
ActiveState shifts AI security to an open source dependency model, delivering a tool-agnostic, built-from-source layer to curb supply chain risk and meet compliance demands.
ActiveState has expanded its Curated Catalog to support AI-assisted development environments, positioning it as a tool-agnostic, built-from-source open-source security layer that governs dependencies across ecosystems.
The move addresses a growing risk: AI coding assistants routinely pull open-source dependencies from public registries, where each prompt can introduce insecure components. These registries were not designed for enterprise-grade security, rapidly expanding the software supply chain attack surface.
ActiveState’s Curated Catalog counters this by enabling security teams to create private, policy-governed repositories of open-source components sourced from its library of more than 79 million packages. Instead of public registries, AI tools pull dependencies from this curated layer—ensuring components are built from source, continuously monitored, and automatically updated with verified fixes. Governance is enforced at the point of dependency consumption, aligning security with AI-driven development speed.
All components are built under SLSA Level 3 infrastructure, delivering verified provenance and immutable audit trails. The system integrates across AI coding assistants including Cursor, Claude Code, GitLab Duo, Tabnine, Windsurf, and JetBrains AI, reinforcing a key shift: security is tied to dependencies, not tools.
The platform also supports compliance with frameworks such as the EU Cyber Resilience Act and U.S. Securities and Exchange Commission disclosure requirements, offering contractual SLAs with remediation timelines of five days for critical vulnerabilities—far ahead of the 60+ day industry average.
“The market is moving toward deeply coupled integrations between individual AI coding tools and security vendors,” said Abby Kearns, CEO, ActiveState. “That is the wrong frame. Your developers are not using one AI tool, and they may not be using the same one in 18 months. The security layer cannot be coupled to the tool. It has to be coupled to the dependency. That is exactly what the Curated Catalog does, and it is why our architecture was built this way from the start.”
By automating monitoring, rebuilding, and patching of open-source components, ActiveState eliminates manual CVE backlogs—marking a shift towards dependency-centric, machine-speed open-source governance.