ActiveState unveils 79m-strong secure open source catalogue
ActiveState has launched what it calls the world's largest secure open-source catalogue, listing 79 million components across more than a dozen programming-language ecosystems.
The Vancouver-based company is positioning the catalogue as a single source for organisations that currently retrieve open-source packages from multiple public repositories. It said this could reduce exposure to known vulnerabilities and cut the time developers spend on ongoing remediation.
Many DevSecOps teams work across multiple languages simultaneously, often including Java, JavaScript, Go, Python, and R. Maintaining separate supply chains for each language can complicate patching cycles, dependency tracking, and internal compliance.
Catalogue scope
ActiveState said the catalogue now spans more than 12 languages, including Java, JavaScript, Go, Python, and R. It also covers Rust, PHP, .NET, and several C-family languages such as C#.
ActiveState positioned the catalogue as an alternative to security tools focused on scanning and to container-only controls. It stated that container images are outputs of the catalogue, not the primary control point.
Organisations often consume open source through a mix of direct downloads, package managers and container registries. Risk increases when maintenance and update practices vary across projects. Vulnerabilities in transitive dependencies and shared libraries can also force rapid upgrades or component replacements.
ActiveState said centralising access to components reduces fragmentation. It described the catalogue as continuously maintained and monitored for vulnerabilities, and highlighted a five-business-day remediation service level agreement for critical CVEs.
Build process
The catalogue relies on components built from source code. ActiveState said it uses an SLSA-3-hardened build environment and that its open-source build factory completed nearly 1 million successful builds in 2025 for more than 200 global clients.
Those builds include more than the requested package. ActiveState said it incorporates language runtimes, dependencies and operating system requirements specified by customers to produce repeatable artefacts across environments.
ActiveState also addressed concerns about proprietary formats, saying customers are not locked into a proprietary packaging approach. It said it can deliver artefacts as container images, native file types, or managed distributions.
Customer claims
ActiveState said organisations using the catalogue can reduce CVEs by up to 99% and reclaim up to 30% of engineering time spent managing open source risk. It listed Altair, Cisco, Moody's and Tesco as users.
A public-sector example came from Finland. "We use Python and R in our software development efforts at Statistics Finland, and sourcing, managing, and maintaining those from different sources increased our operational burden and risk profile," said Juhani Kauppo, project manager at Statistics Finland.
"Partnering with ActiveState and sourcing our OSS from their library has allowed us to strip away that overhead and strengthen our security posture. That gives our developers more time to focus on innovation and brings peace of mind to our security team," Kauppo said.
Market context
Open source software underpins a large share of modern applications. Many organisations now standardise on five to seven languages across teams, increasing the number of upstream projects they depend on. This growth has raised the operational burden for software supply chain governance, including bill of materials management and vulnerability response.
ActiveState also cited AI coding tools as a factor contributing to the volume of third-party dependencies in codebases. More generated code can lead to more indirect package pulls and less visibility into component origins.
ActiveState said the catalogue reached 40 million components in mid-2025 after adding Java and R to its earlier coverage, which included Python, Perl, Ruby, and Tcl. The latest expansion brings the total to 79 million components.
Bob Shaker, ActiveState's chief product and technology officer, said customers are shifting open source maintenance work to the supplier. "Our customers are seeing the benefit of offloading the management and maintenance of open source to ActiveState," he said.
"Our built-from-source components, ongoing CVE management, and integration with package repositories give companies all of the benefits of open source without the headaches or being trapped into only using containers; ActiveState can also deliver these in native file type or managed distributions. This truly revolutionizes how modern software is managed," Shaker said.