
This post originally appeared in ActiveState News

https://www.activestate.com/resources/press-releases/activestate-unifies-79m-components-to-launch-worlds-largest-secure-open-source-catalog/
ActiveState Unifies 79M Components to Launch World’s Largest Secure Open Source Catalog

By consolidating 12+ language ecosystems into a single repository, the ActiveState Catalog enables DevSecOps teams to slash CVE exposure by up to 99% and reclaim 30% of engineering time


Vancouver, BC - Feb. 17, 2025 - ActiveState, a global leader in open source language solutions and secure software supply chain management, today announced it has grown its catalog of secure open source components to 79 million, effectively doubling coverage from 2025 and expanding to more than 12 languages. This provides DevSecOps teams one stop for acquiring trusted open source components for their software development and CVE remediation efforts. ActiveState’s catalog now covers the most popular languages used in enterprise software development, including Java, JavaScript, Go, Python, and R, among others, and offers the widest breadth and depth of any open source catalog in the market today. This release moves beyond scanners and image-only hardening to a governed, multi-language catalog that standardizes how enterprises consume open source. Companies who want to learn more can visit activestate.com

Open Source Offers Opportunities - and Risks

Open source software powers 96% of modern software applications, with most companies using 5 to 7 different open source languages in their development process. While beneficial for speeding software development, open source creates chaos and complexity within DevSecOps teams: without a unified, secure source for open source, software development teams open their companies up to risk each time they download a new package from the open internet or grab a container image from a public repository. Maintainer integrity is unknown, update schedules are inconsistent, and bad actors exploit known vulnerabilities as zero-day threats. Not only does this threaten companies’ security posture, it creates an endless body of work for developers to manage, maintain, and troubleshoot third-party code to keep it vulnerability-free: they are forced to track CVEs for the components, dependencies, and shared libraries, and then update, migrate, and replace components to maintain safety and compliance. This drains as much as 30-50% of valuable time and resources from developers that could otherwise be spent on revenue-driving innovation. Furthermore, it jeopardizes companies’ ability to meet compliance requirements, which can also have a financial impact. The adoption of AI code generators only increases the volume and opacity of these risks.

A New “Golden” Path Forward: the ActiveState Catalog

ActiveState’s enterprise-grade, secure catalog enables companies to tame the complexity of open source in their DevSecOps operations. Unlike point solutions focused on a single language or container layer, the ActiveState Catalog is the only solution that unifies component-level coverage across the 12 most-used open source ecosystems - from source code through language libraries and images - into one catalog, standardizing how developers acquire and update open source across languages through a governed golden path. Container images are just one output of the catalog, not the control point itself, which ensures consistency across all entities that leverage open source within an organization. And unlike other solutions, ActiveState doesn’t lock you into a proprietary format that leads to vendor lock-in.


All components are continuously monitored and maintained by ActiveState, with an industry-leading 5 business day remediation SLA for critical CVEs, and built from source in a SLSA-3 hardened build environment. In 2025, ActiveState’s OSS build factory completed nearly 1 million successful open source builds for more than 200 global clients. These builds incorporate not only the base component, but also the associated language cores, dependencies, and operating systems required by the customer, ensuring complete, secure open source across the stack.


Organizations choosing the ActiveState Catalog, such as Altair, Cisco, Moody’s, and Tesco, eliminate hours of developers hunting for and evaluating open source from multiple vendors, saving as much as 30% of their time, and improve their company’s overall security posture by reducing CVEs by up to 99%.


“We use Python and R in our software development efforts at Statistics Finland, and sourcing, managing, and maintaining those from different sources increased our operational burden and risk profile,” said Juhani Kauppo, project manager at Statistics Finland. “Partnering with ActiveState and sourcing our OSS from their library has allowed us to strip away that overhead and strengthen our security posture. That gives our developers more time to focus on innovation and brings peace of mind to our security team.”

Delivering the World’s Most Comprehensive Open Source Catalog

The ActiveState catalog grew to 40 million components in mid-2025 when it introduced coverage for Java and R in addition to Python, Perl, Ruby, and Tcl. As of January 2026, the company has expanded its open source coverage to include other popular languages, including:

  • JavaScript

  • Go

  • Rust

  • PHP

  • .NET

  • C, C+, C++

  • C#


This brings the catalog component count to 79 million and growing.


“Our customers are seeing the benefit of offloading the management and maintenance of open source to ActiveState,” said Bob Shaker, CPTO, ActiveState. “Our built-from-source components, ongoing CVE management, and integration with package repositories give companies all of the benefits of open source without the headaches or being trapped into only using containers; ActiveState can also deliver these in native file type or managed distributions. This truly revolutionizes how modern software is managed.”


To learn more about ActiveState’s catalog of secure, trusted open source software, please visit www.activestate.com or Contact Us.
