Curated catalog of pre-vetted components
Developers pick from a vetted list rather than reaching into the public registry. The dependency surface narrows to libraries the program is willing to depend on.
OpenText • Application security
Core Open Source Select is a curated open-source component catalog with pre-vetted dependency selection. It moves OSS governance from scan-time detection to sourcing-time control, screening libraries against vulnerability history, license clarity, and project hygiene before they enter the dependency tree.
When Merito stands up Core Open Source Select, the engagement defines the curated catalog scope, designs the catalog-restriction policy, and pairs it with Core SCA so the AppSec program runs sourcing-time curation alongside detection-time scanning rather than letting either run alone.
What it is
Core Open Source Select is the sourcing-time OSS curation product inside the OpenText AppSec line. Where Core SCA detects vulnerabilities and license risk in dependencies that are already in the build, Open Source Select runs upstream of that: a curated catalog of pre-vetted OSS components developers can pick from, with vulnerability history, license posture, project hygiene, and known-bad indicators evaluated before adoption. Programs that consume Open Source Select narrow the dependency surface to libraries the program is willing to depend on.
Comparison to Checkmarx Repository Health is fair. Both products operate in the sourcing-time governance space, scoring OSS projects before they enter the dependency tree. Open Source Select takes the curated-catalog shape (here is a vetted list, pick from it); Repository Health takes the scoring-engine shape (here is a score, gate against it). Programs picking Open Source Select are picking the catalog discipline; programs picking Repository Health are picking the score discipline. Both are valid and address the same risk from different angles.
The pairing with Core SCA is the load-bearing move on layered governance. Open Source Select narrows the front-end (what enters the dependency tree); Core SCA evaluates the back-end (what risk exists in dependencies that did enter). Programs running both run prevention plus detection; programs running only Core SCA do detection without prevention. The right shape depends on whether the program has the operational maturity to enforce sourcing decisions versus only react to detected risk.
What undermines Open Source Select adoption is treating it as an OSS-license scanner. The product's value is the curation discipline: developers pick from a vetted catalog rather than reaching into the public registry directly. Programs that license Open Source Select but never restrict developers to the catalog get the catalog without the discipline, and do sourcing-time governance in name only. Merito's engagement defines the catalog-restriction policy, the override workflow for legitimate exceptions, and the developer enablement that turns the catalog into a real sourcing discipline.
Ideal use cases
What it is best at
Developers pick from a vetted list rather than reaching into the public registry. The dependency surface narrows to libraries the program is willing to depend on.
Operates upstream of Core SCA. Programs that catch unhealthy dependencies before they enter the build spend a fraction of the operational effort that detection-only programs do.
Curation feeds into Core SCA detection so AppSec runs layered governance: prevention at sourcing, detection at scan time.
Catalog evaluations include license clarity, attribution requirements, and project provenance. Programs subject to OSS-license audits get sourcing-side rigor.
When a developer needs a library outside the catalog, the override workflow captures rationale, reviewer, and expiry. Sourcing decisions become defensible.
Core capabilities
What Open Source Select actually delivers as a sourcing-time control.
Curated component catalog
Vetted list of OSS components developers can pick from, with vulnerability history, license posture, and project hygiene evaluated.
Project hygiene scoring
Maintenance frequency, contributor diversity, vulnerability response time, and provenance signals attached to each catalog entry.
License-clarity evaluation
License obligations, attribution requirements, and compatibility analysis on every catalog component.
Continuous re-evaluation
Catalog entries get re-evaluated as new CVEs surface, project signals shift, or licenses change. Stale entries get demoted.
Turning the catalog into enforceable sourcing decisions.
Catalog-restriction policy
Configurable policy that restricts developers to the catalog for new dependencies. Existing dependencies are grandfathered, so the gate applies to what a change adds, not to what is already in the tree.
Override workflow with audit trail
When a developer needs a library outside the catalog, the override workflow captures rationale, reviewer, and expiry.
PR-time integration
Sourcing-policy enforcement at PR time when new dependencies appear in a manifest change.
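The following is an added illustration of the enforcement mechanics described under catalog-restriction policy, override workflow, and PR-time integration above; it is not Open Source Select's own code or API. It assumes a requirements.txt-style manifest, a constructed catalog in which continuous re-evaluation can leave an entry "demoted", and constructed override records carrying the rationale, reviewer, and expiry the page names. The function names (parse_requirements, new_dependencies, evaluate, gate, passes) are hypothetical. The gate diffs the base and head manifests so existing dependencies are grandfathered, allows only catalog-approved or validly overridden additions, and denies demoted, expired-override, and unknown libraries.

```python
"""PR-time sourcing gate (illustrative; not the vendor's implementation)."""
import re
from datetime import date

# Constructed catalog. "demoted" models an entry that continuous re-evaluation
# pulled after a new CVE, a license change, or a drop in project hygiene.
CATALOG = {
    "requests":   {"status": "approved", "license": "Apache-2.0"},
    "urllib3":    {"status": "approved", "license": "MIT"},
    "leftpad-py": {"status": "demoted",  "reason": "unmaintained, open CVE"},
}

# Constructed override records: rationale, reviewer, and expiry (ISO date).
OVERRIDES = {
    "fancylib": {"rationale": "vendor SDK dependency", "reviewer": "alice", "expires": "2030-01-01"},
    "oldlib":   {"rationale": "legacy module",          "reviewer": "bob",   "expires": "2020-01-01"},
}

# Constructed manifests: the base branch and the PR head.
BASE_REQUIREMENTS = "requests==2.31.0\noldlib==1.0\n"
HEAD_REQUIREMENTS = (
    "requests==2.31.0\noldlib==1.0\n"
    "urllib3>=2.2.1\nleftpad-py==0.1\nfancylib==3.0\nunknownlib==1.0\n"
)


def parse_requirements(text):
    """Minimal requirements.txt parser: name with optional version specifier, '#' comments ignored."""
    deps = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name = re.split(r"[=<>~!]", line, maxsplit=1)[0].strip().lower()
        spec = line[len(name):].strip() or None
        deps[name] = spec
    return deps


def new_dependencies(base_text, head_text):
    """Dependencies on the head that are absent from the base; existing ones are grandfathered."""
    base = parse_requirements(base_text)
    head = parse_requirements(head_text)
    return {name: spec for name, spec in head.items() if name not in base}


def evaluate(name, today):
    """Return (verdict, reason) for one newly added dependency."""
    entry = CATALOG.get(name)
    if entry and entry["status"] == "approved":
        return "allow", "in catalog"
    override = OVERRIDES.get(name)
    if override:
        if date.fromisoformat(override["expires"]) >= today:
            return "allow", (f"override by {override['reviewer']} until "
                             f"{override['expires']}: {override['rationale']}")
        return "deny", f"override expired {override['expires']}; renew via the override workflow"
    if entry:  # present in the catalog but demoted by re-evaluation
        return "deny", f"catalog entry demoted: {entry['reason']}"
    return "deny", "not in catalog; request an override with rationale and reviewer"


def gate(base_text, head_text, today=None):
    """Evaluate every dependency a manifest change adds; returns {name: (verdict, reason)}."""
    today = today or date.today()
    return {name: evaluate(name, today) for name in sorted(new_dependencies(base_text, head_text))}


def passes(verdicts):
    """True when no newly added dependency was denied."""
    return all(verdict == "allow" for verdict, _ in verdicts.values())


if __name__ == "__main__":
    results = gate(BASE_REQUIREMENTS, HEAD_REQUIREMENTS, date(2025, 1, 1))
    for name, (verdict, reason) in results.items():
        print(f"{verdict:5} {name}: {reason}")
    print("PR passes sourcing gate:", passes(results))
```

Note that oldlib is never evaluated even though its override has lapsed: it was already on the base branch, which is the grandfathering behaviour the policy describes. Renewing expired overrides on existing dependencies is a separate re-evaluation task, not a PR-time gate.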
Open Source Select output flowing into the AppSec backlog with the rest of the OpenText AppSec line.
Cross-product correlation with Core SCA
Catalog selection feeds Core SCA detection for layered prevention-plus-detection governance.
Compliance reporting
Audit-ready evidence for OSS-provenance requirements in federal, healthcare, and financial-services programs.
GRC and OSS-license-management integration
Catalog and override data flow into internal GRC platforms.
Where it fits in the stack
Deployment and implementation
Licensing and packaging
Core Open Source Select
Standard SaaS curated-catalog edition.
Best for: Programs adding sourcing-time OSS governance to an existing AppSec footprint.
Core Open Source Select with Core SCA
Bundled with Core SCA for layered sourcing-plus-detection governance.
Best for: Programs running both prevention and detection on OSS risk.
Merito services
Merito sells licenses and the delivery work around them. Pick the service that matches where you are in the lifecycle.
Catalog scoping, catalog-restriction policy design, override workflow setup, CI/CD integration.
OSS sourcing governance scoping for Open Source Select alongside Checkmarx Repository Health and OpenSSF Scorecard.
Sourcing-policy enforcement integrated into PR-time CI and source-control review.
Developer enablement around curated-catalog discipline and override accountability.
Named engineer, priority SLAs, and release-time coverage for Open Source Select.
Long-term run support including catalog-policy maintenance, override-workflow operation, and reporting evolution.
Role-based training for AppSec architects, DevSecOps owners, and engineering leads.
Merito-placed AppSec engineers and OpenText specialists embedded on long-running programs.
OpenText Core Open Source Select licensing
Open Source Select pricing arrives with catalog scoping, catalog-restriction policy design, override-workflow setup, and CI/CD integration that turn sourcing-time curation into enforceable governance rather than a recommendation engine nobody enforces.
Merito point of view
Merito has audited OSS programs that ran rigorous Core SCA detection and never asked which dependencies were entering the tree in the first place. The result is a triage queue that grows faster than it drains. Open Source Select inverts the math by curating the front end: developers pick from a vetted catalog, the dependency surface narrows, and the SCA backlog reflects a smaller, defensible set of libraries.
Merito recommends Open Source Select specifically when the program has the operational maturity to enforce a curated catalog, when regulated workloads require provenance evidence at sourcing time, and when developer enablement is in scope. For programs without the operational maturity to restrict developers to a catalog, Open Source Select still works as a recommendation engine but the discipline is muted. Merito surfaces that during scoping rather than overselling sourcing governance the program will not enforce.
Comparison to Checkmarx Repository Health is honest. Open Source Select takes the curated-catalog shape; Repository Health takes the scoring-engine shape. Same problem from different angles. Programs running OpenText AppSec consolidate on Open Source Select; programs running Checkmarx One consolidate on Repository Health. Both are valid sourcing-time governance.
What buyers usually underestimate
Frequently Asked Questions
Consultation request
Share your OSS sourcing posture and your catalog-discipline ambitions. A Merito OpenText specialist follows up within one business day.
Sourcing-time
Pre-vetted catalog of OSS components. Programs narrow the dependency surface to libraries they are willing to depend on.
Layered with Core SCA
Open Source Select narrows the front-end; Core SCA evaluates the back-end. Detection without prevention is a triage queue that grows.
Next step
A Merito Open Source Select engagement starts with catalog scoping and catalog-restriction policy. Rejecting a dependency at sourcing time is far cheaper than triaging its findings after it is in the build.