Product · Safeguard Secure Libraries

Vetted, signed open-source libraries. Fewer CVEs, faster patches, full provenance.

A curated catalogue of OSS libraries across npm, PyPI, Maven, Go, Cargo, and RubyGems — rebuilt with patched transitive dependencies, signed with sigstore, attested in-toto, and shipped through your existing package manager. Drop-in semantics; provenance built in.

6 ecosystems

npm, pypi, maven, go, cargo, gem

Rebuilt

From source, with patches applied

Signed

Sigstore + in-toto attestation

Drop-in

Same names, your existing lockfiles

Capabilities

Drop-in replacements your build won't notice.

Same module names, same APIs, same lockfile shape. The difference is the dependency graph beneath — patched, signed, and provenance-backed.

Curated catalogue across six ecosystems

npm, PyPI, Maven, Go modules, Cargo, and RubyGems. Each catalogue entry is a real OSS library you already depend on, rebuilt with patched transitive dependencies — same module name, same API.

Patched transitive dependencies

When a library you depend on ships a transitive with a known CVE that upstream hasn't fixed, our build re-pins the dependency to a patched version and republishes. The original semantics, minus the CVE.

Signed bundles with in-toto attestation

Every published package carries a sigstore signature and an in-toto attestation pointing at the source commit, the build platform, and the patch set applied. Reproducible, verifiable, auditable.

Lockfile generator

Run the CLI against your existing package.json, requirements.txt, pom.xml, go.mod, Cargo.toml, or Gemfile and get a generated lockfile that pins to the vetted variants where they exist, the original upstream where they don't.

Works with your package manager

Configure your registry to fall back through the Safeguard mirror. npm install, pip install, mvn install, go get, cargo build, bundle install — no syntax change for the engineer, no new CLI to learn.

Fast patch SLAs published per library

Each library in the catalogue ships with a stated patch SLA — most are under 48 hours from upstream disclosure. The SLA is tracked against actual delivery and published as a rolling time-series.

How it works

From mirror config to signed install.

Browse the catalogue

Search for the libraries you already depend on. Each entry shows the upstream version, the patches applied, the SBOM, and the signature.

Add the mirror to your registry config

One config line: an .npmrc entry, a pip index URL, a Maven settings.xml mirror, a Go GOPROXY value. Your package manager keeps working as it does today.

Generate or refresh the lockfile

Run the Safeguard CLI lockfile generator. The output pins to vetted variants for libraries we cover; upstream is used for the rest.

Verify on install

Configure your install step to check signatures. Unsigned packages fail closed. The verification key is pinned, so a compromise of the public registry doesn't matter.

Receive patch notifications

Subscribe to the libraries you pulled. New patched versions notify your team, with the CVE delta and an upgrade command for your package manager.

Operational notes

Same engineer experience.

Same module names. Your import statements don't change. The catalogue is a transparent overlay, not a fork.

Air-gap support — pre-download the catalogue, verify the bundle, install offline. No SaaS call required at build time.

Falls back to the upstream registry for libraries we haven't curated. You get vetted variants where they exist, upstream where they don't.

Compatible with private registries — JFrog, Sonatype, GitHub Packages, AWS CodeArtifact. The mirror chains beneath your internal one.

How SCA reads the patched lockfile

Patch the dependencies upstream hasn't.

Browse the catalogue, run the lockfile generator against one of your repos, and see how many CVEs disappear in a single mirror change.