{"id":22281198,"url":"https://github.com/mindersec/minder","last_synced_at":"2026-01-15T22:18:21.790Z","repository":{"id":205810992,"uuid":"624056558","full_name":"mindersec/minder","owner":"mindersec","description":"Software Supply Chain Security Platform","archived":false,"fork":false,"pushed_at":"2026-01-13T16:40:14.000Z","size":145646,"stargazers_count":369,"open_issues_count":111,"forks_count":53,"subscribers_count":17,"default_branch":"main","last_synced_at":"2026-01-13T18:26:51.329Z","etag":null,"topics":["security","software-supply-chain","software-supply-chain-security","supply-chain"],"latest_commit_sha":null,"homepage":"https://mindersec.dev/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/mindersec.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":"MAINTAINERS.md","copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-04-05T16:47:15.000Z","updated_at":"2026-01-13T16:40:20.000Z","dependencies_parsed_at":"2026-01-05T21:09:20.583Z","dependency_job_id":null,"html_url":"https://github.com/mindersec/minder","commit_stats":null,"previous_names":["stacklok/minder","stacklok/mediator","mindersec/minder"],"tags_count":91,"template":false,"template_full_name":null,"purl":"pkg:github/mindersec/minder","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mindersec%2Fminder","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mindersec%2Fminder/tags","releases_url":"https:
//repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mindersec%2Fminder/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mindersec%2Fminder/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/mindersec","download_url":"https://codeload.github.com/mindersec/minder/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/mindersec%2Fminder/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28472625,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-15T22:13:38.078Z","status":"ssl_error","status_checked_at":"2026-01-15T22:12:11.737Z","response_time":62,"last_error":"SSL_connect returned=1 errno=0 peeraddr=140.82.121.6:443 state=error: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["security","software-supply-chain","software-supply-chain-security","supply-chain"],"created_at":"2024-12-03T16:16:03.067Z","updated_at":"2026-01-15T22:18:21.784Z","avatar_url":"https://github.com/mindersec.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"![minder logo](./docs/docs/images/Minder_darkMode.png)\n\n[![Continuous integration](https://github.com/mindersec/minder/actions/workflows/main.yml/badge.svg)](https://github.com/mindersec/minder/actions/workflows/main.yml) | [![Coverage 
Status](https://coveralls.io/repos/github/mindersec/minder/badge.svg?branch=main)](https://coveralls.io/github/mindersec/minder?branch=main) | [![License: Apache 2.0](https://img.shields.io/badge/License-Apache2.0-brightgreen.svg)](https://opensource.org/licenses/Apache-2.0) | [![SLSA 3](https://slsa.dev/images/gh-badge-level3.svg)](https://slsa.dev) | [![](https://dcbadge.vercel.app/api/server/RkzVuTp3WK?logo=discord\u0026label=Discord\u0026color=5865\u0026style=flat)](https://discord.gg/RkzVuTp3WK)\n---\n\n[Installation](https://mindersec.github.io/getting_started/install_cli) | [Documentation](https://mindersec.github.io/) | [Releases](https://github.com/mindersec/minder/releases)\n---\n\n# What is Minder?\n\nMinder is an open source platform that helps development teams and open source communities build more\nsecure software, and prove to others that what they’ve built is secure. Minder helps project owners proactively manage\ntheir security posture by providing a set of checks and policies to minimize risk along the software supply chain,\nand attest their security practices to downstream consumers.\n\nMinder allows users to enroll repositories and define policy to ensure repositories and artifacts are configured\nconsistently and securely. Policies can be set to alert only or auto-remediate. Minder provides a predefined set of\nrules and can also be configured to apply custom rules.\n\nMinder can be deployed as a Helm chart and provides a CLI tool `minder`. Custcodian also\nprovides a [free-to-use hosted version of Minder](#public-instance). 
Minder is designed to be extensible,\nallowing users to integrate with their existing tooling and processes.\n\n## Features\n\n* **Repo configuration and security:** Simplify configuration and management of security settings and policies across repos.\n* **Proactive security enforcement:** Continuously enforce best practice security configurations by setting granular policies to alert only or auto-remediate.\n* **Artifact attestation:** Continuously verify that packages are signed to ensure they’re tamper-proof, using the open source project Sigstore.\n* **Dependency management:** Manage dependency security posture by helping developers make better choices and enforcing controls. Minder is integrated with [OSV](https://osv.dev/) (and can be integrated with other SCA APIs) to enable policy-driven dependency management based on the risk level of dependencies.\n\n## Public Instance\n\nCustcodian [provides a free-to-use public instance of Minder](https://custcodian.dev/hosted/) at `api.custcodian.dev`. This is the default instance used when you use the `minder` CLI starting with release 0.0.89.  This instance is free to use for public repositories; for private repositories, there may be an additional charge for using this cloud-hosted instance.\n\n---\n# Getting Started (\u003c 1 minute)\n\nGetting up and running with Minder takes under a minute and is as easy as:\n\n1. Installing Minder\n2. Logging in to Minder\n3. and running `minder quickstart` to create your first profile.\n\nIn just a few seconds, you will register your repositories and enable secret scanning protection for all of them! 
