With the proliferation of AI coding assistants, ActiveState offers a tool-agnostic security layer for open source dependencies: components built from source and delivered through standard artifact repositories, so that dependency intake is governed regardless of which AI tools developers use.
ActiveState, the world leader in trusted managed open source software, announced that it is expanding support for AI-assisted development environments through the ActiveState Curated Catalog. Curated Catalog delivers open source components through standard artifact repositories and native package managers, so it works wherever developers get their dependencies, including AI coding environments like Cursor, Claude Code, GitLab Duo, Tabnine, Windsurf, and JetBrains AI. Security governance works with developers, not around them.
The problem: AI coding assistants create open source risks at machine speed
The core security risk of AI-assisted development is not the AI tool itself but the dependencies it introduces. When these tools generate code, they add imports and install commands that resolve against public package registries, which serve open source software. Every prompt is a potential dependency request, and the registries those requests hit were not designed with any particular enterprise's security posture in mind. The attack surface grows at machine speed; the security teams responsible for it do not.
How ActiveState Curated Catalog works
ActiveState Curated Catalog addresses this directly. The security team maintains a private, policy-managed repository of open source components drawn from the ActiveState library, a collection of more than 79 million components built from source within SLSA Level 3 build infrastructure. When an AI coding assistant requests a package or dependency, the request is served from the curated catalog instead of a public registry. Developers therefore consume packages that are built from source, continuously monitored, and automatically updated when community-approved fixes become available. Governance is built in at the point of consumption, the only place that can realistically keep pace with the volume of code AI generates.
Main features
- Tool-independent integration: Works with any AI coding assistant that pulls dependencies from standard artifact repositories or native package managers, including Cursor, Claude Code, GitLab Duo, Tabnine, Windsurf, and JetBrains AI.
- 79 million components across 12 languages, built from source: All ActiveState Library components are built from source in SLSA Level 3 compliant infrastructure, providing verified provenance and an immutable audit trail.
- Contractual SLA for vulnerability remediation: Critical CVEs are remediated within 5 business days, high within 10 business days, and all others within 30 business days, compared to an industry average of over 60 days.
- Native artifact repository compatibility: Works with popular artifact repositories such as JFrog Artifactory, Sonatype Nexus, GitHub Packages, AWS CodeArtifact, GitLab Package Registry, Google Artifact Registry, and Azure Artifacts. No new tools or CI/CD changes are required.
- Continuous monitoring and automatic updates: When the open source community releases fixes, ActiveState automatically builds and publishes updated components, so security teams are not left with a CVE backlog to manage on their own.
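The mechanism described in "How ActiveState Curated Catalog works" and in the integration features above is point-of-consumption governance: the package manager an AI assistant invokes must resolve every dependency through the curated index, never a public registry. The check below is an added example, not ActiveState's code or any product's configuration; it audits the pip.conf and .npmrc text a developer machine or CI runner carries for settings that let a resolution escape to a public registry. The internal repository URL and the repository path layout are placeholder assumptions. The two caveats it encodes are general ones: pip merges every extra-index-url with index-url and picks across all of them, so a public extra index reopens dependency confusion, and an npm scoped registry covers only that scope, leaving unscoped packages on the default registry.

```python
"""Audit the package-manager configuration an AI coding assistant inherits.

Added example (not ActiveState code): flags pip.conf / .npmrc settings that let
a dependency request bypass a private, policy-managed index. The private index
URL below is a placeholder assumption, not a real endpoint.
"""
import configparser
from urllib.parse import urlparse

# Assumed internal artifact repository (placeholder, not a real endpoint).
PRIVATE_INDEX = "https://artifacts.example.internal"

# Public registries a curated-catalog policy must never resolve against directly.
PUBLIC_HOSTS = {"pypi.org", "files.pythonhosted.org",
                "registry.npmjs.org", "registry.yarnpkg.com"}


def _host(url):
    return (urlparse(url.strip()).hostname or "").lower()


def audit_pip_conf(text):
    """Return a list of findings for a pip.conf / pip.ini body (empty list = ok)."""
    findings = []
    cp = configparser.ConfigParser()
    cp.read_string(text)
    if not cp.has_section("global"):
        findings.append("no [global] section: pip defaults to pypi.org")
        return findings
    g = cp["global"]
    index = g.get("index-url", "")
    if not index:
        findings.append("index-url unset: pip defaults to pypi.org")
    elif _host(index) in PUBLIC_HOSTS:
        findings.append(f"index-url points at public registry {_host(index)}")
    elif not index.startswith("https://"):
        findings.append("index-url is not https")
    # pip merges every extra-index-url with index-url and chooses the "best"
    # candidate across all of them, so any extra index reopens dependency confusion.
    for line in g.get("extra-index-url", "").splitlines():
        line = line.strip()
        if line:
            findings.append(f"extra-index-url {_host(line)} lets resolution reach another index")
    return findings


def audit_npmrc(text):
    """Return a list of findings for an .npmrc body of key=value lines (empty list = ok)."""
    kv = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        key, _, value = line.partition("=")
        kv[key.strip()] = value.strip()
    registry = kv.get("registry", "")
    registry_ok = bool(registry) and _host(registry) not in PUBLIC_HOSTS
    if registry_ok:
        return []
    msg = "default registry unset or public: unscoped packages resolve via registry.npmjs.org"
    # A scoped entry (@scope:registry=...) only covers that scope; it does not
    # redirect unscoped package names.
    if any(k.startswith("@") and k.endswith(":registry") for k in kv):
        msg += " (scoped registries present but they cover only their own scope)"
    return [msg]


# Constructed sample configurations: the weak form an AI tool would inherit,
# beside the hardened form that pins resolution to the curated index.
WEAK_PIP_CONF = f"""[global]
index-url = {PRIVATE_INDEX}/api/pypi/curated/simple
extra-index-url = https://pypi.org/simple
"""
HARDENED_PIP_CONF = f"""[global]
index-url = {PRIVATE_INDEX}/api/pypi/curated/simple
"""
WEAK_NPMRC = f"""@corp:registry={PRIVATE_INDEX}/api/npm/curated/
"""
HARDENED_NPMRC = f"""registry={PRIVATE_INDEX}/api/npm/curated/
"""

if __name__ == "__main__":
    for name, fn, text in [("weak pip.conf", audit_pip_conf, WEAK_PIP_CONF),
                           ("hardened pip.conf", audit_pip_conf, HARDENED_PIP_CONF),
                           ("weak .npmrc", audit_npmrc, WEAK_NPMRC),
                           ("hardened .npmrc", audit_npmrc, HARDENED_NPMRC)]:
        print(name, "->", fn(text) or ["ok"])
```

Run it against the config files on a developer workstation or CI image before enabling an AI assistant there; an empty result for both auditors means the assistant's install commands cannot reach a public registry through pip or npm configuration alone (network egress rules are a separate control and are not checked here).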
Why security can’t be tied to a single AI tool
“The market is moving toward tighter integration between individual AI coding tools and security vendors,” said ActiveState CEO Abby Kearns. “That’s the wrong frame. Developers aren’t using one AI tool. They might not be using the same AI tool 18 months later. You can’t tie a security layer to a tool. You have to couple it to a dependency. That’s exactly what a curated catalog does and why our architecture was built this way from the beginning.”
What this means for security leaders: provenance, compliance, and personal responsibility
In the 2026 regulatory environment, the burden of proof has changed. The EU Cyber Resilience Act and SEC disclosure requirements place the onus on security leaders to prove that software is secure at the point of origin. Pointing at a scanner report is no longer sufficient. ActiveState's immutable provenance, automated audit trails, and contractual remediation SLAs give organizations and their security leaders a defensible, documented program under current regulatory frameworks.