall profile status and a detailed view of the rule evaluation statuses for each of your registered repositories.
Minder will continue to keep track of your repositories and, depending on how the profile is configured, will either fix any drift from the desired state using the remediate feature or notify you using the alert feature.
Congratulations! 🎉 You've now successfully created your first profile!
You can now continue to explore Minder's features by adding or removing repositories, creating more profiles with various rules, and much more. There's a lot more to Minder than just secret scanning.
The secret_scanning rule is just one of the many rule types that Minder supports.
You can see the full list of ready-to-use rules and profiles maintained by Minder's team here - stacklok/minder-rules-and-profiles.
In case there's something you don't find there yet, Minder is designed to be extensible. This allows for users to create their own custom rule types and profiles and ensure the specifics of their security posture are attested to.
Now that you have everything set up, you can continue to run minder commands against the public instance of Minder
where you can manage your registered repositories, create profiles, rules and much more, so you can ensure your repositories are
configured consistently and securely.
For more information about minder, see:
- minder CLI commands - Docs.
- minder REST API documentation - Docs.
- minder rules and profiles maintained by Minder's team - GitHub.
- Minder documentation - Docs.
This section describes how to build and run Minder from source.
You will need the following tools available: Go, Docker and Docker Compose.
To build and run minder-server, you will also need ko.
To run the test suite via make test, you will need gotestfmt and helm.
Clone the repository:

```bash
git clone git@github.com:stacklok/minder.git
```

Run the following to build minder and minder-server (binaries will be present at ./bin/):

```bash
make build
```

To use minder with the public instance of Minder (api.stacklok.com), run:

```bash
minder auth login
```

Upon completion, you should see that the Minder Server is set to api.stacklok.com.
If you want to run minder against a local minder-server instance, proceed with the steps below.
Create the initial configuration file for minder:

```bash
cp config/config.yaml.example config.yaml
```

Create the initial configuration file for minder-server:

```bash
cp config/server-config.yaml.example server-config.yaml
```

You will also have to set up an OAuth2 application for minder-server to use. Once that is done, update the server configuration file with the appropriate values. See the documentation on how to do that - Docs.
Start minder-server along with its dependent services (keycloak and postgres) by running:

```bash
make run-docker
```

minder-server uses Keycloak as an IAM. To log in, you'll need to set up a GitHub OAuth2 application and configure Keycloak to use it.
Create an OAuth2 application for GitHub here. Select New OAuth App and fill in the details. The callback URL should be http://localhost:8081/realms/stacklok/broker/github/endpoint.
Create a new client secret for your OAuth2 client.
Using the client_id and client_secret you created above, enable GitHub login on Keycloak by running the following command:

```bash
make KC_GITHUB_CLIENT_ID=<client_id> KC_GITHUB_CLIENT_SECRET=<client_secret> github-login
```

Note that a secret passed on the command line like this ends up in your shell history, so use an OAuth app created only for local development.

Ensure the config.yaml file is present in the current directory so minder can use it.
Run minder against your local instance of Minder (localhost:8090):

```bash
minder auth login
```

Upon completion, you should see that the Minder Server is set to localhost:8090.
By default, the minder CLI will point to the production Stacklok environment if a config file is not present, but creating the config.yaml for running the server will point the CLI at your local development environment. If you explicitly want to use a different instance, you can set the MINDER_CONFIG environment variable to point to a particular configuration. We have configurations for local development, the Stacklok production environment, and Stacklok staging environment (updated frequently) checked in to the config directory.
You can find more detailed information about the development process in the Developer Guide.
- REST API documentation - Link.
- Proto API documentation - Link.
- Protobuf - Link.
- OpenAPI/swagger spec (JSON) - Link.
We welcome contributions to Minder. Please see our Contributing guide for more information.
The Minder project follows the best practices for software supply chain security and transparency.
All released assets:
- Have a generated and verifiable SLSA Build Level 3 provenance. For more information, see the SLSA website.
- Have been signed and verified during release using the Sigstore project. This means any tampering with an asset after release can be detected, and the signature can be verified by anyone.
- Have an SBOM archive generated and published along with the release. This allows users to understand the dependencies of the project and their security posture.
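As an added example (this script is not part of the Minder project or this README), the following shell script shows what a consumer of those release assets would actually run to benefit from them: a cheap offline digest check first, then SLSA provenance verification with slsa-verifier, then keyless Sigstore verification with cosign. It assumes, beyond what the page states, that the release publishes a checksums file, a provenance file and a Sigstore bundle alongside each asset (the file names and the `--certificate-identity-regexp` value are placeholders to be taken from the real release page), and that slsa-verifier and cosign are installed.

```bash
#!/usr/bin/env bash
# Added example, not code from the Minder project. Verifies a downloaded
# Minder release asset before it is trusted. Assumptions not stated on the
# page: a checksums file of "<sha256hex>  <filename>" lines, a SLSA
# provenance file and a Sigstore bundle are published with the release, and
# slsa-verifier and cosign are on PATH. File names here are placeholders.
set -eu

# SHA-256 of a file, portable across GNU coreutils and macOS.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'
  else
    shasum -a 256 "$1" | awk '{print $1}'
  fi
}

# Return 0 if FILE hashes to EXPECTED (hex, case-insensitive), 1 otherwise.
check_sha256() {
  file="$1"; expected="$2"
  actual="$(sha256_of "$file")"
  [ "$(printf '%s' "$actual" | tr 'A-F' 'a-f')" = \
    "$(printf '%s' "$expected" | tr 'A-F' 'a-f')" ]
}

# Look FILE up by basename in a checksums file and verify its digest.
# Returns 1 when the file is not listed (an unlisted asset is not trusted)
# or when the digest differs.
check_against_checksums_file() {
  file="$1"; checksums="$2"
  name="$(basename "$file")"
  listed="$(awk -v n="$name" '$2 == n {print $1; exit}' "$checksums")"
  if [ -z "$listed" ]; then
    echo "no checksum listed for $name" >&2
    return 1
  fi
  check_sha256 "$file" "$listed"
}

# Full chain for one asset: offline digest check, then SLSA provenance,
# then the Sigstore signature. Any failing step aborts (set -e).
verify_release_asset() {
  asset="$1"; checksums="$2"; provenance="$3"; bundle="$4"; tag="$5"

  check_against_checksums_file "$asset" "$checksums"

  # Binds the asset digest to a build of this exact source repository and
  # tag, so a binary built elsewhere is rejected even if it carries a
  # valid-looking signature.
  slsa-verifier verify-artifact "$asset" \
    --provenance-path "$provenance" \
    --source-uri github.com/stacklok/minder \
    --source-tag "$tag"

  # Keyless Sigstore verification. Pinning the OIDC issuer and the signing
  # identity is what makes this meaningful; accepting any Fulcio certificate
  # would let anyone's signature pass. The regexp is an assumed placeholder.
  cosign verify-blob "$asset" \
    --bundle "$bundle" \
    --certificate-oidc-issuer https://token.actions.githubusercontent.com \
    --certificate-identity-regexp '^https://github.com/stacklok/minder/'
}

# Usage: verify-minder.sh <asset> <checksums.txt> <provenance> <bundle> <tag>
if [ "$#" -eq 5 ]; then
  verify_release_asset "$@"
  echo "OK: $1 verified"
fi
```

The digest check only catches a corrupted or swapped download; it is the provenance and signature steps that tie the binary to a build of the stacklok/minder source by the project's own release workflow, so do not stop after the checksum succeeds.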
Minder is licensed under the Apache 2.0 License.