Secure the Code Your AI Writes
The world’s largest catalog of secure, trusted, and continually remediated open source available in three consumption models.
Open source governance that moves at the speed of AI
- AI agents don’t wait for security approvals. Every prompt is a potential dependency request, and the public registries those requests hit were not designed with enterprise security posture in mind.
- Governance at the dependency layer, not the tool layer. A security model enforced at the AI tool level is bypassed the moment a developer opens a terminal, switches tools, or runs a build script.
- No new tooling. No workflow changes. The Curated Catalog works with the AI coding assistants, artifact repositories, and scanners your teams already use, so governance is automatic, not optional.
- 79 million built-from-source components across 12 language ecosystems. Every component in the ActiveState Library (which powers the Curated Catalog) is scanned for CVEs and malware, then built within SLSA Level 3 infrastructure before it ever reaches a developer.
- Contractual remediation SLAs, not process descriptions. Critical CVEs are remediated in 5 business days, against an industry average of upwards of 60 days.
Which AI tools will your developers be using next quarter?
Your developers may not be standardized on a single AI coding assistant today, and they may not be using the same ones next year. That is why the Curated Catalog is tool-agnostic by design: it governs every dependency request, regardless of which tool it originates from.
Tool-agnostic by design
The Curated Catalog works with any AI coding assistant that pulls dependencies through standard artifact repositories or native package managers, including Cursor, Claude Code, Codex, GitLab Duo, Tabnine, Windsurf, and JetBrains AI. When your team adopts the next tool, the governance comes with it.
Policy enforced at the point of consumption
When a dependency request comes in, whether it originated from an AI agent, a CI/CD pipeline, or a developer in a terminal, it resolves to a vetted component from the ActiveState Curated Catalog. The developer does not have to make the right choice. The architecture makes the wrong choice unavailable.
79 million components. 12 language ecosystems. In production today.
The ActiveState Library, which powers the Curated Catalog, covers Python, Java, C#, C++, Go, Rust, R, Perl, and more, with full transitive and OS-level dependency coverage across more than 79 million built-from-source components. Not a roadmap. Not a beta. The breadth your actual stack requires, available now.
Remediation you can put in a contract
When the open source community releases a fix, ActiveState builds the updated component from source and publishes it automatically. Critical CVEs: 5 business days. Highs: 10 business days. All others: 30 days. These are SLA commitments, not aspirational targets.
Works with the tools your teams already use
The Curated Catalog works seamlessly with your AI coding assistants, artifact repository systems, and the scanners already in your stack. Developers get fast, reliable access to what they need. Security gets the governance they require.
FAQs
What AI coding assistants does the ActiveState Curated Catalog support?
The Curated Catalog is tool-agnostic. Because it integrates at the artifact repository layer rather than at the tool level, it works with any AI coding assistant that pulls dependencies through standard package managers or artifact repositories. This includes Cursor, Claude Code, Codex, GitLab Duo, Tabnine, Windsurf, JetBrains AI, and others. If the tool pulls a dependency, the Curated Catalog governs it.
How is this different from a security integration built into a specific AI coding tool?
Tool-level integrations enforce policy when developers use that specific tool. They provide no protection when developers use a different AI assistant, open a terminal, or trigger a dependency request through a CI/CD pipeline. The Curated Catalog enforces policy at the artifact repository layer, which means governance applies to every dependency request regardless of where it originated.
What languages and ecosystems does the ActiveState Library cover?
The ActiveState Library, which powers the Curated Catalog, covers 12 major language ecosystems including Python, Java, C#, C++, Go, Rust, R, and Perl, with full transitive and OS-level dependency coverage across more than 79 million built-from-source components.
What are ActiveState's remediation SLAs for vulnerabilities?
ActiveState commits contractually to remediating critical CVEs within 5 business days, high CVEs within 10 business days, and all others within 30 business days. The industry mean time to remediate critical CVEs is upwards of 60 days. These SLAs apply when a community-approved fix is available upstream.
Does the Curated Catalog require developers to change their workflow?
No. The Curated Catalog works seamlessly with the AI coding assistants, artifact repositories, and scanners your teams already use. There is no new tooling to learn and no changes to your CI/CD strategy.
How does ActiveState handle vulnerabilities in AI-suggested packages?
Every component in the ActiveState Library is scanned for CVEs and malware before it enters the library. Known malicious components are blocked and quarantined. When an AI coding assistant requests a package, it resolves to a vetted, built-from-source component rather than whatever happens to be in a public registry at that moment. Continuous monitoring means components are updated automatically when community-approved fixes are available.