ActiveState Curated Catalog Secures AI-Generated Code Across Any Development Environment

PR Newswire

As AI coding assistants proliferate, ActiveState delivers the only tool-agnostic, built-from-source open source security layer that governs dependency ingestion regardless of which AI tool developers use

VANCOUVER, BC, April 30, 2026 /PRNewswire/ — ActiveState, a global leader in trusted, managed open source software, today announced expanded support for AI-assisted development environments through the ActiveState Curated Catalog. Because the Curated Catalog delivers open source components through standard artifact repositories and native package managers, it works wherever developers pull dependencies, including AI coding environments such as Cursor, Claude Code, GitLab Duo, Tabnine, Windsurf, and JetBrains AI. Security governance moves with the developer, not around them.

The Problem: AI Coding Assistants Generate Open Source Risk at Machine Speed
The security risk at the heart of AI-assisted development is not the AI tool itself. It is the open source software those tools pull from public registries when generating code. Every prompt is a potential dependency request, and the registries those requests hit were not designed with enterprise security posture in mind. The attack surface is expanding at machine speed, and the security teams responsible for it are not.

How the ActiveState Curated Catalog Works
The ActiveState Curated Catalog addresses this directly. Security teams curate a private, policy-governed repository of open source components drawn from the ActiveState Library, a collection of more than 79 million components built from source within SLSA Level 3 infrastructure. When an AI coding assistant requests a package or a dependency, it pulls from that curated catalog rather than a public registry, ensuring that developers use packages that are built from source, continuously monitored, and automatically updated when community-approved fixes are available. Governance is embedded at the point of consumption, which is the only place it can realistically keep pace with AI-generated code volume.

Key Capabilities

  • Tool-agnostic integration: Works with any AI coding assistant that pulls dependencies from standard artifact repositories or native package managers, including Cursor, Claude Code, GitLab Duo, Tabnine, Windsurf, and JetBrains AI.
  • 79 million built-from-source components across 12 languages: Every component in the ActiveState Library is built from source within SLSA Level 3–compliant infrastructure, delivering verified provenance and an immutable audit trail.
  • Contractual SLAs for vulnerability remediation: Critical CVEs remediated within 5 business days, high within 10, and all others within 30, against an industry average mean time to remediate that lags upwards of 60 days.
  • Native artifact repository compatibility: Works seamlessly with popular artifact repositories like JFrog Artifactory, Sonatype Nexus, GitHub Packages, AWS CodeArtifact, GitLab Package Registry, Google Artifact Registry, Azure Artifacts, and others. No new tooling or CI/CD changes required.
  • Continuous monitoring and automatic updates: When the open source community releases a fix, ActiveState builds and publishes the updated component automatically. Security teams are not handed a CVE backlog to manage themselves.

Why Security Cannot Be Tethered to a Single AI Tool
“The market is moving toward deeply coupled integrations between individual AI coding tools and security vendors,” said Abby Kearns, CEO, ActiveState. “That is the wrong frame. Your developers are not using one AI tool, and they may not be using the same one in 18 months. The security layer cannot be coupled to the tool. It has to be coupled to the dependency. That is exactly what the Curated Catalog does, and it is why our architecture was built this way from the start.”

What This Means for Security Leaders: Provenance, Compliance, and Personal Liability
In the 2026 regulatory environment, the burden of proof has shifted. The EU Cyber Resilience Act and SEC disclosure requirements place the onus on security leaders to demonstrate that software was secure at the point of origin. Pointing to a scanner is not a sufficient defense. ActiveState’s immutable provenance, automated audit trails, and contractual remediation SLAs constitute a reasonably designed program under current regulatory frameworks, one that protects the organization and the security leader personally.

To learn more about the ActiveState Curated Catalog, visit www.activestate.com.

About ActiveState
ActiveState enables DevSecOps teams to improve their security posture while simultaneously increasing productivity and innovation to deliver secure applications faster. The company provides a trusted catalog of more than 79 million secure open source components and container images that can be consumed via artifact repository, CI/CD, IDE, or directly from ActiveState. ActiveState continuously monitors and updates the open source components to help keep companies vulnerability free. Companies using ActiveState see a 60-99% reduction in CVEs, improving their security posture, and save as much as 30% of developer time, eliminating the engineering toil typically associated with using open source software in commercial applications. Learn more at www.activestate.com.

View original content to download multimedia: https://www.prnewswire.com/news-releases/activestate-curated-catalog-secures-ai-generated-code-across-any-development-environment-302758350.html

SOURCE ActiveState