Secure Binaries and Community Binaries

Artifacts available on the ActiveState Platform are separated into “Community Binaries” available to all users, and “Secure Binaries” available to paid tiers (e.g. Team and Enterprise).

Community Binaries

All users can include artifacts built and provided by the community in their runtimes. These Community Binaries are available for every language on the Platform.

Because the origin of these artifacts cannot be verified, ActiveState does not classify them as “secure”. This does not mean that the binary or dependency is “insecure” or automatically poses a risk to your system; it means ActiveState cannot vouch for the artifact’s authenticity and provenance, because we cannot verify

  • Who built it
  • Where it was built
  • The conditions under which it was built

Including Community Binaries in your project is convenient, but it introduces uncertainty about your project’s security: an unverified origin leaves open questions about where the source came from, how it was built, whether the included code is legitimate, and what vulnerabilities may have been introduced along the way.

Secure Binaries

Team and Enterprise users have access to a catalog of Secure Binaries that ActiveState ingests and scores for safety. These binaries:

  • Are produced by a build service that offers isolated, ephemeral, hermetic, and verifiably reproducible builds.
  • Are built from source all the way down to system-level dependencies.
  • Come with provenance information and attestations recording how each artifact was built and who built it.

Community and Secure Binaries on the Platform

Paid tier users (e.g. Team and Enterprise) can add both Community and Secure Binaries to a project from the Configuration tab on the project page.

After completing your selection and saving the changes, go to the Download Builds tab on your project page to assess the associated risk to your project. You will find the security status of your project presented as a pie chart and the percentage labeled as “Secure.” There is also a brief summary of the number of packages in your project that were built using a secure build process and how many originated from a build process that cannot be verified.

For more detailed information about which specific packages were built using a secure build process, click the Package Build Status dropdown.


The table lists every artifact in your project whose build has completed, together with the status of its build process. Scroll down to find the packages with an unknown build process, and decide what actions (if any) you want to take to remediate the risk to your project.
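The provenance and attestation bullets above, and the per-package build status table described here, both come down to a consumer-side question: does a trustworthy build record exist for the exact bytes I downloaded, and who produced it? The following is an added example, not code from the ActiveState Platform or its documentation. It assumes an in-toto Statement carrying a SLSA v1 provenance predicate (a widely used attestation shape, but not necessarily the format ActiveState emits), a hypothetical trusted builder identity, and constructed artifact bytes; it classifies each artifact as “secure”, “rejected”, or “unknown build process” and rolls the results up the way the Download Builds summary does.

```python
"""Consumer-side provenance check for downloaded artifacts (illustrative, not ActiveState's code)."""
import hashlib
import json
from typing import Optional

# Assumed allowlist of builder identities we accept. ActiveState's real builder id is
# not given on the page, so this is a placeholder under a reserved example domain.
TRUSTED_BUILDERS = {"https://example.invalid/builders/hermetic-v1"}

SLSA_PREDICATE_PREFIX = "https://slsa.dev/provenance/"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def check_provenance(artifact: bytes, statement: Optional[dict],
                     trusted_builders: set = TRUSTED_BUILDERS) -> dict:
    """Evaluate ARTIFACT against an in-toto style provenance statement.

    status is one of:
      'secure'   - statement present, subject digest matches the bytes, builder is trusted
      'unknown'  - no statement at all (the page's "unknown build process")
      'rejected' - statement present but a check failed (digest mismatch or untrusted builder)
    """
    digest = sha256_hex(artifact)
    if statement is None:
        return {"status": "unknown", "digest": digest}

    # The attestation must be about *these* bytes, not merely a package with the same name.
    subject_ok = any(
        s.get("digest", {}).get("sha256", "").lower() == digest
        for s in statement.get("subject", [])
    )
    predicate_ok = str(statement.get("predicateType", "")).startswith(SLSA_PREDICATE_PREFIX)
    builder_id = (statement.get("predicate", {})
                  .get("runDetails", {})
                  .get("builder", {})
                  .get("id"))
    builder_ok = builder_id in trusted_builders
    ok = subject_ok and predicate_ok and builder_ok
    return {
        "status": "secure" if ok else "rejected",
        "digest": digest,
        "subject_matches": subject_ok,
        "predicate_is_provenance": predicate_ok,
        "builder_trusted": builder_ok,
        "builder_id": builder_id,
    }


def make_statement(artifact: bytes, name: str, builder_id: str) -> dict:
    """Build a minimal, unsigned SLSA v1 provenance statement for ARTIFACT (test fixture)."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": name, "digest": {"sha256": sha256_hex(artifact)}}],
        "predicateType": "https://slsa.dev/provenance/v1",
        "predicate": {
            "buildDefinition": {
                "buildType": "https://example.invalid/hermetic-build/v1",  # assumed
                "externalParameters": {"source": name},
            },
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def summarize(results: list) -> dict:
    """Project-level roll-up like the Download Builds summary: counts and percent secure."""
    counts = {"secure": 0, "unknown": 0, "rejected": 0}
    for r in results:
        counts[r["status"]] += 1
    total = len(results) or 1
    return {**counts, "percent_secure": round(100 * counts["secure"] / total, 1)}


# Constructed sample artifacts; not real packages.
ARTIFACT_A = b"wheel-bytes-of-package-a"
ARTIFACT_B = b"wheel-bytes-of-package-b"
ARTIFACT_C = b"community-tarball-bytes"

GOOD = make_statement(ARTIFACT_A, "package-a.whl", "https://example.invalid/builders/hermetic-v1")
UNTRUSTED = make_statement(ARTIFACT_B, "package-b.whl", "https://example.invalid/builders/someone-else")

if __name__ == "__main__":
    results = [
        check_provenance(ARTIFACT_A, GOOD),                   # secure
        check_provenance(ARTIFACT_A + b"tampered", GOOD),     # rejected: bytes differ from subject
        check_provenance(ARTIFACT_B, UNTRUSTED),              # rejected: builder not on allowlist
        check_provenance(ARTIFACT_C, None),                   # unknown: no attestation at all
    ]
    for r in results:
        print(r["status"], r.get("builder_id"))
    print(json.dumps(summarize(results)))
```

The statement here is unsigned, which is the point to keep in mind when reading the “Secure” percentage: a provenance record only carries weight when it is signed by the build service and the signature is verified before the digest and builder checks above are applied, otherwise anyone who can publish an artifact can publish a matching statement.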


Artifacts with an unknown build process pose a potential risk to your project, because ActiveState cannot verify their origin or contents. How much unverified content you accept in a project is a question of your own risk tolerance. If your projects must be built entirely from Secure Binaries (100% “Secure”) for compliance or regulatory purposes, please contact us.