Inside the 2025 Trusted Open Source Report

Our 2025 Trusted Open Source Report reveals real-world data on how teams consume and manage open source, from containers to libraries, highlighting daily practices and security challenges.

Hey there. Let's talk about something that's probably on your mind a lot if you're working with software today: open source. It's everywhere, right? It's the foundation of so much of what we build. But here's the thing—it can feel a bit like the wild west sometimes.

That's why, back in December 2025, we decided to pull back the curtain. We published our first-ever State of Trusted Open Source report. It wasn't just a bunch of fancy charts for the sake of it. We wanted to get real about what's actually happening out there. We dug deep into our own product data and anonymized insights from our customer base. The goal was simple: to understand how teams are *really* consuming open source. Not in theory, but in practice.

### What We Actually Looked At

We didn't just glance at a few downloads. We looked at the whole ecosystem. Think about everything that goes into a modern application:

- Container image projects and their specific versions
- The actual images teams are pulling to run their services
- Language libraries across different programming stacks
- Build processes and dependencies

It's a massive, interconnected web. And seeing it all laid out was... illuminating, to say the least.

![Visual representation of Inside the 2025 Trusted Open Source Report](https://ppiumdjsoymgaodrkgga.supabase.co/storage/v1/object/public/etsygeeks-blog-images/domainblog-31d84e0d-1fe2-476d-8fd2-f5ed23914f68-inline-1-1775285736304.webp)

### The Day-to-Day Reality for Teams

So, what did we find? The report sheds a bright light on the daily grind. It shows you what software teams are pulling from repositories, what they're deploying into production environments, and crucially, what they're spending their time maintaining. Because let's be honest, maintenance isn't the glamorous part. But it's the part that keeps the lights on. It's the security patches, the version updates, the dependency checks. It's the work that happens in the background so the exciting, front-facing features can even exist.

And then there's the other side of the coin: vulnerabilities. The report doesn't shy away from this. It looks at the security landscape alongside the consumption patterns. It connects the dots between what's being used and the potential risks that come with it.

One quote from an engineering lead we spoke to really stuck with me:

> "We don't just need to know what's in our software. We need to know why it's there, who put it there, and what we're supposed to do when it breaks."

That's the heart of it. It's about moving from a reactive stance to a proactive one. The data in the report helps paint a picture of that journey.

### Why This Matters for You

You might be wondering, "Okay, but what's in it for me?" Well, if you're making decisions about software—whether you're an architect, a team lead, or a developer—this kind of insight is pure gold. It helps you benchmark your own practices. Are you pulling in more outdated libraries than the average team? Is your container strategy aligned with where the industry is heading? Are you aware of the specific vulnerability trends affecting your tech stack?

This isn't about creating fear. It's about building awareness. When you understand the landscape, you can make better choices. You can prioritize your tech debt paydown. You can advocate for more secure foundations with real, hard data.

Think of it like a map. The open source world is vast and can be tricky to navigate. This report is like having a detailed map that shows not just the roads, but also the terrain, the weather patterns, and the potential obstacles ahead. It allows you to plan a smarter route, rather than just hoping you end up in the right place.

### The Big Takeaway

At the end of the day, trust in open source isn't a given. It's earned. It's built through transparency, through understanding, and through diligent management. This report is a step toward that. It's a snapshot of the state of play, warts and all.

The hope is that by sharing what we've learned, we can all build more resilient, secure, and trustworthy software. Because that's what our users, and our businesses, ultimately depend on. It's not just about the code we write; it's about the entire ecosystem we choose to participate in and how we choose to steward it.