Lineaje has added artificial intelligence (AI) agents that leverage multiple types of code scanners to ensure the open-source software packages and artifacts being used by application developers are truly secure.
Company CEO Javed Hasan said the Gold Open Source Packages and Gold Open Source Images are curated by AI agents trained to automate tasks based on data collected by a software composition analysis (SCA) platform, dubbed SCA360.
SCA360 also provides access to a Deep Dependency and Reachability Scanner that identifies mandatory and optional dependency chains and their inherent risks. That scanner is coupled with a static code analysis engine that detects reachable vulnerabilities and the functions linked to them, surfacing insights into transitive dependencies. Finally, a malware scanner detects embedded malicious and tampered packages and highlights those of dubious origin.
Using those scanners, the Gold Open Source Images service provides software engineering teams with a catalog of over 2,000 vulnerability-free images. The Gold Open Source Packages service similarly ensures that more than three million open source packages are free of known vulnerabilities by tracking more than 100 attributes for each package and its transitive dependencies. In total, Lineaje is now using AI to track more than 408 billion open-source security data points, including vulnerabilities, licenses, geo-provenance, maintainability, code quality and contributors.
Lineaje AI agents can compare versions of packages and images to generate a compatibility analysis, which the agents then use to continuously scan source code repositories, detect security issues, find updates for direct dependencies in the source code and remediate them, said Hasan. In effect, open source software can now become self-healing, he added.
Additionally, those AI agents will highlight any known issues with existing application environments, said Hasan.
Finally, application developers can also generate custom Gold Images on demand by specifying an existing public container image. Lineaje AI will then automatically create a compatible, hardened Gold Image that is added to all Gold Open Source Image subscriptions.
Lineaje will also continue to provide its existing manual services for application development teams, such as providing security updates to older generations of open source packages and images that DevOps teams, for one reason or another, can’t update without breaking an application.
While a lot of progress has been made in adopting DevSecOps best practices, there is still plenty of room for improvement, given the number of vulnerabilities and other issues being discovered either in production environments or just before an application is supposed to be deployed. One way to close that gap is, of course, to ensure that the software artifacts developers rely on to build those applications are, from a cybersecurity perspective, as pristine as possible.
In the meantime, DevSecOps teams would be well advised to encourage developers, whenever possible, not to rely on images and packages that have not been certified in some way. It’s not that any developer sets out to build an insecure application; rather, there is a laissez-faire tendency to grab the first image or package at hand that looks like it might fit the purpose.