Modernizing Open Source Management with Continuous Compliance

Featuring: Patrick Lonergan, Associate General Counsel - Intellectual Property

How SmartThings runs IoT open source compliance across dozens of releases per day

Zendesk customer service and engagement products are powerful and flexible, and scale to meet the needs of any business. Zendesk serves businesses across hundreds of industries, and the company is always working to create new and better solutions for its customers. Zendesk needed to respond to an intensifying problem: legacy open source management tools and processes that were unable to keep pace with the increasing use of open source software components by a growing number of development teams. Looking to modernize, Zendesk turned to FOSSA for its open source compliance needs by embedding Continuous Compliance into the development process itself, streamlining workflows for its legal and engineering teams alike.

The Challenge

With 1,000+ repos, multiple CI/CD pipelines, and multiple CI/CD tools that execute numerous concurrent builds per day, Zendesk needed an open source management solution that could grow with the needs of the business without overtaxing the legal and engineering teams. The legacy solution in place was built for a time when software development consisted of periodic releases and limited open source usage. As a result, their legacy system produced a massive result set with copious false positives that required significant engineering and legal time to review.

With our legacy solutions, every scan spit out so many results it was impossible for a small team to review, understand what issues were relevant, and take action. FOSSA provides the exact information I need so I can address any issues quickly and easily

The Solution: Continuous Compliance

Zendesk needed a comprehensive, real-time approach to open source license compliance. Designed specifically for modern CI/CD development, FOSSA provided the solution in the form of Continuous Compliance.

Integrated with Zendesk’s CI/CD tools FOSSA utilizes code dependency scanning across both repositories in Github and build servers to catalog all open source components and associated licenses before deployment, shifting left and automating compliance workflows.

In an environment where slowing down wasn’t an option, FOSSA was brought in to get a working process within days that covered every part of development without getting in the way.

FOSSA enabled new, collaborative workflows across our Engineering and Legal teams that weren’t possible with our legacy tools and processes.

The Results

FOSSA’s on-demand database and issue management capabilities enable Zendesk’s engineering and legal teams to seamlessly collaborate throughout the development lifecycle to maintain open source compliance. According to Patrick, “With FOSSA, I use 99% less of my engineering team’s time and only require their support on issues that matter.” This is enabled in two ways: first, by integrating directly with existing CI/CD tools used by Zendesk’s engineering team; and second, by providing purpose-built interactive workflows for the legal team in the FOSSA UI. Together, these provide the dual benefit of improved developer efficiency while allowing a small legal team to support hundreds of developers across hundreds of projects.