Key takeaways

  1. A curated open source catalog gives organizations a private, vetted source of packages that have been rebuilt from source, scanned, signed, and continuously maintained.

  2. Unlike public registries and traditional artifact repositories, curated catalogs reduce risk across the entire dependency tree, including transitive dependencies.

  3. Curated catalogs are particularly valuable for AI-generated code workflows, where hallucinated package names and outdated dependencies can introduce major supply chain risks.

  4. ActiveState’s Curated Catalog combines built-from-source packages, signed SBOMs, automated remediation, and continuous monitoring to reduce vulnerability exposure and speed up compliance.

Most organizations still treat software security like a cleanup exercise.

They scan packages after they are installed. They investigate vulnerabilities after code has already been written. And they wait for a CVE to become urgent before they start looking for a fix.

That approach is becoming harder to sustain.

Modern software environments contain thousands of open source packages, nested dependencies, unknown licenses, and aging components that have accumulated over years of development. In fact, it’s reported that 86% of codebases have open source software vulnerabilities while 81% have high- or critical-risk vulnerabilities. 

Add AI coding assistants into the mix and the problem grows even faster. Developers can now generate code and install dependencies in seconds, while security teams are left sorting through the fallout later.

The better approach is to start secure.

Starting secure means managing upstream risk before packages ever reach developers, CI/CD pipelines, or production environments. It means making package vetting, remediation, provenance, and maintenance part of your standard operating procedure rather than treating them as downstream security tasks.

The ActiveState Curated Catalog is built around this philosophy.

Instead of pulling unknown binaries from public repositories and hoping scanners catch issues later, organizations can begin with a trusted catalog of built-from-source, scanned, signed, and continuously maintained packages.

What is the ActiveState Curated Catalog?

The ActiveState Curated Catalog is a private repository of vetted open source components selected from the broader ActiveState Library, which contains more than 79 million packages and dependencies. 

It’s designed to help organizations reduce the risks associated with public package registries, transitive dependencies, AI-generated code, and software supply chain attacks.

Unlike public repositories such as PyPI or npm, the Curated Catalog does not simply mirror or proxy upstream packages. Every package in the catalog is built-from-source by ActiveState, scanned, signed, and continuously monitored before it becomes available for developers to use.

This gives organizations:

  • Trusted package provenance
  • Full visibility into transitive dependencies
  • Native SBOM generation
  • License compliance enforcement
  • Faster remediation for newly disclosed CVEs
  • Protection against malicious or hallucinated packages

When new vulnerabilities are discovered, ActiveState also operates under strict remediation SLAs for managed components. Critical CVEs are addressed within five business days, while high-severity CVEs are addressed within 10 business days, provided an upstream fix is available.

The result is a software supply chain for open source that is more secure, more auditable, and easier to govern than relying on public registries alone.

How does curated catalog vetting work?

Curated catalog vetting is a continuous lifecycle (rather than a one-time package scan) that starts with package ingestion and continues through build, validation, deployment, and ongoing maintenance.

The process begins when a package is nominated for inclusion in the catalog. This can happen because ActiveState’s internal curation team identifies a commonly used package from upstream registries such as PyPI, npm, or CPAN, or because a customer specifically requests it.

Once a package is selected, ActiveState pulls the package and its full dependency graph, including all transitive dependencies and pinned versions.

This matters because most software supply chain incidents do not come from direct dependencies. They come from packages buried several layers down the dependency tree.

Instead of redistributing the original upstream binary, ActiveState builds the package from source in a hermetic build environment. This means every package is compiled using ActiveState’s own controlled toolchain rather than an unknown maintainer’s build system.

Making the build process reproducible

Given the same source code and environment inputs, the same output artifact is produced every time. Build metadata such as compiler flags, operating system details, toolchain versions, and dependency information are recorded and attached to the artifact.

Once the package has passed validation, ActiveState signs the artifact using a cryptographic attestation chain. This creates a verifiable record of provenance and supports alignment with frameworks such as SLSA.

