As Zendesk’s Associate General Counsel, Patrick Lonergan was a quarterback of sorts for the organization’s open source software compliance efforts. He not only conducted reviews and oversight over license compliance processes, but also coordinated closely with developers to ensure the rapid remediation of any violations.
Given the scope of Zendesk’s development efforts — more than 1,000 repos, multiple CI/CD pipelines, and many tools and DevOps workflows executing numerous concurrent builds per day — Lonergan’s role played a big part in the enterprise’s success.
Unfortunately, Lonergan was initially forced to do the job with an arm tied behind his back. That’s because Zendesk relied on a code scanning tool that made compliance something of a nightmare. It produced in the vicinity of 10,000 results per scan, which included false positives and lacked the context engineering teams needed to triage and resolve issues.
“I didn't know how I was ever going to get through all those results,” Lonergan recalls. “It was impossible for a small team to review, understand what issues were relevant, and take action.”
Zendesk soon decided it was time for a change. The organization selected FOSSA, an SCA solution that integrates code scanning and licensing into all CI/CD pipelines, automates compliance workflows, accelerates remediation, and saves massive amounts of time across multiple teams.
“FOSSA told me exactly when there was an issue, what the issue was, and then I could work with the engineers on next steps,” Lonergan says. “It enabled us to deploy software at scale. We could keep doing what we were doing and feel that we were in compliance with all of our open source obligations.”
Since implementing FOSSA, Zendesk has enjoyed a reduction of more than 90% in engineering team time on resolving compliance issues and a 50% reduction in legal time spent managing compliance.
Relief for Legal Teams
Although open source license compliance was a critical part of Lonergan’s responsibilities at Zendesk, it’s far from the only function he managed. So it was quite problematic that, before FOSSA, Lonergan was forced to spend upwards of 20% of each week managing the company’s legacy scanning tool and compliance processes.
FOSSA cut that number in half, freeing Lonergan to devote more time to areas of Zendesk’s business that directly support revenue growth.
“FOSSA has saved me on average five or six hours a week,” Lonergan says. “It's allowed me to only spend a few hours a week doing things related to open source license compliance, which is great.”
“It's a one-time setup and then you're just off and running. It only reached out to me with an issue when it thought there was one.”
Lonergan was also better equipped to respond to requests from other teams at Zendesk for data, such as a bill of materials or any number of reports. FOSSA turned what was a major headache — building reports that document all types and layers of dependencies in a given library — into something that takes just a few clicks and a few minutes.
“A lot of times people will ask, ‘What are all the dependencies that we use on this project?’ I can easily generate those reports in FOSSA. I can go in and see where all the dependencies are and if it’s a transitive or direct dependency.”
Better Data, Tailored Results
No two development organizations have the exact same workflows, processes, and goals. But Zendesk’s legacy scanning tool applied a one-size-fits-all approach, which produced a massive result set that included many irrelevant flags.
“[The legacy tool conducted] a really in-depth, crazy scan where it gave us 10,000 results, and then we had to go through and check which result sets we actually cared about and clear the stuff that we weren’t concerned about,” Lonergan says.
In contrast, FOSSA’s customizable policy engine made it easy for Lonergan to tailor each scan to meet Zendesk’s needs.
“The policy-setting at FOSSA is the number-one reason I picked it,” Lonergan says. “I can tell FOSSA exactly what I care about, and it tells me when something is out of policy. I don't want to hear from the compliance tool unless I have an issue that I need to deal with.”
If and when FOSSA does uncover compliance issues, it doesn’t just notify Zendesk that they exist. FOSSA also provides actionable insights that accelerate remediation, which has paved the way for fruitful collaboration between Lonergan and his engineering colleagues. These insights include:
- The path through which dependencies/licenses were included in the code
- Specific projects that are affected by violations and potential violations
- Guidance on how best to remediate violations and potential violations
“FOSSA provides us with contextualized, easily actionable intelligence,” Lonergan says. “It gives us the exact information I need so I can address any issues quickly and easily.”
Get the Full Story
Download the case study “Open Source Made Easy: How Zendesk Automated Workflows and Simplified Compliance” for more information on Zendesk’s new approach to open source license compliance. And feel free to get in touch to learn more about how FOSSA can support your team's license compliance initiatives.