AI Generates Code in Seconds. It Also Introduces Risk Just as Fast.
What is a Curated Catalog?
A curated catalog is a private library of open source packages that have been:
- Built from verified source code, not redistributed binaries
- Vetted across the full dependency tree: direct dependencies and every transitive package underneath
- License obligations surfaced before they become legal exposure
- Shipped with complete provenance and signed attestations
Think of it as your organization’s “approved vendor list” for open source dependencies, but automated and integrated directly into your developers’ existing workflow.
Why Transitive Dependencies Matter: When you install one package, you inherit its entire supply chain: often dozens of dependencies no one on your team chose, each one capable of introducing a CVE, a license shift, or a malicious payload without warning. High-profile breaches like event-stream, ua-parser-js, and Axios didn’t come through libraries developers picked. They came through the hidden layers underneath.
Risks of Hidden Dependencies
What Your Developers Install vs. What Actually Enters Your Environment
When a developer adds four common packages to a production Node.js application: a web server, an HTTP client, a logger, and an image processor, a typical install pulls in 135 packages total. Most teams can name the 4 they chose. Almost no one has reviewed the other 131.
Recent major breaches didn’t come through the packages developers picked. They came through the ones that came along for the ride:
Axios (April 2026)
70M weekly downloads, compromised transitive dependency
TeamTCP (March 2026):
Cascaded through dependencies of dependencies across five package ecosystems
Shai-Hulud worm (November 2025):
Self-replicated through 500+ npm packages by exploiting compromised maintainer accounts, turning trusted dependencies into infection vectors
Your scanner only catches these after they’re already in your environment. The curated catalog governs them before they can enter.
For Your Developers:
- Developer (or AI coding tool) requests a package
- Package manager resolves to your curated catalog instead of PyPI/npm
- Developer receives the current vetted version automatically
- Development continues with zero workflow disruption
For Your Security Team:
- Your policies define what’s acceptable (vulnerability thresholds, licenses, etc.)
- Only packages meeting your criteria enter the catalog
- As upstream fixes become available, packages are built and distributed automatically within contractual SLA windows
- Audit trails and SBOMs are automated and continuously maintained
For Your Engineering Team:
- Reactive developer security effort is returned to feature development
- Roadmap predictability is restored
- Security-related sprint and release blocks are prevented at the source
- Remediation is handled by your catalog provider with contractual SLAs
The Problem with Public Registries:
- AI coding assistants pull dependencies at machine speed with zero human review
- 188% year-over-year increase in malicious open source packages (Sonatype, 2025)
- NIST is no longer enriching all CVEs, creating critical gaps in scanning techniques
- Only 26% of critical vulnerabilities were remediated in 2025, down from 38% the year before (Verizon DBIR 2026)
Advantages of the Curated Catalog:
- Up to 95% reduction in CVEs compared to same packages from public registries
- Removes the malware ingestion vector from compromised public registries
- Contractual remediation SLAs vs. industry average MTTR of 54.8 days for high and critical vulnerabilities (Edgescan 2026)
Complete provenance chain for regulatory compliance
What Governed Open Source Looks Like in Practice
- Faced 633% surge in supply chain attacks.
- Moved Python pipeline to source-built catalog.
- Zero public malware ingestion since implementation.
Fortune 200 Energy Company
- $1M in productivity reclaimed across 300 developers.
- 99% reduction in unvetted package usage.
- 65% ROI in year one.
Global Health Tech Leader
- Shortened remediation cycles from 245 days to under 30.
- 25% of developer time reclaimed from security triage work.
Technical Integration
Supported Ecosystems:
Python, JavaScript, Java, .NET, C/C++, Go, Rust, R, Perl, Tcl, Ruby
Supported Repositories:
JFrog Artifactory, Sonatype Nexus, GitHub Packages, Amazon Q Developer, GitLab Package Registry
AI Coding Assistant Compatible:
GitHub Copilot, Cursor, AWS CodeWhisperer, Azure AI, all major coding assistants
Implementation:
Point your existing artifact repository at the ActiveState catalog. No pipeline changes. No developer retraining. Same packages, same APIs, vetted source.
FAQs
Does a Curated Catalog slow down developers?
No. Developers work exactly as they do today. Package managers resolve from the catalog instead of public registries. If an exact version doesn’t reach governance standards, you get the closest vetted version in the same release branch.
What if we need a package that's not in the catalog?
ActiveState covers the top 1,000 components per ecosystem plus dependencies. For anything outside that, our build service produces it to the same SLSA Level 3 standards dependent on your organization’s needs.
How does an Active State Curated Catalog work with AI coding assistants?
When Copilot or Cursor suggests a dependency, your package manager resolves it from the governed catalog, not from npm, PyPI, or Maven Central. The AI workflow doesn’t change. The source does.
What about compliance and audits?
Every component ships with signed SLSA Level 3 attestation and complete SBOM. Supports EU CRA, SSDF, and EO 14028 compliance requirements without manual audit assembly.
See an ActiveState Curated Catalog in Action
Ready to see how this works in your actual environment?
Our proof-of-concept runs in your infrastructure with your dependencies. No generic demo. Your actual risk surface, governed and documented.
