500K+ zero-CVE components
Every artifact in the Safeguard Gold Registry is built, scanned, attested, signed, and shipped by us — zero known CVEs at publish time, monitored continuously, and rebuilt when an upstream CVE appears.
By ecosystem
Ten ecosystems, weighted toward what teams actually deploy. Coverage is reported against each ecosystem's most-installed packages.
Growth curve
From 6,000-artifact milestone (Feb 2026) to 500K+ in four months.
- Feb 20266,000Gold Registry milestone — curated launch
- Mar 202660KTop-1K-per-ecosystem expansion
- Apr 2026180KMass-ingestion + automated rebuild pipeline
- May 2026420KFull-tail coverage across major package managers
- Jun 2026500K+Current — every major package manager covered
How “zero-CVE” is measured
Zero-CVE at publish: every artifact passes a five-stage pipeline — reproducible build, SBOM generation, vulnerability scan against NVD + OSV + GitHub Advisories + vendor-specific databases, in-toto attestation, and Sigstore signing. Publish is blocked if any stage detects a known CVE in the artifact or its transitive build inputs.
Continuous monitoring: when a new CVE is published against an upstream component, the affected Gold artifact is rebuilt with the patched upstream (or with a Safeguard-maintained backport when upstream has gone quiet) and republished. Customers see the new digest in their TPRM feed within hours.
What it excludes: “zero-CVE” refers to known, published CVEs. It does not claim absence of undiscovered vulnerabilities — that's what reachability analysis, Griffin AI's Zero Day discovery pipeline, and runtime guardrails address.