ActiveState Artifact Repository Reduces Risk to Secure Python Supply Chain


ActiveState publishes ActiveState Artifact Repository to enable organizations to securely create Python dependencies directly from source code.

Rather than importing pre-built Python dependencies from a public repository such as the Python Package Index (PyPI), or from an internal build process that may not be hardened against supply chain attacks, all Python artifacts are created through ActiveState’s secure build service and stored directly in the organization’s own private ActiveState artifact repository for distribution, creating a closed-loop environment that maximizes supply chain security.

ActiveState’s secure build service supports the security and integrity controls defined at the highest level of the Supply-chain Levels for Software Artifacts (SLSA) framework, significantly reducing the risk of working with pre-built Python dependencies. The ActiveState Artifact Repository is a private, customer-customized repository that contains only Python packages that have been verified by the organization’s security team.

When developing with Python, software vendors typically use their artifact repository to proxy the Python Package Index (PyPI), which provides no security or integrity guarantees for the third-party software assets it hosts. In contrast, the ActiveState Artifact Repository provides software vendors with a catalog of secure Python dependencies that have already been vetted by their security team, reducing the risk of using third-party components.

Organizations that build Python dependencies from source code typically end up with unique versions that are rarely updated, resulting in buggy and vulnerable applications. Alternatively, they are forced to implement and maintain a separate build system for each operating system (OS) that developers and deployment targets require, resulting in high operational overhead. Conversely, the ActiveState artifact repository:

  • Ensures the security and integrity of Python artifacts that developers work with.
  • Eliminates the overhead of creating and maintaining build environments for Windows, Mac, and Linux.
  • Uses a secure, cloud-based build service to eliminate the need to periodically audit internal build systems for any compromises.

As a result, software vendors now have a much more secure and cost-effective way to make trusted Python dependencies available to development and DevOps teams.

Loreli Cadapan, VP, Product, ActiveState, said, “Artifact repositories are a proven way to create a consistent and reliable software development process. But the final product is as safe and secure as the initial entries in the artifact repository. This is where ActiveState excels. The ActiveState Artifact Repository reduces the risk and cost of securing your Python supply chain while ensuring the security and integrity of the products and services you create.”