🤯\n\n\u003cimg src=\"https://github.com/mindersec/minder/assets/16540482/00646f28-2f48-43f2-bb2b-4a791782d7e3\" width=\"80%\"/\u003e\n\n## Installation\n\nChoose your preferred method to install `minder`:\n\n### MacOS (Homebrew)\n\nMake sure you have [Homebrew](https://brew.sh/) installed.\n\n```bash\nbrew install minder\n```\n\n### Windows (Winget)\n\nMake sure you have [Winget](https://learn.microsoft.com/en-us/windows/package-manager/winget/) installed.\n\n```bash\nwinget install mindersec.minder\n```\n\n### Download a release\n\nDownload the latest release from [minder/releases](https://github.com/mindersec/minder/releases).\n\n### Build it from source\n\nBuild `minder` and `minder-server` from source by following the [build from source guide](#build-from-source).\n\n## Logging in to Minder\n\nTo use `minder` with the [public instance](#public-instance) of Minder (`api.custcodian.dev`), log in by running: \n\n```bash\nminder auth login --grpc-host api.custcodian.dev\n```\n\n(This API host is the default starting with the 0.0.89 release.) 
Upon completion, you should see that the Minder Server is set to `api.custcodian.dev`.\n\n\n## Run Minder quickstart\n\nThe `quickstart` command guides you through creating your first profile in Minder, registering your repositories, and enabling secret scanning protection for your repositories in seconds.\n\nTo do so, run:\n\n```bash\nminder quickstart\n```\n\nThis will prompt you to enroll your provider, select the repositories you'd like, create the `secret_scanning`\nrule type and create a profile which enables secret scanning for the selected repositories.\n\nTo see the status of your profile, run:\n\n```bash\nminder profile status list --profile quickstart-profile --detailed\n```\n\nYou should see the overall profile status and a detailed view of the rule evaluation statuses for each of your registered repositories.\n\nMinder will continue to keep track of your repositories and will fix any drift from the desired state by\nusing the `remediate` feature or alert you, if needed, using the `alert` feature.\n\nCongratulations! 🎉 You've now successfully created your first profile!\n\n## What's next?\n\nYou can now continue to explore Minder's features by adding or removing more repositories, creating more profiles with\nvarious rules, and much more. There's a lot more to Minder than just secret scanning. \n\nThe `secret_scanning` rule is just one of the many rule types that Minder supports. 
\n\nYou can see the full list of ready-to-use rules and profiles\nmaintained by Minder's team here - [mindersec/minder-rules-and-profiles](https://github.com/mindersec/minder-rules-and-profiles).\n\nIn case there's something you don't find there yet, Minder is designed to be extensible.\nThis allows for users to create their own custom rule types and profiles and ensure the specifics of their security\nposture are attested to.\n\nNow that you have everything set up, you can continue to run `minder` commands against the public instance of Minder\nwhere you can manage your registered repositories, create profiles, rules and much more, so you can ensure your repositories are\nconfigured consistently and securely.\n\nFor more information about `minder`, see:\n* `minder` CLI commands - [Docs](https://mindersec.github.io/ref/cli/minder).\n* `minder` REST API Documentation - [Docs](https://mindersec.github.io/ref/api).\n* `minder` rules and profiles maintained by Minder's team - [GitHub](https://github.com/mindersec/minder-rules-and-profiles).\n* Minder documentation - [Docs](https://mindersec.github.io/).\n\n# Roadmap\n\nThe Minder community are actively working on new features and improvements for Minder.\n\nYou can find our roadmap [here](https://mindersec.github.io/about/roadmap).\n\nShould you wish to request or contribute a feature or improvement, please use the following\n[issue template](https://github.com/mindersec/minder/issues/new?template=enhancement.yml)\n\n# Development\n\nThis section describes how to build and run Minder from source.\n\n## Build from source\n\n### Prerequisites\n\nYou'd need the following tools available - [Go](https://golang.org/doc/install), [Docker](https://docs.docker.com/get-docker/) and [Docker Compose](https://docs.docker.com/compose/install/).\n\nTo build and run `minder-server`, you will also need [ko](https://ko.build/install/).\n\nTo run the test suite via `make test`, you will need 
