OPEN SOURCE MANAGEMENT

Open source management for the software you actually ship.

SBOMs from CI and suppliers resolve into one governed inventory — licenses, vulnerabilities, and maintenance status for every component.

Inventory · Licenses · Vulnerabilities · Support · Policy

Inventory · Licenses · Vulnerabilities · Support · Policy

Interlynk resolves SBOMs from CI and suppliers into one governed package inventory with license, vulnerability, and maintenance status.
THE BLIND SPOT
THE BLIND SPOT

Most of your code is open source. Almost none of it is visible.

Most of your code is open source. Almost none of it is visible.

Open source carries the application. The risk it brings rarely sits anywhere you can query when it matters.

Inventory

The list is incomplete.

Transitive dependencies and vendored code never reach a spreadsheet, so when a CVE lands you cannot answer "do we use this, and where?"

Licenses

Obligations go unreviewed.

Copyleft and unknown licenses reach production because nobody mapped obligations to the components that carry them.

Maintenance

Dependencies rot quietly.

A library picked two years ago gets archived upstream, and nothing tells you it is now unmaintained.

You cannot govern what you have not inventoried.

WHAT YOU MANAGE
WHAT YOU MANAGE

Four views of the same component, one source of truth.

Four views of the same component, one source of truth.

Every SBOM, from CI or a supplier upload, resolves into one inventory you can query by package, license, vulnerability, or maintenance status.

01

One inventory for every component you ship.

Each SBOM feeds an organization-wide package list. See every version of a component in use, the products that ship it, and its PURL and ecosystem in one place.


  • Cross-product package view, not one SBOM at a time

  • Version tracking across the whole portfolio

  • Transitive and vendored components included

02

Know every license obligation before you ship.

License expressions are parsed to the SPDX standard and run through an approval workflow. Obligations such as attribution, source disclosure, and copyleft are tracked per license, with custom licenses alongside the standard catalog.


  • Approved, Rejected, and Unreviewed approval states

  • Obligation tracking on every license

  • Custom, non-SPDX licenses in the same inventory

03

New CVEs map back to versions you already shipped.

Components match against NVD, GitHub Security Advisories, and OSV, then enrich with EPSS, CISA KEV, and CWE. VEX dispositions record your team's response so the same finding is not triaged twice.


  • NVD, GitHub Security Advisories, and OSV correlation

  • EPSS and KEV for prioritization, not just CVSS

  • VEX disposition tracking on every finding

04

Catch dependencies the internet stopped maintaining.

Support Analysis reads package-registry and repository signals to grade each component's maintenance status, surfacing OpenSSF Scorecard and health scores so you replace risky dependencies on your schedule, not after a breach.


  • Graded from Actively Maintained down to Abandoned

  • Registry deprecation plus repository activity signals

  • OpenSSF Scorecard and per-package health scores

COMPLIANCE
COMPLIANCE

Every license carries duties. Interlynk tracks them.

Every license carries duties. Interlynk tracks them.

Obligations are attached to each license in the inventory, so a component's requirements travel with it across every product that uses it.

Attribution

MIT

BSD

Apache-2.0

Include the copyright notice and license text in your distribution.

Source disclosure

GPL-3.0

LGPL

Make corresponding source code available to recipients.

Copyleft

GPL-2.0

GPL-3.0

Derivative works must be released under the same license.

Patent grant

Apache-2.0

The license includes an explicit grant of patent rights.

Network copyleft

AGPL-3.0

Source must be offered to users who interact over a network.

HOW IT WORKS
HOW IT WORKS

From upload to governed inventory in four steps.

1. Ingest

SBOMs arrive from GitHub, GitLab, and Bitbucket on push and pull request, from pylynk or the GraphQL API in CI, or from a supplier upload link.

2. Resolve

Components are parsed into the organization-wide package inventory and their license expressions matched to the SPDX catalog.

3. Enrich

Each component picks up vulnerability matches, EPSS and KEV status, maintenance level, and OpenSSF Scorecard results.

4. Govern

Policies gate on license, vulnerability, and support level per environment. Violations surface as tickets in Jira or Linear and alerts in Slack.

WHY TEAMS SWITCH
WHY TEAMS SWITCH

Replace the spreadsheet and the standalone scanner.

Manual + scanner-only

✕ Inventory lives in a spreadsheet that drifts from the build

✕ Licenses reviewed once, if at all, with no approval trail

✕ Scans run at release and forget the version afterward

✕ No signal when a dependency is abandoned upstream

✕ Findings sit in a report nobody routes to an owner

With Interlynk

One inventory updated on every build, across products

License approval workflow with obligations tracked

Continuous monitoring maps new CVEs to shipped versions

Maintenance status graded for every component

Policy violations routed to Jira, Linear, and Slack

Spreadsheets and buckets

No automated ingestion, supplier collection, continuous monitoring, quality scoring, policy gates, or portfolio analytics.

DIY scripts

Partial CI ingestion and vulnerability monitoring, but no supplier workflow, quality scoring, policy gates, or portfolio view.

Interlynk

Automated ingestion, supplier collection, continuous monitoring, quality scoring, policy gates, and portfolio analytics in one workflow.

Open source management, answered.

What is open source management?

It is keeping an accurate, current inventory of the open-source components in your software and governing the risk they carry: license obligations, known vulnerabilities, and maintenance status. Interlynk inventories components automatically, reviews licenses against an approval workflow, monitors for new CVEs, and flags components that are no longer maintained.

What is open source license compliance?

How does Interlynk find vulnerabilities in open source components?

How do you detect abandoned dependencies?

Which package ecosystems are supported?

Where does the component data come from?

Trusted by security and compliance teams at 100+ regulated companies

Interlynk automates SBOMs, manages open source risks, monitors suppliers, and prepares you for the post-quantum era, all in one trusted platform.

Audit-ready SBOM. With every build.

Trusted by security and compliance teams at 100+ regulated companies

Interlynk automates SBOMs, manages open source risks, monitors suppliers, and prepares you for the post-quantum era, all in one trusted platform.

Audit-ready SBOM. With every build.

Trusted by security and compliance teams at 100+ regulated companies

Interlynk automates SBOMs, manages open source risks, monitors suppliers, and prepares you for the post-quantum era, all in one trusted platform.

Audit-ready SBOM. With every build.