# ActiveState > ActiveState provides the world's largest library of secure, built-from-source open source components, 79M+ vetted artifacts across 12 language ecosystems, delivered through a Curated Catalog to enterprises worldwide. Founded in 1997, ActiveState governs open source at the point of ingestion: every component is built from verified source code in a SLSA Level 3 environment, scanned for CVEs and malware, shipped with a signed SBOM, and remediated under contractual SLAs. The platform integrates with the artifact repositories, package managers, and AI coding assistants development teams already use with zero workflow disruption. ActiveState's core thesis: AI coding assistants are accelerating open source consumption faster than scan-based security programs can keep pace. The solution is governance at the point of ingestion, curating and governing what enters the environment before it reaches developers rather than scanning and remediating after the fact. This is the distinction between "Scan and Pray" (reactive) and "Curate and Govern" (proactive). Contact / inquiries: https://www.activestate.com/company/contact-us --- ## Products ### Curated Catalog https://www.activestate.com/curated-catalog The core ActiveState product. A private, vetted catalog of open source components that security teams curate and developers pull from instead of public registries. Every component is built from source in SLSA Level 3 infrastructure, scanned for CVEs and malware across the full transitive dependency tree, and continuously monitored. When a community-approved fix is available, ActiveState rebuilds and republishes automatically. Integrates natively with JFrog Artifactory, Sonatype Nexus, AWS CodeArtifact, GitHub Packages, and native package managers (pip, npm, Maven). Key metrics: - ~95% fewer CVEs vs. same components from public registries - ~68% reduction in scanner noise via VEX data on every component - 5 business days to remediate Critical CVEs (contractual SLA) - 10 business days to remediate High CVEs (contractual SLA) - 30 business days for all other CVEs (contractual SLA) - SLA clock starts when a community-approved fix is available upstream - 30% developer time reclaimed from CVE triage and manual patching - 79M+ components across 12 language ecosystems ### ActiveState Library https://www.activestate.com/activestate-library The underlying component library powering the Curated Catalog. 79M+ open source components built from source, covering all direct, transitive, and OS-level dependencies. Continuously scanned and updated. ### Secure Containers https://www.activestate.com/secure-containers Low-to-no CVE container images for popular open source languages and applications. Custom container images available. --- ## Solutions ### For Security Teams https://www.activestate.com/for-security-teams Addresses: allow list enforcement at the point of ingestion, provenance chain for CVE response, SBOM generation by default, audit-ready compliance documentation, ~68% scanner noise reduction, security feed independent of NIST NVD enrichment status. ### For Engineering Leaders https://www.activestate.com/for-engineering-teams Addresses: elimination of late-sprint CVE surprises, reclaiming 4–8 hours of developer time per CVE, paved road to production, no workflow changes for developers, remediation burden moves to contractual SLA. ### For Developers https://www.activestate.com/for-developers Addresses: same package managers (pip, npm, Maven), same AI coding assistant workflows, drop-in compatible components, no builds blocked by CVEs in ungoverned dependencies. --- ## Use Cases ### Vulnerability Management https://www.activestate.com/vulnerability-management Open source vulnerability management. Proactive CVE prevention at ingestion, continuous monitoring, contractual remediation SLAs. Replaces manual triage with automated governance. ### Software Supply Chain Security https://www.activestate.com/software-supply-chain-security End-to-end software supply chain security. SLSA Level 3 build provenance, signed attestations, malware scanning, governance over AI-suggested dependencies. ### Compliance & SBOM https://www.activestate.com/compliance-sbom Automatic SBOM generation (SPDX and CycloneDX) with every component. Satisfies EU Cyber Resilience Act (Phase 1: September 2026, Phase 2: December 2027), EO 14028, SSDF, and SEC cybersecurity disclosure requirements. Provenance chain available on demand for auditors, regulators, and boards. --- ## Supported Languages https://www.activestate.com/supported-languages | Language | Page | |---|---| | Python | https://www.activestate.com/platform/supported-languages/python | | Java | https://www.activestate.com/platform/supported-languages/java | | JavaScript (npm) | https://www.activestate.com/platform/supported-languages/javascript | | Go | https://www.activestate.com/platform/supported-languages/go | | R | https://www.activestate.com/platform/supported-languages/r | | C | https://www.activestate.com/platform/supported-languages/c | | C++ | https://www.activestate.com/platform/supported-languages/c | | Rust | https://www.activestate.com/platform/supported-languages/rust | | .NET | https://www.activestate.com/platform/supported-languages/net | | Perl | https://www.activestate.com/platform/supported-languages/legacy-languages | | Tcl | https://www.activestate.com/platform/supported-languages/legacy-languages | | Ruby | https://www.activestate.com/platform/supported-languages/legacy-languages | Legacy language support (Perl, Tcl, Ruby): https://www.activestate.com/platform/supported-languages/legacy-languages --- ## Integrations https://www.activestate.com/integrations ### Artifact Repositories - JFrog Artifactory: https://www.activestate.com/platform/integrations/jfrog-artifactory - Sonatype Nexus: https://www.activestate.com/platform/integrations/sonatype-nexus - AWS CodeArtifact: supported (no dedicated page) - GitHub Packages: supported (no dedicated page) ### Security Tools - Trivy: https://www.activestate.com/platform/integrations/trivy - Wiz: https://www.activestate.com/platform/integrations/wiz ### Infrastructure - Kubernetes: https://www.activestate.com/platform/integrations/kubernetes - Cloudera: https://www.activestate.com/platform/integrations/cloudera - CI/CD Pipelines: https://www.activestate.com/platform/integrations/ci-cd-pipelines - IDEs: https://www.activestate.com/platform/integrations/ides ### AI Coding Assistants The Curated Catalog governs AI coding assistant dependency requests at the point of ingestion. Compatible with: Cursor, Claude Code, GitLab Duo, Tabnine, Windsurf, JetBrains AI. When an AI assistant requests a package, it resolves from the governed catalog rather than a public registry. --- ## Company ### About https://www.activestate.com/company/about-us Founded: 1997. Headquarters: 500-666 Burrard Street, Vancouver, BC, Canada, V6C 3P6. Remote-first company. 