Explore More

Download a whitepaper, learn more about supply chain management, discover integrations, or attend an event. There is much to learn about software supply chain security. This is a good place to start.

DeployHub Integrates With Tools You Use

DeployHub can associate SonarQube Project Status, Bugs, Code Smells, and Violations metrics to your Component Version. Associating these metrics enables compliance scoring for Application Versions since the metrics are rolled up from the Component Versions to the Application Version.

Learn More

DeployHub can associate Veracode Security Scan to your Component Version. Associating these metrics enables compliance scoring for Application Versions since the metrics are rolled up from the Component Versions to the Application Version.

Learn More

If you are not already generating an SBOM as part of your DevOps Pipeline, DeployHub’s supply chain defense catalog integrates with Syft to get the job done.

Learn More

DeployHub’s software supply chain defense catalog can consume CycloneDX formatted SBOMs. If you are already generating SBOMs, you will pass the name of the SBOM results to DeployHub.

Learn More

DeployHub’s software supply chain management catalog can consume any SPDX formatted SBOM. If you are already generating SBOMs, you will pass the name of the SBOM results to DeployHub.

Learn More

DeployHub uses OSV.Dev to continuously monitor your Component and Application’s vulnerabilities within your software supply chain. DeployHub scans for new vulnerabilities every 30 minutes.

Learn More

In order to continuously gather pipeline intelligence, DeployHub must become part of your pipeline. DeployHub integrates into your CI/CD process using the Ortelius Open-Source Command Line (CLI). The Ortelius CLI gathers supply chain data based on a single pipeline workflow at the build and deploy steps. The build step gathers Swagger, SBOM, Readme, licenses, Git data, Docker image, and other build output. The deploy step records when a release occurs, what was sent, and where the objects were sent to.

The Ortelius Open Source Community maintains the Ortelius CLI under the governance of the Linux Foundation’s Continuous Delivery Foundation.

Learn More

When DeployHub is integrated into your CI/CD pipeline, it can capture metrics for DORA reporting. The two DORA metrics that DeployHub captures are Deployment Frequency and Lead Time for Changes.

Learn More

You can configure DeployHub to call out to a Git Repo to pull deployable artifacts (binaries, scripts, etc.) as part of your deployment. The process will check out your deployable artifacts based on commit, branch or tag specified.

Learn More

Helm can be called to replace the DeployHub default processing engine for performing container deployments. When DeployHub executes the release process, it will call the Helm Chart you have defined as your Custom Action at the Component level. Our microservice catalog includes the version of the Helm chart as part of its overall configuration data. In addition, DeployHub’s software supply chain defense catalog can track Key Value pairs and generate override files for each environment to which you are deploying, making updates to configurations quick and easy.

Learn More

Add your Microservice / API Swagger documentation to your supply chain to clarify component use and details.

Learn More

DeployHub integrates with Jira, Bugzilla, and GitHub issues to track your change request at three levels: Component (microservice), Application, and Release (collection of Applications). You define Jira, Bugzilla, or GitHub through an object called a ‘data source.’ Once defined, you can pull change request from your issue system and assign them at any level for tracking. When change requests are managed this way, you have a continuous feedback loop showing when the issue was opened and when the customer received the fix.

Learn More

If you are developing your Applications using SaleForce, this integration will allow you to support SalesForce deployments. By creating this Custom Action, you can replace the DeployHub standard deployment processing engine and instead use a process designed specific to Salesforce including the mapping of DeployHub Environments to different SalesForce regions such as testing, pre-production, and production, where the class and package files can be deployed.

Learn More

A software supply chain management catalog would be incomplete without managing the important database parts, particularly for poly databases. You can publish your database updates to the catalog, tracking and versioning your data changes. DeployHub has a unique type of Component for database updates, allowing you to manage your database with roll-forward and rollback processing. Check out the ‘version jumping’ DB Demo.

Learn More

DeployHub’s software supply chain management catalog allows you to send notifications using Notifiers via HipChat Groups, Topics, or Room features. Notifications are defined to Components and Applications and inform the recipient(s) of the Component or Applications deployment’s success or failure.

