Software supply chain security company NetRise announced on Tuesday the launch of NetRise Provenance, a new product that identifies the risk associated with contributors to the open source components inside enterprise software and connected devices, and how far the risk associated with bad actors reaches across portfolios. Provenance adds a layer of trust and intelligence to the NetRise Platform, giving a deeper look into the Software Bill of Materials (SBOM).
For organizations that buy and operate software, NetRise Provenance adds a level of visibility into software supply chain risk that was previously opaque to procurement and third-party risk teams. Those teams can now see a variety of project health signals, including advisory relationships and how compromises propagate through dependency graphs, defining a blast radius from a malicious contributor.
For organizations that build and ship software, NetRise Provenance enables developers and product security teams to set policies to govern selection of open-source projects, automatically failing a build when dependencies cross a risk line.
“Virtually every major software supply chain story in recent years has been a trust problem as much as a vulnerability problem,” said Thomas Pace, co-founder and CEO of NetRise. “Bad actors gain the confidence of a community, become maintainers, misrepresent who is behind a project, and then push malicious code into widely-used packages. Enterprises then scramble to discover their exposure: when a compromised maintainer or project lives inside the software that runs critical operations across their business. NetRise Provenance replaces that guesswork with a clear view of the extent to which that contributor’s code reaches.”
NetRise Provenance is delivered as part of the NetRise Platform and through a developer-friendly API, a command line interface (CLI), or a GitHub Action. Key capabilities include integration with NetRise’s binary system of intelligence, allowing organizations to overlay trust and provenance data onto a verified software asset inventory. This enables buyers to understand who is behind each component, where it runs, how exploitable it may be, and which products or devices should be prioritized for remediation.
The platform also provides maintainer and organization attribution by mapping open source components to real individuals and organizations, including geographic footprint at the country or local level. This helps teams enforce internal policies, meet regulatory requirements, and ensure compliance with OFAC obligations.
A built-in policy engine allows teams to feed software bills of materials or container images into NetRise Provenance, enriching each package with advisories, contributor risk signals, and repository metadata. Organizations can define clear policies for unacceptable risk, with automated pass or fail outputs that enable CI systems to halt builds when violations occur, while reporting templates support third-party risk and compliance workflows.
In addition, blast radius and dependency analysis capabilities provide visibility into where specific maintainers, projects, or repositories appear across products, services, and vendors. This allows teams to quickly assess the impact of incidents, sanctions, or policy changes and communicate the scope of risk to executives and regulators.
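To make the policy-engine and blast-radius ideas from the two paragraphs above concrete, here is an added illustration (not NetRise code and not its API): it inverts a constructed CycloneDX-style dependency graph, walks from one maintainer's packages up to every shipped product that transitively includes their code, and gates a build on a list of flagged maintainers. All package names, product names and maintainer handles are constructed for the example.

```python
from collections import deque

# Constructed sample data (made-up names): a CycloneDX-style "dependencies"
# section, mapping each ref to the refs it depends on, for two shipped
# products, plus a constructed attribution map from package ref to maintainer.
SBOM_DEPENDENCIES = {
    "product:gateway-fw": ["pkg:liblog", "pkg:libcompress"],
    "product:portal-app": ["pkg:webfw"],
    "pkg:webfw": ["pkg:liblog"],
    "pkg:liblog": [],
    "pkg:libcompress": ["pkg:libz-fork"],
    "pkg:libz-fork": [],
}
MAINTAINERS = {
    "pkg:liblog": "alice",
    "pkg:webfw": "bob",
    "pkg:libcompress": "carol",
    "pkg:libz-fork": "mallory",
}


def reverse_graph(deps):
    """Invert the graph: child ref -> list of refs that depend on it."""
    rev = {ref: [] for ref in deps}
    for parent, children in deps.items():
        for child in children:
            rev.setdefault(child, []).append(parent)
    return rev


def blast_radius(maintainer, deps=SBOM_DEPENDENCIES, maintainers=MAINTAINERS):
    """Return (all refs that transitively include this maintainer's code,
    the subset of those refs that are shipped products)."""
    rev = reverse_graph(deps)
    seeds = [ref for ref, m in maintainers.items() if m == maintainer]
    seen, queue = set(seeds), deque(seeds)
    while queue:  # breadth-first walk up the reverse dependency edges
        for parent in rev.get(queue.popleft(), []):
            if parent not in seen:
                seen.add(parent)
                queue.append(parent)
    products = {ref for ref in seen if ref.startswith("product:")}
    return seen, products


def policy_check(product, flagged, deps=SBOM_DEPENDENCIES, maintainers=MAINTAINERS):
    """CI gate: FAIL if any flagged maintainer's code reaches `product`."""
    violations = sorted(m for m in flagged
                        if product in blast_radius(m, deps, maintainers)[1])
    return ("FAIL" if violations else "PASS", violations)
```

A real deployment would replace the constructed maps with an SBOM parser and an attribution feed; the walk itself does not change.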
The platform further offers trust and hygiene indicators by combining repository metadata, project governance practices, update frequency, advisory history, and other security signals into a consolidated view. This makes it easier to identify unusual behavior and distinguish between high-risk and well-maintained dependencies.
“Software supply chain compromises are beginning to follow a disturbing pattern,” said Michael Scott, co-founder and CTO of NetRise. “A bad actor gains trust in one project, and their code silently spreads across thousands of dependency chains. The hard problem isn’t finding the compromise – it’s answering ‘where else does this person’s code end up and ultimately run in my environment?’ in minutes instead of weeks. We built Provenance to make that query instant. Starting from an SBOM, filesystem, or container image, we map every package back to its maintainers, their organizations, their locations, and their advisory history, including for binaries – then let teams set policy against it. The XZ Utils compromise was caught by accident. Provenance makes it where you no longer rely on luck.”
“Software supply chains increasingly depend on open source, which raises the importance of understanding not only what is in an application, but also who maintains it and how maintainer risk is concentrated across projects,” said Katie Norton, Research Manager, DevSecOps and Software Supply Chain Security at IDC. “Contributor, organization, and geographic context layered onto dependency and SBOM data helps security and risk teams make clearer deployment decisions, respond faster to emerging threats, and target remediation toward the most exposed dependencies.”
“NetRise started by revealing all components inside compiled software,” added Pace. “With Provenance, we are now giving builders and buyers a unified view of who is inside that software and how trust is concentrated in specific contributors and projects. This additional visibility allows teams to make proactive decisions that enhance the risk posture for product security teams, and increase resilience for third-party risk teams. This launch marks another milestone in NetRise’s journey to a software trust platform that connects code, people, and policy in one place.”
NetRise Provenance is available as part of the NetRise Platform for enterprises, software and device makers, consultancies, and public sector organizations, and via API and CLI for developers who want to bring software trust decisions closer to where code is assembled.