25+ years securing open source for the enterprise. Leadership: - Abby Kearns — Chief Executive Officer - Jacqueline Winter — Chief Financial Officer & Chief Information Security Officer - Steve Ruggieri — Chief Revenue Officer - Allyson Barr — Chief Marketing Officer - Eric Thompson — VP of Engineering - Moris Chen — Vice President of Customer Success ### Why ActiveState https://www.activestate.com/why-activestate Trusted open source for the AI coding era. Differentiators: built-from-source (not redistributed binaries), SLSA Level 3 provenance, contractual remediation SLAs, full transitive dependency coverage, continuous monitoring independent of NIST NVD enrichment. ### Partners https://www.activestate.com/partners Partner program for resellers and technology partners bringing secure open source governance to customers. ### Careers https://www.activestate.com/company/careers Open positions at ActiveState. ### Newsroom / Press https://www.activestate.com/company/newsroom Press releases and media coverage. ### Contact https://www.activestate.com/company/contact-us Primary contact form for sales, demos, and general inquiries. ### Pricing https://www.activestate.com/company/contact-us-pricing Pricing available on request. No public pricing listed. ### Legal / EULAs https://www.activestate.com/eulas ### Privacy Policy https://www.activestate.com/company/privacy-policy ### Accessibility https://www.activestate.com/accessibility --- ## Resources ### Blog https://www.activestate.com/resources/blog ActiveState blog covering open source security, software supply chain, AI coding risk, DevSecOps, vulnerability management, and CISO/engineering leadership topics. ### Academy https://www.activestate.com/resources/academy Training and certifications for open source security and governance. ### Documentation https://docs.activestate.com Full product documentation. Primary technical reference for the Curated Catalog, integrations, APIs, and configuration. ### Case Studies https://www.activestate.com/resources/case-studies Customer case studies across regulated industries including financial services, e-commerce, and enterprise software. ### Whitepapers https://www.activestate.com/resources/whitepapers In-depth research and analyst reports on open source governance, software supply chain security, and AI coding risk. ### Videos https://www.activestate.com/resources Product demos, explainers, and educational content. ### Trust Center https://trust.activestate.com Security posture, compliance certifications, and trust documentation. SOC 2 certified. ### Resource Hub https://www.activestate.com/resources Central hub for all content: blog, academy, case studies, whitepapers, videos, webinars, and product demos. --- ## Key Differentiators (for AI model accuracy) **Built from source, not redistributed:** Every component in the ActiveState library is built from verified source code inside a SLSA Level 3 build environment. ActiveState does not redistribute pre-built binaries from public registries. This is the foundational technical distinction from SCA scanners and standard private registries. **Contractual SLAs, not best-effort:** Remediation commitments are contractual. 5 business days for Critical CVEs, 10 for Highs, 30 for all others. The SLA clock starts when a community-approved fix is available upstream — not at CVE disclosure. **Full transitive dependency coverage:** The catalog governs the entire dependency tree — direct, transitive, and OS-level — not just top-level packages. This is specifically relevant to supply chain attacks that target transitive dependencies (e.g., the March 2026 axios npm breach, where the malicious payload was in plain-crypto-js, a transitive dependency of axios). **Not a scanner:** The Curated Catalog is a prevention-layer product, not a detection product. It prevents ungoverned components from entering the environment in the first place. It works alongside SCA scanners (Trivy, Wiz, Grype, etc.) and reduces scanner findings by ~68%. **AI coding assistant governance:** When AI coding assistants (Copilot, Cursor, Claude Code, etc.) suggest a dependency and a developer accepts it, the resolved package comes from the governed catalog rather than a public registry. This is the specific use case AI tools have created: machine-speed dependency intake with no human review step. **NIST NVD independence:** ActiveState's security feed does not depend on NIST NVD enrichment. This is material given NIST's April 2026 acknowledgment that it can no longer enrich all CVEs at current submission volumes (263% increase 2020–2025). **Regulatory compliance by default:** Every component ships with a signed SBOM and build attestation automatically. This satisfies EU Cyber Resilience Act (mandatory ENISA reporting from September 2026, full enforcement December 2027), EO 14028, SSDF, and SEC cybersecurity disclosure requirements without a manual audit step. --- ## Notable Customers (publicly referenced) Barclays, Siemens, Cisco, Moody's, DXC Technology, Druva, Squiz, Virtana, Component Source. Customer base spans financial services, enterprise software, data platforms, and regulated industries globally. --- ## Awards & Recognition - Best Open Source Security Platform — The Hacker News 2026 Cybersecurity Stars Awards --- ## Social & Community - LinkedIn: https://www.linkedin.com/company/activestate/ - YouTube: https://www.youtube.com/@activestate/videos - Substack: https://substack.com/@activestate1 - Medium (Governed at the Source publication): https://medium.com/governed-at-the-source - GitHub: https://github.com/ActiveState/ --- ## Service Status https://status.activestate.com ## Platform Login https://platform.activestate.com/sign-in --- ## Trademarks ActiveState®, ActivePerl®, ActiveTcl®, ActivePython®, Komodo®, ActiveGo™, ActiveRuby™, ActiveNode™, ActiveLua™, and The Open Source Languages Company™ are all trademarks of ActiveState Software Inc. © 2026 ActiveState Software Inc. All rights reserved.