Learn More

Slack can be integrated with DeployHub using NotifiersNotifiers can be called to report on the success or failure of a deployment.

Learn More

DeployHub integrates with CircleCI to support microservices continuous configuration management and continuous deployments built into your CircleCI pipeline. In particular, DeployHub integrates with CircleCI to enrich the CI/CD pipeline around microservices, tracking which applications need to be retested due to a common microservice update.

Critical to the process is the ability to perform versioning and tracking microservices across clusters and teams and map them to ‘logical’ Applications. DeployHub’s CircleCI Orb includes the ability to perform automated version and dependency management of microservices tracking application and microservice relationships, their versions, and their deployment metadata.

Learn More

DeployHub allows you to use LDAP or Active Directory to manage your User logins. The integration creates an LDAP Data Source to access an LDAP database and use the information stored to gain access to DeployHub. It also populates the Users General tab with Real Name and Email, which it gets from the LDAP database. When you define a User, you associate the LDAP authentication method. At login, DeployHub checks the User’s authentication method to determine if LDAP or Active Directory should be used.

Learn More

Learn More, Attend an Event, or Browse Documentation

Unifying Application Security Best Practices Data

Discover the need for gathering and aggregating the application security best practices data. Critical data is gathered across the DevOps pipeline, but it is fragmented. This article explores why unifying this data is critical for a comprehensive understanding of your open source software supply chain security.

Software Supply Chain Management

Software supply chain management involves locating, assessing, and mitigating risks associated with consuming open-source software components into the software delivered to end users. Managing the risks of using open-source software involves exposing what packages are used, even when developers don’t know the transitive dependencies they consume. This article expands on the concepts of gathering open source usage data to respond to vulnerabilities such as Log4J quickly. Knowing where Open Source is located is the first step.

Software Supply Chain Version Management

Software supply chain versioning is becoming increasingly important to support decoupled, cloud-native development, where thousands of objects are continuously pushed into the software supply chain One might ask, “What does the future look like when I manage and track hundreds of components that comprise a single version of my software application?” Most teams will need more than an Excel spreadsheet to track and version components. This article explores the methods of versioning the overall software supply chain.

Decoding Decoupled Architecture

Decoupled architecture offers many advantages. But with those advantages comes new challenges, particularly around understanding how a logical decoupled application is configured. In this article we explore the benefits and challenges of a decoupled architecture.

Consuming and Aggregating SBOM Data across the Supply Chain

The core problem of SBOMs is the data is not consumed. SBOM’s provide little use sitting in a text file under the build directory or even stored in Git as a historical record. Most SBOM data is fragmented across hundreds of components, causing IT teams to struggle to fully address open source vulnerabilities quickly. Instead, IT teams spend critical time searching for and interrogating hundreds of SBOMs for the needed information. This article explores the concepts of SBOM consumption.

Managing a Components Blast Radius

Updating software always involves risk. In a decoupled architecture, the risk increases due to the sheer number of updates being pushed through DevOps Pipelines. Knowing the impact of a component release provides actionable intelligence about the potential risk of that update. This article explores the importance of knowing the blast radius of a single shared component across the organization.

blast radius

Federating Software Composition Analysis (SCA) Data

Centralizing and automating the collection of component-level Software Composition Analysis is an essential tool in the DevSecOps toolbox for cloud-native architectures. However, without aggregating this data, it is nearly impossible to determine if the ‘logical’ application delivered to end users is safe for consumption. This article explores how SCA changes in a decoupled architecture.

Understanding SBOMs – The Ultimate Guide

Software Bill of Materials (SBOMs) has become part of the conversation around securing the software supply chain, particularly around open source. This article explores the different types of SBOMs and why the data is important.

SBOM Stack

SBOM Management

SBOM Management is critical in hardening cybersecurity, so it is important to manage the SBOM (Software Bill of Material) data. At the most basic level, SBOM data is needed to determine your software’s common vulnerabilities and exposures (CVEs). This article explores the process of managing SBOM data to improve the overall security of the software delivered to end users.

