NetRise launches Provenance to trace open source risk
NetRise has launched NetRise Provenance, a product designed to identify risk tied to contributors to open-source components used in software and connected devices.
The offering adds contributor and maintainer intelligence to the company's existing software supply chain platform, with a focus on showing how risk can spread through dependency chains and across portfolios.
It is aimed at both software buyers and software producers. For procurement and third-party risk teams, it is intended to provide visibility into project health signals, advisory relationships, and the potential reach of a compromised maintainer or project. For developers and product security teams, it adds policy controls that can block builds when dependencies breach set risk thresholds.
The launch reflects broader cybersecurity concern about the role of trust in open-source software. Attackers have increasingly sought to gain influence within projects as contributors or maintainers before introducing malicious code into packages that are then distributed widely through software dependency networks.
Thomas Pace, co-founder and chief executive officer at NetRise, said the issue goes beyond known software flaws.
"Virtually every major software supply chain story in recent years has been a trust problem as much as a vulnerability problem," said Pace.
He added: "Bad actors gain the confidence of a community, become maintainers, misrepresent who is behind a project, and then push malicious code into widely used packages. Enterprises then scramble to discover their exposure when a compromised maintainer or project lives inside the software that runs critical operations across their business. NetRise Provenance replaces that guesswork with a clear view of how far that contributor's code reaches."
Tracing risk
According to NetRise, Provenance works with software bills of materials, container images, and file systems, and can be accessed through the NetRise platform as well as by API, command-line interface, and GitHub Action. It is intended to map packages to maintainers and organisations while layering in repository metadata, advisory history, and update patterns.
One feature focuses on attribution: customers can connect open-source components to named maintainers and organisations, including their country or local footprint, to support internal policy checks and regulatory screening. Another centres on dependency analysis: it shows both direct dependencies (what a package pulls in) and reverse dependencies (what depends on that package), so teams can estimate the blast radius of a compromised project or individual across products, vendors, and services.
The system also allows teams to define policies for unacceptable dependencies. When evaluated in a continuous integration pipeline, those rules return a pass or fail exit code, so a build can be halted automatically if a package breaches policy.
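The two capabilities described above, reverse-dependency impact analysis and a policy gate that fails a CI job through its exit code, can be illustrated over an ordinary SBOM. The following is an added example, not NetRise's code, data format or API: the SBOM is a constructed CycloneDX-style fragment using the `ref`/`dependsOn` dependency shape, and the `maintainer` and `risk_score` fields, the component names, the maintainer names and the policy are all hypothetical enrichment standing in for what a provenance tool would supply.

```python
"""Reverse-dependency impact analysis and a CI policy gate over an SBOM.

Added illustration (not NetRise's code or format): the SBOM below is a
constructed CycloneDX-style fragment, and the 'maintainer' and 'risk_score'
fields are hypothetical enrichment a provenance tool might attach.
"""
import sys
from collections import deque

# Constructed sample SBOM.  Each component carries a bom-ref, a hypothetical
# maintainer and a hypothetical 0-10 risk score; the "dependencies" list uses
# the CycloneDX ref/dependsOn shape (ref depends on each entry in dependsOn).
SBOM = {
    "components": [
        {"bom-ref": "app@1.0",      "maintainer": "acme-corp",    "risk_score": 1},
        {"bom-ref": "web@2.3",      "maintainer": "acme-corp",    "risk_score": 2},
        {"bom-ref": "ssh@9.0",      "maintainer": "ssh-team",     "risk_score": 2},
        {"bom-ref": "compress@5.6", "maintainer": "maint-x",      "risk_score": 9},
        {"bom-ref": "crypto@3.1",   "maintainer": "crypto-team",  "risk_score": 1},
        {"bom-ref": "logging@1.2",  "maintainer": "logging-team", "risk_score": 3},
    ],
    "dependencies": [
        {"ref": "app@1.0",      "dependsOn": ["web@2.3", "ssh@9.0", "logging@1.2"]},
        {"ref": "web@2.3",      "dependsOn": ["crypto@3.1"]},
        {"ref": "ssh@9.0",      "dependsOn": ["compress@5.6", "crypto@3.1"]},
        {"ref": "compress@5.6", "dependsOn": []},
        {"ref": "crypto@3.1",   "dependsOn": []},
        {"ref": "logging@1.2",  "dependsOn": []},
    ],
}

# Hypothetical policy: fail the build if any component is owned by a denied
# maintainer, or if any component's risk score reaches the threshold.
POLICY = {"denied_maintainers": {"maint-x"}, "max_risk_score": 8}


def reverse_dependency_map(sbom):
    """Invert the dependsOn edges: dependency -> set of direct dependents."""
    rdeps = {c["bom-ref"]: set() for c in sbom["components"]}
    for entry in sbom["dependencies"]:
        for dep in entry.get("dependsOn", []):
            rdeps.setdefault(dep, set()).add(entry["ref"])
    return rdeps


def transitive_dependents(sbom, ref):
    """Every component that directly or indirectly depends on `ref`, mapped to
    its hop distance.  BFS with a visited set, so dependency cycles terminate."""
    rdeps = reverse_dependency_map(sbom)
    hops = {}
    queue = deque([(ref, 0)])
    while queue:
        cur, depth = queue.popleft()
        for dependent in rdeps.get(cur, ()):
            if dependent not in hops:
                hops[dependent] = depth + 1
                queue.append((dependent, depth + 1))
    return hops


def blast_radius(sbom, maintainer):
    """Components written by `maintainer` plus everything that transitively
    depends on them: the 'where else does this person's code run' set."""
    owned = {c["bom-ref"] for c in sbom["components"]
             if c.get("maintainer") == maintainer}
    reached = set(owned)
    for ref in owned:
        reached.update(transitive_dependents(sbom, ref))
    return reached


def evaluate_policy(sbom, policy):
    """Return (exit_code, findings).  0 means pass; 1 means a dependency
    breached the policy, so a CI step can fail the build on the exit code."""
    findings = []
    for comp in sbom["components"]:
        ref = comp["bom-ref"]
        if comp.get("maintainer") in policy["denied_maintainers"]:
            dependents = sorted(transitive_dependents(sbom, ref))
            findings.append(f"{ref}: maintainer {comp['maintainer']} is denied; "
                            f"reaches {dependents}")
        if comp.get("risk_score", 0) >= policy["max_risk_score"]:
            findings.append(f"{ref}: risk score {comp['risk_score']} >= "
                            f"{policy['max_risk_score']}")
    return (1 if findings else 0), findings


if __name__ == "__main__":
    code, findings = evaluate_policy(SBOM, POLICY)
    for line in findings:
        print("FAIL", line)
    print("policy", "FAIL" if code else "PASS")
    sys.exit(code)  # non-zero exit halts the pipeline step that ran this
```

Run as a CI step, the script exits 1 here because `compress@5.6` is owned by a denied maintainer and also exceeds the risk threshold; the finding lists `ssh@9.0` and `app@1.0` as the components that would inherit the compromise. The reverse map is the key data structure: the SBOM only records what each package pulls in, and inverting those edges is what turns "this maintainer is compromised" into "these products are exposed".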
Michael Scott, co-founder and chief technology officer at NetRise, said the aim is to shorten the time needed to assess where suspect code may have spread.
"Software supply chain compromises are beginning to follow a disturbing pattern," said Scott. "A bad actor gains trust in one project, and their code silently spreads across thousands of dependency chains. The hard problem isn't finding the compromise - it's answering 'where else does this person's code end up and ultimately run in my environment?' in minutes instead of weeks. We built Provenance to make that query instant. Starting from an SBOM, filesystem, or container image, we map every package back to its maintainers, their organizations, their locations, and their advisory history, including for binaries, then let teams set policy against it. The XZ Utils compromise was caught by accident. Provenance means you no longer rely on luck."
Market context
The launch comes as enterprises face pressure to improve visibility into the software they buy and run, particularly where open-source code is involved. Security teams have spent several years pushing for better software bill of materials practices, but questions about who maintains code and how trust is distributed have become more prominent after several supply chain incidents.
Katie Norton, research manager, DevSecOps and software supply chain security at IDC, said the additional context could help risk teams make more informed decisions.
"Software supply chains increasingly depend on open source, which raises the importance of understanding not only what is in an application, but also who maintains it and how maintainer risk is concentrated across projects," said Norton. "Contributor, organization, and geographic context layered onto dependency and SBOM data helps security and risk teams make clearer deployment decisions, respond faster to emerging threats, and target remediation toward the most exposed dependencies."
NetRise said the product is available as part of its platform for enterprises, software and device makers, consultancies, and public sector organisations, as well as through API and command-line access for developers. The company's broader business focuses on identifying components inside compiled software, including firmware, operating systems, containers, and applications, to surface hidden dependencies and other forms of inherited risk.
"NetRise started by revealing all components inside compiled software," added Pace. "With Provenance, we are now giving builders and buyers a unified view of who is inside that software and how trust is concentrated in specific contributors and projects. This additional visibility allows teams to make proactive decisions that enhance the risk posture for product security teams and increase resilience for third-party risk teams. This launch marks another milestone in NetRise's journey to a software trust platform that connects code, people, and policy in one place."