The process does not stop after deployment, either. Continuous monitoring watches upstream registries for:

  • New package releases
  • Newly disclosed CVEs
  • Patch availability
  • License changes
  • Dependency updates

When a vulnerability is disclosed against a cataloged package, ActiveState automatically triggers a remediation workflow and patched versions are rebuilt, rescanned, and made available through the catalog.

This is one of the biggest differences between a curated catalog and a traditional one-time scan. Rather than finding issues and leaving teams to figure out the next step, the catalog continuously delivers remediated packages that are ready to use.

In other words, maintenance becomes part of the operating model. Teams are not just identifying risk. They are reducing it continuously through built-from-source packages, proactive monitoring, and upstream remediation.

What vulnerabilities does the catalog address?

The Curated Catalog is specifically designed to address the types of software supply chain risks that public registries and basic scanners often miss.

Transitive dependency compromise

Most high-profile incidents (including Log4Shell and XZ Utils backdoor) entered environments through indirect dependencies rather than packages developers intentionally installed.

The Curated Catalog scans and rebuilds the full dependency graph, giving teams visibility into every layer of the stack.

Malicious package injection and typosquatting

Public registries are open publishing environments. Attackers can upload packages with names that are only one character away from legitimate projects.

Because the Curated Catalog operates as an allow-list, only vetted packages are installable inside catalog-governed environments.

Build-time tampering

When developers install packages from public registries, they’re often installing binaries built on infrastructure they know nothing about.

If a maintainer account or CI system is compromised, malicious code can be introduced during the build process without appearing in the source code itself.

By building from source in a controlled environment, ActiveState ensures the installed artifact matches the code that was scanned.

AI-generated code risks

AI coding assistants such as GitHub Copilot and Cursor can hallucinate package names, recommend outdated libraries, or suggest versions with known vulnerabilities.

In a catalog-governed workflow, only approved packages and versions can be installed by the AI coding assistant. This creates a guardrail against risky AI-generated dependency choices.

License risk and compliance drift

Automated license analysis surfaces problematic licenses before packages reach production, helping organizations avoid accidental GPL or AGPL exposure.

How do curated catalogs compare to traditional package repositories?

Public repositories such as PyPI and npm are designed for openness and convenience. They allow anyone to publish packages and make it easy for developers to install dependencies quickly.

This is all well and good, but they do not provide built-in vulnerability scanning, provenance validation, or license enforcement.

Enterprise artifact repositories such as JFrog Artifactory and Sonatype Nexus add more control. They cache packages locally, improve reliability, enforce access policies, and can integrate with security scanners.

However, these too rely on the same upstream binaries published to public registries.

The ActiveState Curated Catalog takes a different approach

Rather than replacing artifact repositories, the ActiveState Curated Catalog strengthens repositories by improving the quality and trustworthiness of the packages flowing through them. 

Instead of pulling directly from public registries, those tools pull from the ActiveState Curated Catalog as an upstream source. This means teams still benefit from all of the workflow, caching, access control, and distribution capabilities of their existing artifact repository, but with packages that have already been rebuilt from source, scanned, signed, and continuously maintained.

One of the most important distinctions is that artifact repositories are still fundamentally caching proxies. They help teams manage package delivery, but they do not fundamentally change the trustworthiness of the package itself. The Curated Catalog improves that trust layer by ensuring the packages entering those repositories are vetted, governed, and easier to remediate over time.

When should organizations use curated catalogs?

Organizations should use curated catalogs any time they rely on open source software.

Public registries may be fast and convenient, but they weren’t designed to reduce attack surface, enforce governance, or maintain long-term security posture. As open source dependency trees grow larger and more complex, then, it becomes increasingly difficult to manage provenance, remediation, license compliance, and transitive risk without a curated approach.

If organizations want to reduce their attack vector and maintain a stronger security posture over time, they need a trusted source of packages that have already been vetted, rebuilt, scanned, signed, and continuously maintained. 

Curated catalogs provide exactly that. 

How else are you going to reduce your attack vector and maintain your security posture?