SBOM Automation

SBOM automation must be included as part of your CI/CD workflow. You can’t assume that SBOMs can be manually generated for every release, when releases are happening all day long. This article covers the steps for adding SBOM automation to your CI/CD process using the Ortelius Open Source Project’s CI/CD command line tool.


SBOMs and Cybersecurity

In today’s digital age, cybersecurity has become a paramount concern for individuals, businesses, and governments alike. The ever-evolving threat landscape presents a continuous challenge, making it essential for organizations to adopt proactive measures to protect their digital assets and sensitive data. One such critical tool in the cybersecurity arsenal is the Software Bill of Materials (SBOM). SBOMs are not just nice to have; they are necessary in the battle against cyber threats. This article explores why SBOMs are critical in the process of defending the software we deliver to end users.

SBOM Requirements

Regulatory agencies such as the U.S. NIST and the CISA advocate for SBOM requirements as a necessary practice for software supply chain security. The use of SBOMs for software supply chain security was mostly attributed to the SolarWinds software supply chain attack, which occurred in December 2020. Other recent hacks that helped propel these changes include the hacks of Microsoft Exchange and Colonial Pipeline, which occurred in early 2021. Since these attacks, government agencies have begun to require that any software being delivered to the US Government must be accompanied by an SBOM. This article explores the requirements for SBOMs.

security tooling

How to Add Application Security Open-Source Tooling To Your Pipeline

This whitepaper provides you with everything you need to know about adding open-source security tooling to your DevOps pipeline. Get started with signing, SBOM’s, and cataloging the security intelligence.

DeployHub Team SaaS Proof of Concept

Get started managing your software supply chain today with DeployHub Team. This Proof of Concept leads you through installing DeployHub Team (SaaS or on-premise) and walks you through the process of integrating with your DevOps pipeline to continuously track and monitor your software supply chain. And best yet, DeployHub Team is free, no budget required.

microservice catalogs explored

Software Supply Chain Management Catalogs Explored

Starting to wonder how to tame the supply chain with hundreds of components and open-source packages? This whitepaper explores the use of a software supply chain management catalog. It covers the data managed and the users who benefit.

SBOMs in a microservice architecture

SBOMs in a Decoupled Architecture

When you move away from monolithic practices to a decoupled architecture, you lose the application SBOM. This whitepaper explains how DeployHub aggregates SBOM data up to the logical application level.


A cloud-native, decoupled architecture offers new supply chain challenges. Discover how DeployHub is solving the challenge through versioning.

blast radius

Know Your Blast Radius

This whitepaper outlines how DeployHub can help you understand a component’s blast radius before you deploy. DeployHub can show you what ‘product’ teams will be impacted when a shared service is updated across environments and endpoints. We call this a proactive approach with clear visibility.

Components and Applications with Aggregated SBOMs

Gathering Security and DevOps Data

Managing Components using Domains

Managing Microservices with DeployHub Software Supply Chain Management Catalog

Unifying Application Security Best Practices Data

Unifying Application Security Best Practices Data

Techstrong Predict 2024 

January 18th, 2024

Explore the future of DevOps, Cybersecurity, Cloud Native and AI.

Tracy Ragan presents – 2024 – The Year of AI-Powered Federated DevOps and Security Data

Techstrong Predict 2024

Open-Source Summit North America 2024 and CDCon2024

April 16-18th, Seattle WA, USA

Open Source Summit is the premier event for open source developers, technologists, and community leaders to collaborate, share information, solve problems, and gain knowledge, furthering open source innovation and ensuring a sustainable open source ecosystem. CDCon will be co-located with Continuous Delivery leaders, industry icons, practitioners, and open-source developers meeting to discuss the world’s capacity to deliver software with security and speed.

Techstrong Women


Hosted by Tracy Ragan, CEO, DeployHub

Join Tracy Ragan and Jodi Ashley on this bi-monthly show celebrating amazing technologists who just happen to be women.

Techstrong Women