close search bar

Sorry, not available in this language yet

close language selection

Introducing Black Duck CoPilot

Patrick Carey

Jun 12, 2017 / 3 min read

Today we’re happy to announce the release of Black Duck CoPilot by Synopsys, a new cloud service that helps open source project teams catalog and report on their project’s dependencies and vulnerabilities.

What is CoPilot and what does it do?

Black Duck CoPilot is FREE for open source developers who use (the #1 open source repository in the world today) as the repository for their projects. It connects to your GitHub repositories and provides you with security risk information for your open source project’s dependencies (i.e. the open source components used to build your project).

A completely cloud-based service, CoPilot is an easy, integrated, light-weight way to view security vulnerabilities in your open source projects. Once you connect CoPilot and build your project, you get a list of components, associated vulnerabilities (CVEs), as well as recommendations for adjacent vulnerability-free versions you can use if the components you are using have security issues.

co pilot

You may already be using GitHub badges as a way to communicate information about your project, like testing coverage and license type. With CoPilot, you can also post a Black Duck “security status badge” on your project’s GitHub page to show the results of the Black Duck security analysis.

co pilot badge

This badge helps you show potential users of your project that you take security seriously and that they can trust that your project won’t introduce vulnerabilities into their code. In turn, it helps those users pick the best quality components.

CoPilot – The supply-side complement to Black Duck Hub

Since 2004, Black Duck’s mission has been to help organizations get the most out of open source by giving them solutions that help them manage and, if possible, avoid the security, license, and quality risks that can come with it. We believe that when teams take control of these risks, open source thrives. Black Duck Hub gives these organizations (open source consumers) a sophisticated and automated solution that allows them to secure virtually any application or container codebase, across the entire development lifecycle, at any scale.

CoPilot complements Hub by giving open source producers a solution that helps them produce better quality components and communicate that to open source consumers — and that benefits everybody. However, CoPilot is not intended to be the full open source management solution that Hub is, and its functionality is a subset of Hub. The table below provides more detail on the specific feature differences between the two.




Codebase Support

Wide support for virtually any codebase or container image in any repository or storage location.

Support for open source codebases on

Open Source Discovery

Broad component discovery and language support using multi-factor discovery, combining source and binary scanning, package inspection, and build output analysis.

Component discovery based on package manifest information in projects built with the following build and CI tools.

Build Tools

  • Gradle
  • Maven
  • Scala Build Tool
  • NuGet
  • pip

CI Systems

  • Travis CI
  • Circle CI
  • AppVeyor

Vulnerability Data

Enhanced Vulnerability Data that extends the CVE data in NVD with independently researched vulnerability information. Provides more vulnerabilities, same-data notification, and deeper remediation guidance than NVD.

NVD CVE data only.

BOM Vulnerability Updates

Continuously updated. No need to re-scan or build to see latest vulnerabilities.

Updates when the project is rebuilt.

New Vulnerability Alerts



View Risks Across Multiple Projects



License Compliance Features



Policy Management Features



Integration Across DevOps Tool Chain

Yes – integrates in a wide variety of IDEs, build/CI tools, binary repositories, container platforms, and other DevOps tools. View the full list here.

Limited to GitHub and build/CI tools listed above.

Get started today!

If you are an open source developer with projects on you can get started today by visiting We look forward to getting your feedback on this new offering.

Continue Reading

Explore Topics