Metaport

Releasing a semi-stable version is always a little nerve-wracking, but it's out there now! Here's May's edition of the Metaport Report: https://metaport.kit.com/posts/are-you-ready-for-metaport-1-0-0-rc1-2

Metaport was originally conceived of in agent-based scenarios: Developers install a language-specific plugin; .Net, PHP, Python, or NodeJS, and the agent reports end-of-life and security vulnerabilities to the Metaport Server. However, after talking to several agencies about their own needs, it seems many stumbled on agent use citing C&A and network security hurdles. Therefore, as of last week, Metaport supports data ingest from Github and Gitlab which allows software components to be discovered from Terraform and Helm config files. The full range of software components able to be analysed in Metaport is over 5000 and comprises; Frameworks, Databases, Webservers, Hosts (OS), and Runtimes.

This morning (New Zealand time!) we sent out this month's newsletter which you can read here: https://createsend.com/t/y-9E4E16EFCAE117452540EF23F30FEDED which asks "Are your customers' websites any better maintained than last month? How about last year?" It features: * The scourge of AI-produced ShadowIT (and what to do about it *cough* try Metaport *cough*) * Progress on agent-less data ingest * Changing our messaging - a bit

It means struggle, that's what! When does end-of-support (EOS) meet end-of-life (EOL)? What do both mean for businesses and for customers? https://blog.metaport.sh/p/software-end-of-life-vs-end-of-support

As an agency, having a birds-eye view of your managed apps and sites is gold. The ability to search them for insecure and EOL components is the icing on the cake. But how does data "get in there"? Similar to traditional AppSec tools, Metaport was designed around agents. But we've discovered from our prospects that there's internal pushback on network security grounds for this approach. So we're upping our game and making it even easier to connect production sites and apps to Metaport by pointing it at your Github, Gitlab, and Bitbucket instances. Agents aren't going away, but if repos contain IaC, then that's all Metaport needs.

Having talked to digital agencies extensively, our research tells us that agencies really want to level-up their maintenance reporting and planning. Many are in the fourth and fifth stages of awareness (Solution Awareness and Product Awareness), which means one of two things: 1. Agencies are going to market for products which fill a need. 2. Agencies are rolling their own and calling it a day. In this piece, we explain why in doing 2, agencies will ultimately end up back at 1 in a year or so. In other words, managing your own is a false economy. We'd love to know what you think. https://blog.metaport.sh/p/should-agencies-build-their-own-website

You're on a customer call armed with metrics and stats. But who needed to prep the data for you and how long did it take them? As an account or project manager, what if you just clicked a button to generate a report for you? It would: * Show health standing: "On Track", "Needs Attention", and "At Risk" * Use executive language: Frames website health in customer's terms * Present recommendations: Next steps, when issues are discovered The latest Metaport blog post describes how agencies win by bringing customers with them on the maintenance journey, using website health reports to do it. https://blog.metaport.sh/p/why-health-checks-arent-negotiable

How proactive is your maintenance? Take the agency survey and tell us how you do it: https://getmetaport.com/survey.

We're proud to announce Metaport's new Application Health Report feature! The report is intended for agencies to make informed maintenance decisions about their customers' managed applications. The report shows EOL component expiry dates, SSL certificate expiry dates, and security vulnerability severities. It also shows how the application will be rated in the near future - a real boon for those responsible for planning in your agency. Download an example here: http://getmetaport.com/doc/resources/metaport-health-report-example.pdf See at-a-glance: A health rating (guides urgency/prioritization) Executive summary Maintenance Summary Recommendations Summary

In today's digital age, it’s a given that software and web development agencies of all sizes can deliver valuable solutions to their customers. However, even with the latest technology - AI driven or human - agencies still struggle with what happens after a project is completed. This leads to serious and hidden problems, unexpected costs, and a higher risk of customer churn. The maintenance phase of a software project is cited as being the longest and most expensive part of its lifecycle, with maintenance costs rising, the older the software. But when agencies are similar in terms of quality and price, what sets them apart? This paper looks at the business side of software development in an agency context. It explores how a reactive approach to maintenance hurts agency bottom lines and its relationships with customers. It presents a data-driven approach to turning maintenance into a strength rather than leaving it as a weakness. https://getmetaport.com/doc/resources/the-case-for-metaport.pdf

Web-development agencies suffer problems like any other org. But how many stem from poor portfolio visibility? In this post we argue that without good portfolio visibility, agencies are hampering their own success. https://blog.metaport.sh/p/whats-an-application-portfolio-and

Back in 2021, Chrome browser began defaulting to HTTPS connections. In 2022 opt-in "Always Use Secure Connection" was introduced. Now, in October 2026, that same setting becomes the default. Chrome has the power to change behaviour and there are parallels for software delivery agencies: By expending just a little more effort to engage customers in security & maintenance conversations - earlier. https://blog.metaport.sh/p/why-do-agencies-find-it-so-hard-to

Why SCA, SAST, and SBOMs don't equal EOL planning for digital agencies: https://blog.metaport.sh/p/why-sca-sast-and-sboms-dont-equal

As at January 2026, Metaport now supports .Net apps in addition to Python, PHP, and NodeJS. Take a look at the official agent docs for how to send telemetry to Metaport from an agent: Coming soon is the ability to streamline application on-boarding by removing the need for installing an agent into production apps altogether. We're also producing some great content for digital agencies. So until our next feature announcement, have a squiz at these great resources: > The Agency EOL Guide: https://getmetaport.com/doc/resources/metaport-eol-survival-guide.pdf > EOL Agency Best Practice: https://blog.metaport.sh/p/end-of-life-software-best-practices > The Metaport Report: News from the website maintenance trenches: https://confirmsubscription.com/h/y/C8098BBB7726E89E

Our survey data tells us dev-shops make solid use of developer tools like Renovate and Dependabot. Well, besides going through the backlog and nailing a ton of issues, we've also added Dependabot support. Metaport can now source its dependency and vulnerability data from agents, an instance of DependencyTrack and now Dependabot. Dependabot is only available to SaaS customers once the SaaS is live. Do you want to know when the SaaS will be available? Just head to the pricing section at https://getmetaport.com/ and hit the "Get Started" button.