10M+ zero-CVE components
Every artifact in the Safeguard Gold Registry is built, scanned, attested, signed, and shipped by us — zero known CVEs at publish time, monitored continuously, and rebuilt when an upstream CVE appears.
By ecosystem
Ten ecosystems, weighted toward what teams actually deploy. Coverage is reported against each ecosystem's most-installed packages.
Growth curve
From the 6,000-artifact milestone (Feb 2026) to 10M+ in three months.
- Feb 2026 (6,000 artifacts): Gold Registry milestone — curated launch
- Mar 2026 (180K artifacts): Top-1K-per-ecosystem expansion
- Apr 2026 (2.1M artifacts): Mass-ingestion + automated rebuild pipeline
- May 2026 (10M+ artifacts): Current — full-tail coverage of every major package manager
How “zero-CVE” is measured
Zero-CVE at publish: every artifact passes a five-stage pipeline — reproducible build, SBOM generation, vulnerability scan against NVD + OSV + GitHub Advisories + vendor-specific databases, in-toto attestation, and Sigstore signing. Publish is blocked if any stage detects a known CVE in the artifact or its transitive build inputs.
Continuous monitoring: when a new CVE is published against an upstream component, the affected Gold artifact is rebuilt with the patched upstream (or with a Safeguard-maintained backport when upstream has gone quiet) and republished. Customers see the new digest in their TPRM feed within hours.
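The two mechanisms above (a publish gate that blocks on any known CVE in the artifact or its transitive build inputs, and a rebuild trigger fired when a new advisory lands against an upstream component) reduce to one operation: matching every component recorded in an artifact's SBOM against an advisory feed. The following is an added illustration of that matching logic, not Safeguard's own pipeline code. It assumes a simplified advisory shape (one affected package, an "introduced" version and an optional "fixed" version, compared as dotted integers), and the CVE identifiers, package names and digests are constructed placeholders.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric versions only (assumption; real ecosystems need PEP 440 / semver parsers)."""
    return tuple(int(p) for p in v.split("."))


@dataclass(frozen=True)
class Component:
    ecosystem: str
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    cve: str
    ecosystem: str
    package: str
    introduced: str            # first affected version (inclusive)
    fixed: Optional[str]       # first fixed version (exclusive); None = no upstream fix yet

    def affects(self, c: Component) -> bool:
        if (c.ecosystem, c.name) != (self.ecosystem, self.package):
            return False
        v = parse_version(c.version)
        if v < parse_version(self.introduced):
            return False
        # With no fix published, every version from `introduced` onward is affected;
        # this is the case where a maintained backport, not a version bump, is needed.
        return self.fixed is None or v < parse_version(self.fixed)


@dataclass
class Artifact:
    name: str
    digest: str
    sbom: List[Component]      # direct components plus transitive build inputs


def scan(artifact: Artifact, advisories: List[Advisory]) -> List[str]:
    """Return the sorted, de-duplicated CVE ids matching any SBOM component."""
    return sorted({a.cve for a in advisories for c in artifact.sbom if a.affects(c)})


def publish_gate(artifact: Artifact, advisories: List[Advisory]) -> Tuple[bool, List[str]]:
    """Publish is allowed only when the scan finds nothing; findings are returned for the record."""
    findings = scan(artifact, advisories)
    return (not findings, findings)


def artifacts_to_rebuild(registry: List[Artifact], new_advisories: List[Advisory]) -> Dict[str, List[str]]:
    """Map each already-published artifact to the new CVEs that now affect it."""
    hits = {art.name: scan(art, new_advisories) for art in registry}
    return {name: cves for name, cves in hits.items() if cves}


# Constructed sample data (placeholder CVE ids, package names and digests).
ADVISORIES_AT_PUBLISH = [
    Advisory("CVE-XXXX-0001", "pypi", "libfoo", introduced="1.0.0", fixed="1.2.0"),
]
NEW_ADVISORY = Advisory("CVE-XXXX-0002", "pypi", "libbar", introduced="2.0.0", fixed=None)

ARTIFACTS = [
    Artifact("svc-a", "sha256:placeholder-a", [
        Component("pypi", "libfoo", "1.2.0"),
        Component("pypi", "libbar", "2.0.1"),   # transitive build input
    ]),
    Artifact("svc-b", "sha256:placeholder-b", [
        Component("pypi", "libfoo", "1.1.0"),   # still inside the affected range
        Component("pypi", "libbar", "1.9.0"),
    ]),
]

if __name__ == "__main__":
    for art in ARTIFACTS:
        ok, findings = publish_gate(art, ADVISORIES_AT_PUBLISH)
        print(f"{art.name}: {'PUBLISH' if ok else 'BLOCKED'} {findings}")
    # Later: a new advisory arrives; pick the published artifacts that must be rebuilt.
    print("rebuild:", artifacts_to_rebuild(ARTIFACTS, [NEW_ADVISORY]))
```

Two design points carry over to a real pipeline: the gate scans the full SBOM, including build-time inputs, not just the runtime dependency list, and the rebuild selector runs the same matcher over the stored SBOMs of already-published artifacts rather than re-resolving dependencies, so a new advisory maps to affected digests without rebuilding everything.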
What it excludes: “zero-CVE” refers to known, published CVEs. It does not claim absence of undiscovered vulnerabilities — that's what reachability analysis, Griffin AI's Zero Day discovery pipeline, and runtime guardrails address.