Artifacts available on the ActiveState Platform are separated into “Community Binaries” available to all users, and “Secure Binaries” available to paid tiers (e.g. Team and Enterprise).
ActiveState empowers all users to include artifacts built and provided by the community in their runtimes. These Community Binaries are easily accessible to all users across all languages available on the Platform.
Because the origins of these artifacts are unclear or unverifiable, ActiveState does not classify the artifact as “secure”. This does not imply that the binary, dependency, etc. is “insecure” or poses an automatic risk to your system. Instead, ActiveState cannot ensure the authenticity and provenance of the artifact since we cannot verify
While including Community Binaries in your project is convenient, they can introduce a level of uncertainty regarding your project’s security. The origins of these binaries raise questions about potential vulnerabilities, their source, the build process, and the legitimacy of the included code.
Team and Enterprise users have access to a catalog of Secure Binaries that ActiveState deems “safe”, as they
For paid tier (e.g. Team and Enterprise) users, Community and Secure binaries can be added to a project from the Configuration tab on the project page.
After completing your selection and saving the changes, go to the Download Builds tab on your project page to assess the associated risk to your project. You will find the security status of your project presented as a pie chart and the percentage labeled as “Secure.” There is also a brief summary of the number of packages in your project that were built using a secure build process and how many originated from a build process that cannot be verified.
For more detailed information about which specific packages were built using a secure build process, click the Package Build Status dropdown.
The table shows all currently completed artifacts included in your project as well as the status of their build process. Scroll down to find the packages with an unknown build process, and decide what actions (if any) you want to take to remediate the risk to your project.
Artifacts with an unknown build process pose a potential risk to your project, given that ActiveState cannot verify their origin or contents. The level of security for your project hinges on your tolerance for risk. If your projects require 100% security for compliance or regulatory purposes, please contact us.