For years, security and engineering leaders have been forced to choose between two extremes: allow developers “wild west” access to public registries to maintain speed, or impose rigid, manual review processes that grind innovation to a halt.

Until now. 

Today, we are changing that. We are thrilled to announce the launch of the ActiveState Curated Catalog – a private, vetted repository of open source components that allows your teams to build safely from the start, without scouring the open internet.

Curated Catalog Key Takeaways

  • The current process of allowing developers to pull open source packages and containers from the open internet is inherently risky to your security posture. Unmanaged open source – including dependencies – is a key attack vector. 
  • Companies can prevent unwanted CVEs by implementing a curated catalog: a pre-vetted repository of secure-by-default open source, so you can build software securely from the start. 
  • ActiveState’s Curated Catalog works seamlessly with existing development processes, injecting secure open source into workflows and tools your developers already use, such as artifact repositories. 
  • Curated catalogs help DevSecOps teams reclaim developer time and companies improve security posture.

Why Curation is No Longer Optional

Modern software is built on code your developers didn’t write. While open source accelerates innovation, unmanaged dependencies have become the primary vector for supply chain attacks and legal exposure. With over 90% of applications containing outdated or unmaintained components, the “scan and patch” model is failing. Leaders need a way to move security further upstream, transforming open source security from a reactive hurdle into a proactive advantage.

What is the ActiveState Curated Catalog?

The ActiveState Curated Catalog is a filtered, premium collection containing only the open source components your teams need, along with their verified dependencies. It acts as a single source of truth for your organization. By replacing public registries (like PyPI, Maven, or npm) with a secure ActiveState URL, you provide your team with a pre-vetted toolkit that works seamlessly with your existing CI/CD pipelines.

Key Features of the ActiveState Curated Catalog

  • Vetted Repository Access: A private collection of components that have already passed security, compliance, and quality gates.
  • Seamless Compatibility with Existing Tools and Workflows: Works with popular repositories like JFrog Artifactory, Sonatype Nexus, and AWS CodeArtifact so your developers don’t need to adjust their current way of operating.
  • Built From Source: We manage the build pipeline. Every component is built from source on our secure SLSA level 3 build infrastructure.
  • Component-Level Security Feed: Receive daily intelligence updates on every component in your stack, alerting you only when it matters.
  • Continuous Remediation: When the community releases a fix, we automatically rebuild the component and publish it to your catalog, within an industry-leading SLA (5 business days for critical, 10 business days for high CVEs).
  • Multi-Language Ecosystems: Support for Python, Java, JavaScript, R, and more, all managed within a single operational framework.

Key Benefits: Strategic Outcomes for Your Business

  • Reclaim Engineering Time: Save 4-8 hours per developer for every CVE avoided. By preventing late-stage security fires, teams stay focused on shipping features.
  • Strengthen Supply Chain Integrity: Achieve near 100% protection from attacks at the build and distribution levels.
  • Seamless Governance: Standardize versioning and licensing rules across the entire organization without forcing developers to learn new tools.

Ready to Secure Your Supply Chain?

Stop chasing CVEs and start preventing them. Empower your engineers to build with the best of open source, backed by the trust and expertise of ActiveState.

Contact Us Today to See the Curated Catalog in Action

FAQs

The Curated Catalog is designed to slide into your current workflow. It works natively with artifact managers like JFrog Artifactory, Sonatype Nexus, and AWS CodeArtifact, acting as a trusted upstream source.

Quite the opposite. Developers continue using their native package managers (pip, npm, etc.). Because the components are pre-vetted, they spend less time waiting for manual security approvals and less time on emergency CVE cleanup.

The catalog supports 12 language ecosystems, including Python, Java, JavaScript, C Libraries, and R, providing a unified solution for engineering teams using multiple open source languages.

ActiveState operates under strict SLAs for managed components: 5 business days for critical CVEs and 10 business days for high CVEs, provided a fix is available upstream.

Scanners find problems after they are already in your code. The Curated Catalog is a preventative solution that ensures only secure, approved components are available to be pulled in the first place.

Yes. Building from source ensures that the binary you are using hasn't been tampered with at the distribution level and provides the transparency required for high-integrity software supply chains.