Validation of open source artifacts

Ensuring that your open source artifacts (packages, dependencies, bundles, binaries, etc.) are free from vulnerabilities is an important way of securing your software supply chain. Each artifact in your ActiveState runtime is built securely from source, following the SLSA framework best practices, including:

  • Isolated and ephemeral build environments: each build environment exists solely to build your runtime.
  • Runtime built as code: build files are stored in a version control system, ensuring that the build process can be reviewed and recreated if needed.
  • Non-falsifiable provenance: prevents users from tampering with build service-generated provenance. This only extends to the runtime itself; any first-party code generated by the user is not covered.

When managing your project, the State Tool validates the checksum of each artifact in your runtime to ensure that what you have received is correct, untampered, and uncorrupted. If a security vulnerability is discovered in one of your artifacts, a CVE report can be generated for review. You can then choose how to remediate the risks to your project.
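The checksum validation described above, as an added illustration that is not State Tool's own code: a producer records a digest for every built artifact in a manifest, and the consumer recomputes the digest of what it actually received and refuses anything that does not match. The manifest layout, the artifact names, and the use of SHA-256 are assumptions made for this example; the page does not specify which algorithm or format State Tool uses.

```python
"""Artifact checksum validation (added example; not State Tool code)."""
import hashlib
import hmac
from pathlib import Path
from typing import Dict

# Algorithms accepted for manifest entries (an assumption for this example).
SUPPORTED_ALGORITHMS = ("sha256", "sha512")


class ArtifactValidationError(Exception):
    """Raised when an artifact cannot be matched against its recorded digest."""


def digest_bytes(data: bytes, algorithm: str = "sha256") -> str:
    """Return the lowercase hex digest of in-memory artifact bytes."""
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported digest algorithm: {algorithm}")
    h = hashlib.new(algorithm)
    h.update(data)
    return h.hexdigest()


def digest_file(path: Path, algorithm: str = "sha256", chunk_size: int = 1 << 20) -> str:
    """Stream a file from disk in chunks so large artifacts are not read into memory."""
    if algorithm not in SUPPORTED_ALGORITHMS:
        raise ValueError(f"unsupported digest algorithm: {algorithm}")
    h = hashlib.new(algorithm)
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(artifacts: Dict[str, bytes], algorithm: str = "sha256") -> Dict[str, dict]:
    """Producer side: record the algorithm and digest of every artifact that was built."""
    return {
        name: {"algorithm": algorithm, "digest": digest_bytes(data, algorithm)}
        for name, data in artifacts.items()
    }


def verify_artifact(name: str, data: bytes, manifest: Dict[str, dict]) -> None:
    """Consumer side: recompute the digest of the received bytes and compare to the manifest."""
    entry = manifest.get(name)
    if entry is None:
        # An artifact with no recorded digest cannot be trusted, so it is rejected, not skipped.
        raise ArtifactValidationError(f"{name}: no digest recorded in manifest")
    algorithm = entry["algorithm"]
    expected = entry["digest"].lower()
    actual = digest_bytes(data, algorithm)
    # compare_digest does not stop at the first differing character, so a mismatch
    # takes the same time regardless of where the difference is.
    if not hmac.compare_digest(actual, expected):
        raise ArtifactValidationError(
            f"{name}: {algorithm} mismatch (expected {expected[:12]}..., got {actual[:12]}...)"
        )


def verify_all(artifacts: Dict[str, bytes], manifest: Dict[str, dict]) -> Dict[str, str]:
    """Validate every received artifact; map each name to 'ok' or to the failure reason."""
    results: Dict[str, str] = {}
    for name, data in artifacts.items():
        try:
            verify_artifact(name, data, manifest)
            results[name] = "ok"
        except ArtifactValidationError as exc:
            results[name] = str(exc)
    return results


if __name__ == "__main__":
    # Constructed sample artifacts; the names and contents are placeholders.
    built = {"example-pkg-1.0.tar.gz": b"original package bytes", "example-lib-2.3.whl": b"library bytes"}
    manifest = build_manifest(built)
    # Simulate a download where one artifact was altered or corrupted in transit.
    received = dict(built)
    received["example-pkg-1.0.tar.gz"] = b"original package bytez"
    for name, status in verify_all(received, manifest).items():
        print(f"{name}: {status}")
```

A runtime installer built on this pattern should treat any non-"ok" entry as fatal for the whole install rather than installing the artifacts that did pass, since a partially validated runtime is not a known-good one.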