[gotestfmt](https://github.com/GoTestTools/gotestfmt#installing) and [helm](https://github.com/helm/helm/releases).\n\nTo invoke the `run-docker` make target, you will need [yq](https://github.com/mikefarah/yq).\n\n### Clone the repository\n\n```bash\ngit clone git@github.com:mindersec/minder.git\n```\n\n## Build \n\nRun the following to build `minder` and `minder-server` (binaries will be placed in `./bin/`):\n\n```bash\nmake build\n```\n\nTo use `minder` with the public instance of Minder (`api.custcodian.dev`), run:\n\n```bash\nminder auth login --grpc-host api.custcodian.dev\n```\n\nUpon completion, you should see that the Minder Server is set to `api.custcodian.dev`.\n\nIf you want to run `minder` against a local `minder-server` instance, you can use the `--grpc-host=localhost` and `--grpc-port=8090` flags, or use a configuration file following the steps below.\n\n#### Initial configuration\n\nCreate the initial configuration file for `minder`. You can do so by running:\n\n```bash\ncp config/config.yaml.example config.yaml\n```\n\nCreate the initial configuration file for `minder-server`. You can do so by running:\n\n```bash\ncp config/server-config.yaml.example server-config.yaml\n```\n\nYou also have to set up an OAuth2 application for `minder-server` to use.\nOnce completed, update the configuration file with the appropriate values.\nSee the documentation on how to do that - [Docs](https://mindersec.github.io/run_minder_server/config_oauth).\n\n#### Run `minder-server`\n\nStart `minder-server` along with its dependent services (`keycloak` and `postgres`) by running:\n\n```bash\nmake run-docker\n```\n\n#### Configure social login (GitHub)\n\n`minder-server` uses Keycloak as an IAM. To log in, you'll need to set up a GitHub OAuth2 application and configure\nKeycloak to use it.\n\nCreate an OAuth2 application for GitHub [here](https://github.com/settings/developers). Select\n`New OAuth App` and fill in the details. 
The callback URL should be `http://localhost:8081/realms/stacklok/broker/github/endpoint`.\nCreate a new client secret for your OAuth2 client.\n\nUsing the `client_id` and `client_secret` you created above, enable GitHub login on Keycloak by running the following command:\n\n```bash\nmake KC_GITHUB_CLIENT_ID=\u003cclient_id\u003e KC_GITHUB_CLIENT_SECRET=\u003cclient_secret\u003e github-login\n```\n\n#### Run minder\n\nEnsure the `config.yaml` file is present in the current directory so `minder` can use it.\n\nRun `minder` against your local instance of Minder (`localhost:8090`):\n\n```bash\nminder auth login\n```\n\nUpon completion, you should see that the Minder Server is set to `localhost:8090`.\n\nBy default, the `minder` CLI will point to the Custcodian cloud environment if a config file is not present, but [creating the `config.yaml` for running the server](#initial-configuration) will point the CLI at your local development environment.  If you explicitly want to use a different instance, you can set the `MINDER_CONFIG` environment variable to point to a particular configuration.  We have configurations for local development and the Custcodian cloud environment checked in to [the `config` directory](./config/).\n\n### Development guidelines\n\nYou can find more detailed information about the development process in the [Developer Guide](https://mindersec.github.io/developer_guide/get-hacking).\n\n## Minder API\n\n* REST API documentation - [Link](https://mindersec.github.io/ref/api).\n\n* Proto API documentation - [Link](https://mindersec.github.io/ref/proto).\n\n* Protobuf - [Link](https://github.com/mindersec/minder/blob/main/proto/minder/v1/minder.proto).\n\n* OpenAPI/swagger spec (JSON) - [Link](https://github.com/mindersec/minder/blob/main/pkg/api/openapi/minder/v1/minder.swagger.json).\n\n## Contributing\n\nWe welcome contributions to Minder. 
Please see our [Contributing](./CONTRIBUTING.md) guide for more information.\n\n## Provenance\n\nThe Minder project follows the best practices for software supply chain security and transparency.\n\nAll released assets:\n\n* Have a generated and verifiable SLSA Build Level 3 provenance. For more information, see the [SLSA website](https://slsa.dev).\n* Have been signed and verified during release using the [Sigstore](https://sigstore.dev) project.\nThis ensures that\nthey are tamper-proof and can be verified by anyone.\n* Have an SBOM archive generated and published along with the release.\nThis allows users to understand the dependencies of the project and their security posture.\n\n## License\n\nMinder is licensed under the [Apache 2.0 License](./LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmindersec%2Fminder","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fmindersec%2Fminder","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fmindersec%2Fminder/lists"}