And understanding why that distinction matters is the difference between governing your software supply chain and assuming someone else already did.

If you use JFrog Artifactory, there is a reasonable chance you have run across both of these names recently: JFrog Curation and ActiveState Curated Catalog. Similar words. Very different places in your software supply chain. The confusion between them is not academic. If your team assumes they solve the same problem, one of them does not get deployed, and the gap that remains is exactly where the risk hides. 

This is not a competitive story. JFrog Curation and ActiveState Curated Catalog are not alternatives. They operate at different layers of your software supply chain, they solve different problems, and when both are in place, they form a defense that neither provides alone.

Here is how they actually work, where each one starts, and why the distinction between policy and source is the one your security team needs to understand before your next AI-generated dependency makes that decision for you.

Key Takeaways: 

  • JFrog Curation and ActiveState Curated Catalog solve different problems at different layers of your software supply chain. JFrog Curation governs policy at the point of distribution. ActiveState Curated Catalog delivers secure, built-from-source open source components, upstream, before it ever reaches Artifactory.
  • Together, they close the loop: ActiveState controls the source, JFrog controls the flow, and your developers and AI agents pull from verified, policy-governed components by default. Either solution alone leaves part of the chain unaddressed.
  • While scanners are a required part of the tech stack for software development, that’s no longer the gold standard for determining your security posture. Documented, verifiable, contractually backed provenance is. That is what this stack delivers.

What JFrog Curation Does

JFrog Curation operates as the first line of defense in securing an organization’s software supply chain, operating at the package acquisition stage to prevent risky dependencies from entering repositories before they’re even used in development, testing, or production. When a developer or AI coding assistant requests an open source package, Curation intercepts that request at the Artifactory layer and evaluates it against the security policies your team has defined. Packages flagged for known CVEs, license violations, or other policy criteria can be blocked before they reach the developer.

That is a meaningful control. Centralizing artifact management through Artifactory and adding policy enforcement at that layer is a defensible security posture. Your team defines the rules. Curation enforces them at the point of consumption.

The question Curation does not answer is: what is the package made of, and how was it built? Curation evaluates packages that already exist. It does not control how they were constructed, whether their build environment was compromised, or whether the source code they were compiled from matches what the maintainer intended to publish. That is not a criticism of Curation. It is a scope definition. Curation governs policy at distribution. It does not govern provenance at origin.

Policy enforcement at the point of distribution is necessary. It is not sufficient. Security has to start earlier than that.

What ActiveState Curated Catalog Does

ActiveState Curated Catalog operates upstream of JFrog Curation. Before any package is ever evaluated by your policy rules, ActiveState has already controlled what that package is made of.

Every component in the ActiveState Curated Catalog is built from source in a SLSA Level 3 environment. That means ActiveState pulls the original source code, compiles it in a secure, auditable build environment, and produces a binary that can be cryptographically verified back to its origin. No pre-built binaries of unknown provenance. No inherited trust in what a third-party maintainer published to PyPI or npm. The artifact your developer receives is one ActiveState built, attested, and can account for.

Every component in the ActiveState Curated Catalog is:

  • Scanned for CVEs and malware before it enters the library.
  • Built from source in SLSA Level 3 infrastructure with full build-level provenance attached to every artifact.
  • Continuously monitored and remediated when community-approved fixes are available, under contractual SLAs: 5 business days for critical CVEs, 10 for highs, 30 for all others.
  • Blocked and quarantined at the library level if identified as malicious, before it ever reaches your Artifactory instance or your developers.

The Curated Catalog integrates natively with JFrog Artifactory. Instead of Artifactory proxying PyPI, npm, or Maven Central, it proxies the ActiveState library. Developers still use pip, npm, Maven, or whatever package manager their project calls for. The request still goes to Artifactory. What resolves on the other end is a component ActiveState built and verified, not whatever the public registry happened to be serving that morning.

Policy vs. Source: Why the Distinction Matters

JFrog Curation answers the question: does this package meet our policy? ActiveState answers the question: is this package actually what it claims to be?

Both questions matter. Neither answer substitutes for the other.

A package can pass every policy rule in JFrog Curation and still contain a compromised build. If an upstream maintainer’s release pipeline was infiltrated, the published binary on PyPI reflects that compromise. Curation evaluates the package’s metadata and known vulnerability data. It does not re-examine how the binary was produced.

Conversely, ActiveState controls the build and the provenance, but your organization still needs the policy layer Curation provides. Which components are approved for use? Which licenses are acceptable? Which packages are too risky regardless of build integrity? Those are governance decisions that belong in JFrog Curation, sitting at the distribution layer where your team can set and enforce them.

Source integrity without policy enforcement leaves decisions to developers. Policy enforcement without source integrity leaves trust in the hands of public registry maintainers. Your software supply chain needs both.

When ActiveState Curated Catalog feeds JFrog Artifactory, and JFrog Curation applies your policy rules to what flows through it, you have addressed both questions. The components entering your environment were built by ActiveState from a verified source. The components reaching your developers have passed your organization’s policy gate. That is a complete loop. Either solution alone is not.

Where This Gets Urgent: AI Code Generation

The reason this distinction matters more now than it did 2 years ago is AI code generation.

AI coding assistants do not consult CVE databases. They do not evaluate build provenance or maintainer reputation. They optimize for speed and functional fit. When an AI agent generates a Python script and suggests a dependency, it is looking for a package that satisfies the functional requirement. It is not asking whether that package was built in a verifiable environment or whether the release pipeline was intact when it was published.

