SecurityBrief US - Technology news for CISOs & cybersecurity decision-makers

ActiveState unveils Curated Catalog for safer code

Tue, 17th Mar 2026

ActiveState has launched Curated Catalog, a private repository service that supplies organisations with pre-vetted open source components for software development and AI-assisted coding.

The Vancouver-based company positions the product as a way to reduce security risks that can arise when developers and code-generation tools pull dependencies directly from public package registries. The service is intended to give security teams control over which packages are available within an organisation's development environments.

Large language models are increasing the volume of third-party components introduced into applications. That trend has sharpened focus on software supply chain practices, including package provenance and integrity, and the speed at which vulnerabilities are identified and remediated.

Curated Catalog draws on the ActiveState Library, a multi-ecosystem collection of more than 79 million components rebuilt from source across more than 12 language ecosystems.

Private dependency source

Curated Catalog is designed to act as an internal source of dependencies. Developers and AI code generators can pull approved packages from the private catalogue rather than sourcing components from the open internet. The approach reflects a broader shift among larger organisations towards governed dependency intake and policy-based controls.

Public registries offer fast access to vast numbers of packages, but they can expose organisations to risks from unvetted components, including known vulnerabilities and potentially malicious or compromised packages. Incidents tied to dependencies can carry operational and compliance consequences, along with reputational damage.

ActiveState says Curated Catalog reduces the workload associated with monitoring and maintaining components and their dependencies, and includes service levels for vulnerability remediation. It commits to providing remediated components within five business days for critical vulnerabilities and within ten business days for high-severity vulnerabilities.

Integration approach

The service is intended to fit into existing developer workflows, delivering packages in native formats, including Python Wheels. Curated Catalog is also designed to work with established CI/CD pipelines and common artefact management systems.

Named integrations include JFrog Artifactory, Sonatype Nexus, Cloudsmith, GitHub Packages, GitLab Package Registry, AWS CodeArtifact, Google Artifact Registry, and Azure Artifacts.
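Whether a build really resolves only from the governed source is something a pipeline can verify. The following added example (not ActiveState's code) audits a pip configuration and a requirements file against that policy; the catalogue host name, the pip.conf text and the requirements text are constructed, and hash-pinning is standard pip practice rather than a feature the article describes.

```python
"""Policy check: a build may only resolve Python dependencies from the private catalogue.

Added example, not ActiveState code. The catalogue host, pip.conf text and
requirements text below are constructed for illustration.
"""
import configparser
import re
from urllib.parse import urlparse

# Hypothetical private catalogue host (placeholder, not a real ActiveState endpoint).
PRIVATE_HOST = "catalog.example.internal"

# Constructed pip.conf: index-url points at the catalogue, but extra-index-url
# re-opens the public registry as a fallback, which defeats governed intake.
PIP_CONF = """
[global]
index-url = https://catalog.example.internal/simple
extra-index-url = https://pypi.org/simple
"""

# Constructed requirements file: one entry is hash-pinned, one is not.
REQUIREMENTS = """
requests==2.32.3 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
urllib3==2.2.2
"""

def check_pip_conf(text: str) -> list[str]:
    """Return policy findings for a pip configuration (empty list means compliant)."""
    cp = configparser.ConfigParser()
    cp.read_string(text)
    g = cp["global"] if cp.has_section("global") else {}
    findings = []
    host = urlparse(g.get("index-url", "")).hostname
    if host != PRIVATE_HOST:
        findings.append(f"index-url host {host!r} is not the private catalogue")
    if g.get("extra-index-url"):
        findings.append("extra-index-url set: pip may fall back to a public registry")
    return findings

def unpinned_requirements(text: str) -> list[str]:
    """Return requirement names that lack a --hash, so wheel integrity is not verified."""
    # Join backslash continuations so each requirement is one logical line.
    joined = re.sub(r"\\\n\s*", " ", text)
    missing = []
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "-")):
            continue
        if "--hash=" not in line:
            missing.append(re.split(r"[=<>!~ ]", line, 1)[0])
    return missing
```

Run both checks in CI and fail the build on any finding; the extra-index-url case matters most, because pip will silently resolve from whichever index answers.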

ActiveState also describes a continuous oversight model. Security teams receive daily updates on components in their catalogue, with alerts for critical patches or newly discovered vulnerabilities. When upstream fixes are released, components are rebuilt and published into Curated Catalog.

Bob Shaker, Chief Product and Technology Officer at ActiveState, framed the product as a response to competing demands inside software organisations.

"Developers need speed, while security teams need control and too often they're forced to compromise," Shaker said.

"The Curated Catalog eliminates that tradeoff by giving organizations a private library of trusted, rebuilt-from-source open-source components that developers can consume directly in their workflows and from within AI code generators," he said.

"With the largest multi-ecosystem catalog of verified components, ActiveState enables enterprises to scale open source safely across 12+ language ecosystems - capabilities most solutions simply can't deliver," Shaker added.

Supply chain focus

Industry analysts have highlighted dependency governance as a growing priority as supply chain threats broaden beyond traditional perimeter and endpoint controls.

"Modern software stacks commonly include thousands of open source components sourced from public package registries, where provenance and integrity are not always verifiable," said Katie Norton, Research Manager at IDC.

"As software supply chain threats grow, organizations are placing more emphasis on policy-based controls and using governed sources for dependencies to reduce the likelihood that vulnerable or malicious packages enter the build pipeline," Norton said.

"ActiveState's Curated Catalogs are designed to operationalize that approach by centralizing dependency intake in a private catalog and delivering components through existing developer tooling and artifact repositories," she added.

ActiveState says Curated Catalog is built on infrastructure it describes as SLSA Level 3 compliant. The company positions the rebuilt-from-source approach as a way to provide stronger assurance around package provenance than is typically available from public registries.

Adoption is likely to depend on how security teams balance the desire for tighter control with developer expectations for rapid access to new dependencies and updates. Organisations with strict compliance requirements or complex software estates may see value in centralising dependency intake and standardising approved components across teams.