NetRise has introduced NetRise Provenance, a new solution designed to uncover risks tied to contributors of open-source components within enterprise software and connected devices, as well as the extent of that risk across portfolios. Provenance enhances the NetRise Platform by adding a layer of trust and intelligence, delivering deeper insight into the Software Bill of Materials (SBOM).
For organizations that buy and operate software, NetRise Provenance adds a level of visibility into risk in the software supply chain that previously was opaque to procurement and third-party risk teams. Those teams now can see a variety of project health signals, including advisory relationships and how compromises propagate through dependency graphs, defining a blast radius from a malicious contributor.
For organizations that build and ship software, NetRise Provenance enables developers and product security teams to set policies to govern selection of open-source projects, automatically failing a build when dependencies cross a risk line.
āVirtually every major software supply chain story in recent years has been a trust problem as much as a vulnerability problem,ā said Thomas Pace, co-founder and CEO of NetRise. āBad actors gain the confidence of a community, become maintainers, misrepresent who is behind a project, and then push malicious code into widely-used packages. Enterprises then scramble to discover their exposure: When a compromised maintainer or project lives inside the software that runs critical operations across their business. NetRise Provenance replaces that guesswork with a clear view of the extent to which that contributorās code reaches.ā
NetRise Provenance is delivered as part of the NetRise Platform and through a developer friendly API, a command line interface (CLI), or github action. Key capabilities include:
- Unified with NetRiseās binary system of intelligence Overlay trust and provenance data on top of NetRiseās binary verified software asset inventory so buyers can connect who is behind a component with where it actually runs, how exploitable it is, and which products and devices need to be prioritized.
- Maintainer and organization attribution Map open source components to real maintainers and organizations, including country or local level footprint, so teams can apply internal policy, regulatory requirements, and ensure OFAC compliance requirements are met.
- Policy engine Feed SBOMs or container images into NetRise Provenance to enrich each package with advisories, contributor risk signals, and repository metadata. Apply simple policies that define what is unacceptable. Pass or fail exit codes let CI systems stop builds automatically when a dependency violates those rules, while reporting templates inform third-party risk and compliance teams.
- Blast radius and dependency analysis Use dependency and reverse dependency views to see where a maintainer, project, or repository appears across products, services, and vendors, so teams can scope incidents, sanctions, and policy changes in minutes and communicate to executives and regulators real impact.
- Trust and hygiene indicators Combine repository metadata, project policies, update cadence, advisory history, and other security practice indicators into an āat a glanceā view that highlights projects with unusual behavior, making it easier to separate risky from healthy dependencies.
āSoftware supply chain compromises are beginning to follow a disturbing pattern, āsaid Michael Scott, co-founder and CTO of NetRise. āA bad actor gains trust in one project, and their code silently spreads across thousands of dependency chains. The hard problem isn’t finding the compromise – it’s answering ‘where else does this person’s code end up and ultimately run in my environment?’ in minutes instead of weeks. We built Provenance to make that query instant. Starting from an SBOM, filesystem, or container image, we map every package back to its maintainers, their organizations, their locations, and their advisory history, including for binaries – then let teams set policy against it. The XZ Utils compromise was caught by accident. Provenance makes it where you no longer rely on luck.ā
āSoftware supply chains increasingly depend on open source, which raises the importance of understanding not only what is in an application, but also who maintains it and how maintainer risk is concentrated across projects,ā said Katie Norton, Research Manager, DevSecOps and Software Supply Chain Security at IDC. āContributor, organization, and geographic context layered onto dependency and SBOM data helps security and risk teams make clearer deployment decisions, respond faster to emerging threats, and target remediation toward the most exposed dependencies.ā
āNetRise started by revealing all components inside compiled software,ā added Pace. āWith Provenance, we are now giving builders and buyers a unified view of who is inside that software and how trust is concentrated in specific contributors and projects. This additional visibility allows teams to make proactive decisions that enhance the risk posture for product security teams, and increase resilience for third-party risk teams. This launch marks another milestone in NetRiseās journey to a software trust platform that connects code, people, and policy in one place.ā
NetRise Provenance is available as part of the NetRise Platform for enterprises, software and device makers, consultancies, and public sector organizations, and via API and CLI for developers who want to bring software trust decisions closer to where code is assembled.
Meet the NetRise team in San Francisco for the RSA Conference 2026 from 3/24 – 3/26.
For more information about NetRise Provenance, visit the website here.
Related News:
Azul and Chainguard Partner to Strengthen Security for Java Containers
Black Duck Navigating Software Supply Chain Risk Report Released