With developers using AI coding assistants, your open source dependency graph is compounding at machine speed. The industry average time to remediate a critical CVE is 60+ days. In an AI-assisted development environment, the attack surface created in 60 days is not comparable to what it was when developers were pulling dependencies manually.

JFrog Curation intercepts AI-generated dependency requests at the distribution layer and applies your policy rules. That is the right control at that layer. But if Artifactory is proxying a public registry, the package Curation is evaluating was still produced by a build process neither your team nor JFrog controls.

When ActiveState Curated Catalog is upstream, the AI agent’s request resolves to a component ActiveState built from source. Curation then applies your policy rules to a package with verified provenance. Both controls are operating. Neither is compensating for the absence of the other.

AI-generated code is moving faster than any human team can manually vet. The only governance model that keeps pace is one that operates at the source and at the point of consumption simultaneously.

What the Full Stack Looks Like

When ActiveState Curated Catalog and JFrog Artifactory are deployed together, your open source software security model looks like this:

  • ActiveState builds from source. Every component in the Curated Catalog is compiled in a SLSA Level 3 environment, scanned, and attested. Malicious packages never enter the library.
  • ActiveState feeds Artifactory. The Curated Catalog integrates natively as the upstream source for your Artifactory virtual repositories. Developers and AI agents pull from a governed, verified source instead of a public registry.
  • JFrog Curation enforces your policy. Curation evaluates what flows through Artifactory against your organization’s security and license policies. Components that do not meet your standards do not reach developers.
  • ActiveState remediates continuously. When a new CVE is discovered or a community fix is released, ActiveState rebuilds the affected component from source and delivers the updated version through the same pipeline. Your SLA is 5 business days for critical CVEs, not the industry average of 60 days.
  • Every artifact ships with full provenance. Every component that reaches your developers carries an immutable record of what it is, where it came from, and when it was last verified. Audit readiness is a default, not a last-minute scramble.

Your security team sets policy. ActiveState controls the source. JFrog controls the flow. Developers get what they need without friction. AI agents draw from verified components by default. And when the board asks how a vulnerable package made it into production, the answer is that it did not, because both controls were in place.

The Board-Level Question

When a breach occurs and regulators or your board ask how an unvetted open source component made it into production, two answers are available to you.

The first: we had a scanner, and we had policy rules. We evaluated packages at the distribution layer. We did not control how they were built.

The second: every component that entered our environment was built from verified source by ActiveState. Every component that reached our developers passed our policy rules in JFrog Curation. Every critical CVE was remediated within 5 business days. Our AI agents pulled from governed, approved sources. We have the provenance and the audit trail to prove all of it.

In the 2026 regulatory environment, the first answer is not a sufficient legal defense. The second one is.

That is what JFrog Curation and ActiveState Curated Catalog deliver together: not just better tooling, but a documented, verifiable, contractually backed open source software security posture. One that protects your organization and, when it matters most, protects you personally.

Two Products. One Complete Software Supply Chain.

JFrog Curation and ActiveState Curated Catalog are not the same thing. They were never meant to be. One governs what your developers can access. The other controls the known-good components that should even be available as options. Together, they cover a good portion of your software supply chain from the point of origin to the developer’s machine.

If you are running JFrog Artifactory today and relying on public registries as your upstream source, you have the distribution layer covered. The source layer is still open.

That is the gap ActiveState was built to close.

To see how ActiveState Curated Catalog integrates with your JFrog Artifactory deployment, schedule a demo with us.

Frequently Asked Questions

JFrog Curation evaluates packages against your policy rules at the distribution layer. It tells you whether a package meets your standards. It does not control how that package was built or whether the build environment that produced it was compromised. ActiveState Curated Catalog is the upstream layer: every component is built from source by ActiveState in a SLSA Level 3 environment before it ever reaches Artifactory. Curation then applies your policy rules to a package with verified provenance. One without the other leaves either the source layer or the policy layer unaddressed.

No. The Curated Catalog integrates natively with JFrog Artifactory as the upstream source for your virtual repositories. Developers continue using the same package managers they already use: pip, npm, Maven, and others. The request still goes to Artifactory. What resolves on the other end is a component ActiveState built and verified instead of whatever the public registry happened to be serving. No new tooling. No new portals. No workflow changes.

The ActiveState library covers 79 million components across 12 major language ecosystems, including Python, Java, C#, C++, Go, Rust, R, and Perl, with full transitive and OS-level dependency coverage. If your development environment extends beyond a single language ecosystem, that breadth matters. A solution that covers only one language leaves the rest of your stack exposed.

AI coding assistants do not evaluate build provenance, maintainer reputation, or CVE status. They optimize for functional fit. If your Artifactory instance is proxying a public registry, an AI-generated dependency request resolves to whatever that registry serves. When ActiveState Curated Catalog is upstream, the AI agent's request resolves to a component ActiveState built from source. JFrog Curation then applies your policy rules to that component. The governance is embedded at the point of consumption, which is the only place it can realistically keep pace with AI-generated code volume.

ActiveState monitors every component in the Curated Catalog continuously. When a new CVE is identified or a community-approved fix is released, ActiveState rebuilds the affected component from source in its SLSA Level 3 environment and delivers the updated version through the same pipeline your team already uses. The contractual SLAs are 5 business days for critical CVEs, 10 for highs, and 30 for all others. The industry average time to remediate a critical CVE is 60 days. Your team does not manage the rebuild cycle. ActiveState does.