With the GA release of CoPilot, an idea developed by a couple of Black Duck developers who are open source contributors comes to fruition. Read how their idea developed. Black Duck CoPilot GA version 1.0 is available after months of feedback in Beta. We also recently completed the product workflow by adding pull request capability. CoPilot is Black Duck’s quick, lightweight, publicly facing free application that allows owners of open source projects on GitHub to monitor the security risk of their open source components.
CoPilot uses Black Duck Hub Detect behind the scenes to integrate with a user’s build system to surface the dependencies of a project. It displays the generated component bill of materials in its user interface, along with security risk information.
It also provides a badge with embed code that links back to the full results, for users to post on their GitHub project. The Black Duck badge shows consumers of an open source project that its producer is a responsible producer of open source, completing regular scans and remediating security vulnerabilities.
New Features in CoPilot
The new features added with this general availability release complete the solution by providing insight into security vulnerabilities before changes are merged back into the main branch. CoPilot builds can now analyze pull requests from GitHub! Before you approve a pull request, CoPilot informs you which components will be added or removed, and how that affects your security risk level. Here is an example of what the pull request information looks like:
Beta Builds Better
Based on beta user feedback we made the security scoring more granular and improved branch tracking. CoPilot now provides a detailed score to describe the risk of the OSS project, using a scale of 1 to 10, where 10 is the most secure. Your results include an explanation of how you lost points and how to improve your score.
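The two capabilities described above, pull request analysis (which components a change adds, removes or upgrades, and how that moves the risk level) and the granular 1 to 10 score with an explanation of lost points, are illustrated below in a small added Python model. This is example code written for this article, not Black Duck CoPilot's or Hub Detect's own implementation; the manifest format (pip-style `name==version` lines), the vulnerability table, the placeholder advisory identifiers and the penalty-per-severity scoring rule are all constructed assumptions, and CoPilot's real scoring formula is not described on this page.

```python
"""Added illustration of a pull-request component diff and a 1-10 risk score.

Hypothetical model of the workflow described in the article; not Black Duck
CoPilot's code, and the scoring rule is an assumption, not CoPilot's formula.
"""

# Constructed vulnerability data: (component, version) -> [(advisory id, severity)].
# The advisory identifiers are placeholders, not real advisories.
VULN_DB = {
    ("example-lib", "1.0.0"): [("VULN-PLACEHOLDER-1", "HIGH")],
    ("example-parser", "2.3.0"): [("VULN-PLACEHOLDER-2", "CRITICAL"),
                                  ("VULN-PLACEHOLDER-3", "MEDIUM")],
    ("example-http", "4.1.0"): [("VULN-PLACEHOLDER-4", "LOW")],
}

# Assumed penalty per known vulnerability, by severity (hypothetical scale).
PENALTY = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed manifests: the base branch and the same file as changed by a PR.
BASE_MANIFEST = """
example-lib==1.0.0      # has one HIGH finding in VULN_DB
example-http==4.1.0     # has one LOW finding
"""
PR_MANIFEST = """
example-lib==1.1.0      # upgraded: no known findings at this version
example-http==4.1.0
example-parser==2.3.0   # newly added: CRITICAL + MEDIUM findings
"""


def parse_manifest(text):
    """Parse pip-style 'name==version' lines into {name: version}; '#' starts a comment."""
    deps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, version = line.partition("==")
        deps[name.strip()] = version.strip()
    return deps


def diff_components(base, pr):
    """Return (added, removed, changed) between the base and PR component lists."""
    added = {n: v for n, v in pr.items() if n not in base}
    removed = {n: v for n, v in base.items() if n not in pr}
    changed = {n: (base[n], pr[n]) for n in base if n in pr and base[n] != pr[n]}
    return added, removed, changed


def score(deps):
    """Hypothetical score: start at 10 (most secure), subtract a penalty per
    known vulnerability, floor at 1. Also returns one line per point deduction
    so the user can see how points were lost."""
    total = 10
    reasons = []
    for name, version in sorted(deps.items()):
        for advisory, severity in VULN_DB.get((name, version), []):
            total -= PENALTY[severity]
            reasons.append(f"-{PENALTY[severity]} {name}=={version}: {advisory} ({severity})")
    return max(1, total), reasons


def review_pull_request(base_text, pr_text):
    """Summarise what a PR changes in the bill of materials and its effect on the score."""
    base, pr = parse_manifest(base_text), parse_manifest(pr_text)
    added, removed, changed = diff_components(base, pr)
    before, _ = score(base)
    after, reasons = score(pr)
    return {"added": added, "removed": removed, "changed": changed,
            "score_before": before, "score_after": after, "reasons": reasons}


if __name__ == "__main__":
    report = review_pull_request(BASE_MANIFEST, PR_MANIFEST)
    print("added:  ", report["added"])
    print("removed:", report["removed"])
    print("changed:", report["changed"])
    print(f"score: {report['score_before']} -> {report['score_after']}")
    for line in report["reasons"]:
        print("  ", line)
```

On the constructed input the PR upgrades `example-lib` away from a vulnerable version but introduces `example-parser` with two findings, so the score falls from 6 to 3 and the reasons list shows exactly which component and advisory cost each point. That before/after view, computed on the PR's own manifest rather than the main branch, is the check a reviewer wants in front of them before approving the merge.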
This is the new badge format that links to the report:
CoPilot also now automatically deletes results for branches and pull requests that are deleted or closed on GitHub, providing a consistent view between CoPilot and GitHub repositories.
The Black Duck engineering team demonstrated CoPilot version 1.0 at GitHub Universe in October to positive reviews. Give it a try and let us know what you think! https://copilot.blackducksoftware.com/