Safeguard
Back to home
Drill-down · Zero-CVE registry

500K+ zero-CVE components

Every artifact in the Safeguard Gold Registry is built, scanned, attested, signed, and shipped by us — zero known CVEs at publish time, monitored continuously, and rebuilt when an upstream CVE appears.

By ecosystem

Ten ecosystems, weighted toward what teams actually deploy. Coverage is reported against each ecosystem's most-installed packages.

npm
92% of top-50K
160K
PyPI
89% of top-50K
120K
Maven Central
84% of top-25K
55K
NuGet
88% of top-10K
43K
Go modules
76% of top-10K
36K
Rust / crates.io
81% of top-10K
29K
RubyGems
94% of top-5K
20K
PHP Composer
83% of top-5K
19K
Container images
Distroless + minimal
15K
Helm charts
All CNCF-graduated
3.5K

Growth curve

From 6,000-artifact milestone (Feb 2026) to 500K+ in four months.

  1. Feb 2026
    6,000
    Gold Registry milestone — curated launch
  2. Mar 2026
    60K
    Top-1K-per-ecosystem expansion
  3. Apr 2026
    180K
    Mass-ingestion + automated rebuild pipeline
  4. May 2026
    420K
    Full-tail coverage across major package managers
  5. Jun 2026
    500K+
    Current — every major package manager covered

How “zero-CVE” is measured

Zero-CVE at publish: every artifact passes a five-stage pipeline — reproducible build, SBOM generation, vulnerability scan against NVD + OSV + GitHub Advisories + vendor-specific databases, in-toto attestation, and Sigstore signing. Publish is blocked if any stage detects a known CVE in the artifact or its transitive build inputs.

Continuous monitoring: when a new CVE is published against an upstream component, the affected Gold artifact is rebuilt with the patched upstream (or with a Safeguard-maintained backport when upstream has gone quiet) and republished. Customers see the new digest in their TPRM feed within hours.

What it excludes: “zero-CVE” refers to known, published CVEs. It does not claim absence of undiscovered vulnerabilities — that's what reachability analysis, Griffin AI's Zero Day discovery pipeline, and runtime guardrails address.

Product
SBOM Studio →
How customers ingest, slice, and distribute these components.
Product
Marketplace →
Browse the Gold Registry — search by name, license, or ecosystem.