ActiveState has announced the expansion of its secure open source catalog to encompass a staggering 79 million components, effectively doubling its coverage since 2025. This comprehensive catalog now supports over 12 programming languages, providing DevSecOps teams with a centralized resource for trusted open source components, significantly enhancing their software development and Common Vulnerabilities and Exposures (CVE) remediation efforts.
The ActiveState catalog includes key languages such as Java, JavaScript, Go, Python, and R, offering the broadest selection available in the market today. This release marks a significant shift from traditional scanning tools and image-only hardening techniques to a governed multi-language catalog that standardizes open source consumption for enterprises.
Addressing Open Source Challenges
Open source software serves as the backbone for 96% of modern applications, with organizations typically utilizing between 5 to 7 different languages in their development processes. While open source accelerates software development, it also introduces complexity and security risks. Each download from the open internet or public repositories heightens the exposure to vulnerabilities. Uncertain maintainer integrity and inconsistent update schedules can lead to zero-day threats, undermining a company’s security posture.
Developers face the daunting task of managing and maintaining third-party code to ensure it remains free of vulnerabilities. This responsibility often consumes 30-50% of their time, detracting from innovation and potentially jeopardizing compliance with regulations, which can have serious financial implications. The rise of AI code generators further complicates the landscape by increasing both the volume and opacity of these risks.
Introducing the ActiveState Catalog
ActiveState aims to simplify the open source landscape for DevSecOps teams with its enterprise-grade catalog. Unlike other solutions that focus on isolated languages or container layers, the ActiveState Catalog uniquely combines component-level coverage across the 12 most-used open source ecosystems. This approach standardizes the acquisition and updating of open source components, allowing companies to navigate the complexities of open source more effectively.
Container images are one output of the catalog, but they do not serve as the control point. This ensures that all entities leveraging open source within an organization maintain consistency. ActiveState’s offerings are not locked into proprietary formats, thus avoiding vendor lock-in. All components are continuously monitored and maintained, with an industry-leading five-business-day remediation service level agreement for critical CVEs, built from source in a SLSA-3 hardened environment.
In 2025, ActiveState’s open source build factory completed nearly 1 million successful builds for over 200 global clients. These builds include essential components, language cores, dependencies, and operating systems, ensuring a comprehensive and secure open source experience across the stack.
Companies such as Altair, Cisco, Moody’s, and Tesco have leveraged the ActiveState Catalog to streamline their development processes. By utilizing this resource, they have significantly reduced the time spent by developers searching for and evaluating open source components, achieving time savings of up to 30%. Additionally, these organizations have improved their overall security posture by minimizing CVEs by as much as 99%.
Juhani Kauppo, project manager at Statistics Finland, shared, “We use Python and R in our software development efforts, and sourcing, managing, and maintaining those from different sources increased our operational burden and risk profile. Partnering with ActiveState has allowed us to strip away that overhead and strengthen our security posture.”
ActiveState’s catalog initially grew to 40 million components in mid-2025 by adding support for Java and R, alongside existing offerings for Python, Perl, Ruby, and Tcl. As of January 2026, the catalog has expanded to include additional popular languages such as JavaScript, Go, Rust, PHP, .NET, C, C+, C++, and C#.
Bob Shaker, Chief Product and Technology Officer at ActiveState, stated, “Our customers are seeing the benefit of offloading the management and maintenance of open source to ActiveState. Our built-from-source components and ongoing CVE management provide all the advantages of open source without the associated headaches.”
For more information about ActiveState’s secure open source software catalog, visit www.activestate.com. The company continues to enhance its offerings, enabling organizations to improve their security posture while driving productivity and innovation in application development.
