gastropod.io

coming soon · releasing before the end of June

Artifact Intelligence

for the software supply chain

gastropod.io is a developer-friendly artifact registry and control plane for Go, npm, Debian, and more. It gives teams a PURL-keyed catalog, pull-through provenance, scanner-ready artifacts, and audit evidence without changing how developers want to work.

PURL-keyed catalog · proxy / cache · who-pulled-what audit · scanner handoff · cloud or self-hosted

small surface area. useful answers.

The placeholder version: enough to say what matters, not so much that it reads like enterprise wallpaper.

01

one identity, every ecosystem

Normalize packages and artifacts into a single PURL-based catalog across Go, npm, Debian, and additional ecosystems as they land.

02

hosted or proxied

Publish private packages, cache public ones, or route installs through a controlled endpoint that still feels natural to developers.

03

know who pulled what

Attribute every pull to a principal, repo, token, and consumer so teams can reconstruct exactly where an artifact went.

04

scanner-ready artifacts

Pull the exact artifact once, preserve its identity, and present it cleanly to the tools your team already uses.

05

audit-first metadata

Checksums, versions, access events, SBOM context, and provenance become part of the normal artifact flow.

06

boring where it counts

API tokens, registry config, role-based access, exportable records, and deployment choices that fit real engineering teams.

point your tools at gastropod.

Developers keep pulling packages. Security gets the artifact-level trail it has always wanted.

[Diagram: Artifact flow. Repository and package manager pull artifacts through gastropod.io, then route artifact identity and metadata to scanners and audit records.]

developer setup · copy/paste friendly

example

# .npmrc
registry=https://registry.gastropod.io/npm/acme/platform/
//registry.gastropod.io/:_authToken=${GASTROPOD_TOKEN}

# then install normally
npm install

 artifact resolved
 digest recorded
 pull attributed
 evidence retained
mode         shape              status
cloud        hosted registry    soon
self-hosted  your environment   soon
enterprise   dedicated setup    talk

pricing that starts simple.

Free for early builders, business plans for growing teams, and dedicated enterprise options when procurement gets involved.

$0

free

Public packages, small private usage, enough storage to kick the tires, and a clean path to production.

$

business

Private repositories, more seats, role-based access, audit logs, and priority support for engineering teams.

enterprise

Dedicated deployment choices, compliance support, procurement paperwork, and help getting the control plane in place.