2026 WINNER · CYBERSECURITY STARS AWARDS

ActiveState Curated Catalog

Best Open Source Security Platform
Company: ActiveState
Location: Canada
Team Size: 50 - 99 employees
01

Overview

ActiveState enables development teams to improve their security posture and increase velocity, ensuring they deliver secure workloads faster by automating the management of the open source software supply chain. The ActiveState Curated Catalog is a secure, built-from-source catalog of open source components that security teams curate and developers and AI coding assistants consume safely, without pulling from unvetted public registries.

When an AI coding assistant requests a dependency, it draws from the ActiveState Curated Catalog rather than relying on a public registry where your security team has zero visibility or control over what gets ingested. The component it receives is built from source within SLSA Level 3 infrastructure, continuously monitored, and automatically remediated to a contractual SLA. This means governance is embedded at the point of consumption, which is the only place it can realistically keep pace with AI-generated code volume.

The ActiveState Curated Catalog works seamlessly with the artifact repositories and package managers teams already use, including JFrog Artifactory, Sonatype Nexus, GitHub Packages, and AWS CodeArtifact, with no new tooling for developers to learn and no changes to CI/CD strategy. This extends to Claude Code and other AI coding assistants: developers using AI-assisted development can pull dependencies directly from the ActiveState Curated Catalog rather than unvetted public registries, embedding governance at the point where AI generates the code. Backed by the ActiveState library of 79 million built-from-source components across 12 major language ecosystems, it is the top solution for governing open source ingestion at the point of origin, at the speed of AI-generated code.

02

Key Capabilities

  • Vetted repository access: A private, filtered catalog of open source software components and their verified dependencies, replacing unvetted public registries as the default source for your engineering teams and AI coding assistants.

  • Multi-language support: Components, dependencies, and shared libraries across 12+ language ecosystems from a single source, covering Python, Java, JavaScript, C libraries, R, and more.

  • Built from source: Every component is built from source within SLSA Level 3 infrastructure, ensuring what enters your environment is what it claims to be and has not been tampered with at the build or distribution level.

  • Native workflow compatibility: Developers use the package managers they already know, including pip, npm, and Maven, to pull approved components without learning new tools or changing existing workflows.

  • Artifact manager compatibility: Works seamlessly with JFrog Artifactory, Sonatype Nexus, AWS CodeArtifact, GitHub Packages, and others, sliding into your existing CI/CD pipeline as a single trusted upstream source.

  • Continuous CVE remediation: Managed components are rebuilt and republished when community-approved fixes are available, governed by contractual SLAs: 5 business days for critical CVEs and 10 business days for high CVEs.

  • Component-level security feed: Daily security intelligence on every component in your catalog, with immediate alerts when new vulnerabilities are discovered or patches become available.

  • Traceability and auditing: A complete system of record for component versions, licenses, and security posture over time, delivering audit-ready compliance without manual effort.

03

How we are different

Most governance tools were built for a human-scale SDLC, which simply no longer exists. When developers are using AI to flood repos with code, your attack surface expands at the speed of a prompt, and manual vetting becomes the bottleneck that guarantees you lose. The ActiveState Curated Catalog is the best solution for governing open source ingestion at the point of origin, at the speed AI requires.

Where other catalog and governance tools require developers to change their workflow or security teams to manually vet every request, the ActiveState Curated Catalog embeds policy directly into the tools developers and AI agents already use. The right components are always available, while the risky ones never reach a developer's machine.

The result is 95% fewer CVEs compared to community open source artifacts, a 90% reduction in mean time to remediate, and a complete, immutable audit trail that protects the organization and the security leader personally when regulators come asking.

Watch a demo of the ActiveState Curated Catalog here: https://youtu.be/skOR2VNtBug