This is particularly important for:

  • Teams adopting AI coding assistants
  • Regulated industries such as healthcare, financial services, government, and defense
  • Organizations struggling with vulnerability backlogs
  • Teams that need better control over open source licenses
  • Companies trying to reduce exposure to software supply chain attacks

1. When AI-generated code is becoming part of the development process

As developers rely more heavily on AI coding assistants, the risk of hallucinated or vulnerable dependencies increases. A curated catalog creates a policy-driven boundary around what can be installed.

2. When compliance and audit readiness matter

Organizations in healthcare, financial services, government, and defense often need to prove software provenance and generate SBOMs for audits. A curated catalog makes this much easier by automatically generating signed SBOMs and maintaining a complete attestation chain.

3. When teams are overwhelmed by vulnerability backlogs

Many organizations know where their vulnerabilities are, but they do not have the resources to remediate them quickly. A curated catalog reduces the burden by providing pre-remediated package versions and continuous updates.

4. When organizations need stronger control over open source licenses

As dependency trees grow, it becomes increasingly difficult to track restrictive licenses manually. Curated catalogs help prevent unwanted licenses from entering production environments.

5. When software supply chain attacks are becoming a board-level concern

Incidents such as SolarWinds attack, Log4Shell, and XZ Utils have made software provenance a major business issue. Curated catalogs help organizations reduce exposure before those packages ever enter their environments.

A quick guide to Curated Catalog implementation

Implementing a curated catalog does not require organizations to rebuild their entire development workflow. In most environments, the catalog sits behind an existing artifact repository or package management workflow so that it doesn’t interrupt or interfere with existing ways developers are working.

Instead of pointing package managers directly at public registries, teams point their artifact repository to the Curated Catalog as the upstream source.

Developers and CI/CD pipelines can continue working the same way they do today, but they are now pulling from a trusted source.

This improves security posture without disrupting developer velocity.

Step 1: Connect the catalog to the artifact repository

Most organizations already use an internal artifact repository such as JFrog Artifactory or Sonatype Nexus. The first step is to configure that repository to pull packages from the ActiveState Curated Catalog rather than directly from the open internet.

Step 2: Define package governance policies

Organizations should establish policies around:

  • Approved package sources
  • Allowed license types
  • Automatic versus manual remediation updates
  • Who can request new packages
  • Which teams can approve changes

Step 3: Integrate with CI/CD pipelines

One of the biggest advantages of the Curated Catalog is that it does not require major changes to CI/CD workflows.

Pipelines continue to pull dependencies the same way they always have. The difference is that they’re now pulling trusted, built-from-source artifacts rather than unverified upstream binaries.

Step 4: Monitor security feeds and remediation updates

ActiveState’s security feed gives teams visibility into newly disclosed CVEs, impacted environments, available fixes, and remediation timelines.

Organizations can decide whether updates should auto-promote or require human approval before deployment.

Step 5: Measure success over time

Teams should track:

  • Number of known vulnerabilities in production
  • Average remediation time
  • Percentage of dependencies with signed SBOMs
  • Number of blocked license violations
  • Percentage of dependencies sourced from approved repositories

The goal is not just to scan for more issues. It is to reduce the number of risky packages entering environments in the first place.

THE 2026 STATE OF VULNERABILITY MANAGEMENT | CONTAINER SECURITY EDITION

Container adoption is accelerating faster than security maturity. This report reveals where container security is breaking down and what leading teams are doing differently in 2026.
DOWNLOAD THE REPORT

Exploring the real-world impact of Curated Catalogs

Organizations that move from ad hoc package installation to a curated catalog model often see improvements across security, operations, compliance, and so much more.

Many customers experience a reduction in known vulnerabilities because they are no longer building environments from years of unmanaged pip install or npm install activity. What’s more, remediation speed also improves significantly.

The industry benchmark for enterprise vulnerability remediation is often between 60 and 90 days. With a curated catalog, patched versions can be rebuilt and made available in days or even hours.

In practice, this means organizations can often access a remediated package before their internal change management process is complete.

The catalog also helps compliance-heavy organizations reduce manual audit preparation work.

