security & trust
We're asking you to route your software supply chain through us, so we'll be straight about how it's built and what it does. Here's exactly what's in place today — and, lower down, what we don't yet claim.
Your data stays isolated
Each organization is its own tenant, with its own datasets, keys, and quotas. Private packages, dependency graphs, and pull history live inside your boundary; nothing is pooled across tenants. Self-host it air-gapped and it never leaves your network at all.
Encrypted in transit & at rest
TLS on the wire; storage encrypted at rest. Content is addressed by sha256, so every blob is verified against its own digest on the way in and on the way out. A matching digest proves the bytes are the ones the address names; whether that address was the right thing to ask for is what the provenance checks below are for.
Access control, every tier
SSO via OIDC is an operational security feature, not an upsell: it's on every plan. Scope people and machines with role-based access (admin / publisher / reader) and narrowly scoped API tokens.
Integrity & provenance
Pulls are checked against the source of truth for each ecosystem: the h1 hashes in Go's sum.golang.org checksum log, npm's SRI integrity strings, Sigstore attestations, and signed apt repositories. A name or version that no longer resolves to the recorded content, and artifacts that have been tampered with, get caught, not waved through.
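The arithmetic behind the two claims above (content addressing by sha256, and checking a pull against the upstream record) is small enough to show in full. The block below is an added example, not the product's own code: it verifies a blob against a `sha256:` address, checks an npm tarball against an SRI integrity string, and recomputes Go's `h1:` hashes the way `golang.org/x/mod/sumdb/dirhash` defines them (sha256 over sorted `<hex>  <name>` lines, base64, `h1:` prefix), producing the two go.sum records for a module version. The module `example.com/m`, its files, and the function names are constructed for the demonstration; Sigstore and apt signature verification are not shown.

```python
"""Digest checks a supply-chain proxy applies on ingest and egress.
Added example, not the product's own code; sample module is constructed."""
import base64
import hashlib
import hmac
import io
import zipfile

# ---- Content addressing: a blob is stored and served under its own sha256 ----

def content_id(blob: bytes) -> str:
    """Content address in the form 'sha256:<hex digest>'."""
    return "sha256:" + hashlib.sha256(blob).hexdigest()

def verify_blob(blob: bytes, expected_id: str) -> bool:
    """Re-hash the bytes and compare with the id they were stored or requested
    under. Run on ingest (refuse to store a mismatch) and on egress (refuse to
    serve one). A match proves the bytes are what the id names, nothing more."""
    algo, _, hexdigest = expected_id.partition(":")
    try:
        expected = bytes.fromhex(hexdigest)
    except ValueError:
        return False
    if algo != "sha256" or len(expected) != hashlib.sha256().digest_size:
        return False
    return hmac.compare_digest(hashlib.sha256(blob).digest(), expected)

# ---- npm: the registry/lockfile 'integrity' field is an SRI string ----

def npm_integrity(tarball: bytes) -> str:
    """SRI string as npm records it: 'sha512-' + base64(sha512(tarball))."""
    return "sha512-" + base64.b64encode(hashlib.sha512(tarball).digest()).decode()

def verify_npm(tarball: bytes, integrity: str) -> bool:
    """Check a fetched tarball against an SRI string (sha256/384/512 accepted)."""
    algo, _, b64 = integrity.partition("-")
    if algo not in ("sha256", "sha384", "sha512"):
        return False
    try:
        expected = base64.b64decode(b64, validate=True)
    except ValueError:
        return False
    return hmac.compare_digest(hashlib.new(algo, tarball).digest(), expected)

# ---- Go: go.sum and sum.golang.org record 'h1:' hashes (dirhash.Hash1) ----

def go_h1(files: dict[str, bytes]) -> str:
    """Hash1: sha256 over '<sha256 hex>  <name>\n' per file in sorted name
    order, base64-encoded, prefixed with 'h1:'. Only names and contents count,
    so zip compression or timestamps never change the hash."""
    summary = hashlib.sha256()
    for name in sorted(files):
        if "\n" in name:
            raise ValueError("dirhash: filenames with newlines are not supported")
        summary.update(f"{hashlib.sha256(files[name]).hexdigest()}  {name}\n".encode())
    return "h1:" + base64.b64encode(summary.digest()).decode()

def go_zip_h1(zip_bytes: bytes) -> str:
    """HashZip: Hash1 over a module zip's entries, keyed by their in-zip names."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return go_h1({info.filename: zf.read(info) for info in zf.infolist()})

def gosum_lines(module: str, version: str, zip_bytes: bytes, go_mod: bytes) -> list[str]:
    """The two go.sum records for one module version: the zip hash and the
    go.mod hash (Hash1 over a single file named 'go.mod')."""
    return [
        f"{module} {version} {go_zip_h1(zip_bytes)}",
        f"{module} {version}/go.mod {go_h1({'go.mod': go_mod})}",
    ]

def build_module_zip(files: dict[str, bytes]) -> bytes:
    """Constructed module zip (Go lays files out under '<module>@<version>/')."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in files.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed sample module: example.com/m v1.0.0 with a go.mod and one source file.
SAMPLE_GO_MOD = b"module example.com/m\n\ngo 1.22\n"
SAMPLE_FILES = {
    "example.com/m@v1.0.0/go.mod": SAMPLE_GO_MOD,
    "example.com/m@v1.0.0/m.go": b"package m\n\nfunc Answer() int { return 42 }\n",
}
SAMPLE_ZIP = build_module_zip(SAMPLE_FILES)

def check_go_pull(zip_bytes: bytes, go_mod: bytes, recorded: list[str],
                  module: str = "example.com/m", version: str = "v1.0.0") -> bool:
    """Gate a Go module pull: both records recomputed from the fetched bytes
    must equal what the source of truth (go.sum / sum.golang.org) recorded."""
    computed = gosum_lines(module, version, zip_bytes, go_mod)
    return len(computed) == len(recorded) and all(
        hmac.compare_digest(c.encode(), r.encode()) for c, r in zip(computed, recorded))

if __name__ == "__main__":
    recorded = gosum_lines("example.com/m", "v1.0.0", SAMPLE_ZIP, SAMPLE_GO_MOD)
    print("\n".join(recorded))
    tampered = build_module_zip({**SAMPLE_FILES, "example.com/m@v1.0.0/m.go": b"package m\n"})
    print("clean pull accepted:", check_go_pull(SAMPLE_ZIP, SAMPLE_GO_MOD, recorded))
    print("tampered pull accepted:", check_go_pull(tampered, SAMPLE_GO_MOD, recorded))
```

Two design points worth noticing. The Go hash covers file names and contents, not the archive bytes, so a proxy can re-pack a module zip without breaking the record, but it cannot change a single byte of source without the `h1:` moving; and the same recomputation is what catches a version that upstream has quietly re-published with different content. All comparisons use `hmac.compare_digest` so the check's timing does not depend on how many leading bytes of a forged digest happen to match.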
An exportable audit spine
Every pull is attributed to a principal (who, what, from where, when), and a CycloneDX SBOM can be rebuilt on demand from that record. It's a first-class surface you can query and export whenever you need it.
What we don't claim
An honest page is more useful than a wall of logos, so:
- SAML & SCIM aren't shipped yet — OIDC SSO is. Both are on the roadmap; if your IdP needs SAML today, tell us and we'll talk timelines.
- Third-party audits (SOC 2 reports, ISO 27001 certification): we won't imply a certification we don't hold. If one is a procurement gate for you, talk to us about where we are and what we can commit to.
Building the supply-chain tool means holding ourselves to its standard. We'd rather you read this and trust the rest of the page.