Codenotary Trustcenter
Codenotary's Trustcenter ensures the integrity and security of software supply chains in DevOps environments through artifact tracking, SBOM management, and VEX curation.
| Category | Supply Chain Security |
|---|---|
| This page updated | 30 days ago |
| Pricing Details | Starting at $5500 per year |
| Target Audience | Organizations looking to secure their software supply chains and DevOps processes. |
Codenotary's Trustcenter is designed to ensure the integrity and security of software supply chains, particularly in complex DevOps environments. Its technical architecture revolves around comprehensive artifact tracking, robust Software Bill of Materials (SBOM) management, and Vulnerability Exploitability eXchange (VEX) curation.
At its core, Trustcenter continuously identifies, isolates, and reports suspicious or harmful components within DevOps pipelines. It supports the import and export of SBOMs in various formats, including CycloneDX 1.6, VEX, and SPDX 3.0, allowing for integration with existing tools and workflows. The platform generates detailed SBOMs for open-source applications and containers, enabling real-time tracking of attestations and vendor risk profiles. This is achieved through its patent-pending TrueSBOM® technology, which monitors changes in components at runtime, even for self-updating applications, and detects encrypted code when loaded.
Operationally, Trustcenter integrates with a range of CI/CD and SCM tools, Docker and OCI registries, and several vulnerability scanners such as Snyk, Aqua, and JFrog. It provides bindings for multiple programming languages, including Java, C++, Python, NodeJS, Go, Rust, and PHP. However, the effectiveness of these integrations can be limited by the complexity of the environment and the volume of data being processed. For instance, managing versions of SBOMs and VEX files can become cumbersome in large-scale deployments, and the cost of retaining detailed historical data can be significant.
From a technical standpoint, Trustcenter's ability to quickly search and spot vulnerable components, such as Log4j, and determine their exploitability through runtime analysis is a key strength. It also helps in detecting license violations and maintaining an up-to-date list of open-source components with their dependencies. However, the platform's pricing, starting at $5500 per year, and the need for continuous enforcement of trusted components at rest and runtime can pose operational and financial considerations for some organizations.