ProofwrightWalkthrough

Governing third-party components

Inventory, license and maintenance health, and a policy gate before a dependency ever ships.

Governing the open-source and third-party components you pull in — inventory, health, and a policy gate before anything new gets adopted. Related demos: The CRA incident-reporting clock and A CRA-grade patch process.

1

Inventory what you depend on

Every direct and transitive component from the SBOM, in one list — because you can't govern what you can't see.

2

Check licence and health

Each component's licence, release cadence, and maintainer activity — the signals that tell you if it'll still be maintained next year.

3

Gate before adoption

A new dependency clears a policy check — licence, maintenance, known vulnerabilities — before it's allowed into the build.

4

Assign an owner

Each significant component gets an internal owner accountable for watching it — so an upstream problem has someone waiting for it.

this is Proofwright

It's live.

See the real thing at Proofwright.