For teams in healthcare, financial services, government, and defense, for example, proving software provenance is often a major burden. Generating SBOMs, tracing dependency histories, and documenting licenses can require weeks of effort.

The Curated Catalog transforms this into an on-demand process, allowing organizations to generate reports that show:

  • Which packages are in an environment
  • Where those packages came from
  • Which licenses are attached
  • Whether known vulnerabilities exist
  • Which remediation actions have been taken

Curated Catalog best practices and common pitfalls

One common mistake is treating a curated catalog like a basic scanner.

The value of the catalog is not just that it finds vulnerabilities. The value is that it gives teams a trusted source of packages that are continuously built-from-source, maintained, and remediated.

Another mistake is allowing too many exceptions. If developers can easily bypass the catalog and pull packages directly from public registries, the security model breaks down quickly.

Organizations should therefore create clear rules around package sourcing and make it easy for developers to request additions when they need them. Additionally, teams should also avoid focusing only on direct dependencies.

Transitive dependencies are where many of the biggest supply chain risks live. Any implementation strategy should prioritize full dependency graph visibility and policy enforcement.

Finally, it’s important to avoid treating remediation as a separate process. The strongest programs integrate remediation directly into their standard operating procedures, which means:

  • Monitoring security feeds regularly
  • Defining approval workflows for package updates
  • Automating remediation where possible
  • Tracking remediation SLAs
  • Making software provenance part of procurement and development decisions

The ActiveState Edge

Visibility and detection do not reduce risk on their own.

If your approach depends on chasing dependencies, waiting for disclosures, and coordinating manual fixes, you are operating with delays that attackers do not have.

The ActiveState Curated Catalog gives organizations a way to take back control.

Instead of relying on unknown binaries from public registries, teams can build from a private repository of rebuilt, signed, and continuously maintained packages.

That means stronger provenance, faster remediation, cleaner compliance, and fewer surprises hidden inside dependency trees.

It also means developers can move quickly without creating new risks for security teams to clean up later.

  • Reclaim Engineering Time: Save 4-8 hours per developer for every CVE avoided. By preventing late-stage security fires, teams stay focused on shipping features.
  • Strengthen Supply Chain Integrity: Achieve near 100% protection from attacks at the build and distribution levels.
  • Seamless Governance: Standardize versioning and licensing rules across the entire organization without forcing developers to learn new tools.

If you want to learn more about how ActiveState can help you reduce software supply chain risk with a curated catalog, contact one of our experts.

Explore the ActiveState Curated Catalog

Starting secure is better than chasing risk later on

Most organizations already know they have vulnerabilities, outdated dependencies, and license exposure somewhere in their environments. The real challenge, however, is that they’re still trying to solve those problems after risky packages have already entered the software lifecycle.

That approach is difficult to scale, as we’ve previously established. The better approach to complete security, then, is to instead start out with completely secure open source components.

A curated catalog gives organizations exactly this. It’s a way to reduce risk before it spreads by ensuring developers only work with packages that have already been vetted, rebuilt, scanned, signed, and continuously maintained. So, instead of spending time chasing vulnerabilities downstream, teams can build from a trusted foundation upstream. That means fewer surprises, faster remediation, stronger compliance, and a more resilient software supply chain overall.

Contact us today to see the Curated Catalog in action.

Frequently asked questions

A curated open source catalog is a governed repository of vetted packages that have been rebuilt, scanned, signed, and continuously maintained before developers can install them.

Curated catalogs improve security by rebuilding packages from source, scanning transitive dependencies, generating SBOMs, and blocking malicious or unapproved packages.

JFrog Artifactory is primarily a caching proxy for upstream packages, while a curated catalog provides built-from-source, vetted packages with verified provenance.

Yes. Curated catalogs create an allow-list of approved packages and versions, preventing developers from installing hallucinated or vulnerable dependencies suggested by AI coding assistants.

Yes. ActiveState generates native SBOMs for cataloged packages, giving organizations visibility into dependencies, licenses, vulnerabilities, and provenance.

Organizations in healthcare, financial services, government, defense, and other regulated industries benefit most because they often need stronger compliance, provenance, and remediation capabilities.