The software-supply-chain registry
Every artifact leaves a trail.
Identity, provenance, advisories, SBOMs, and a full audit trail attached to every artifact in one product — the work other products sell as separate add-ons. Cloud or self-hosted, for less.
Catch a bad package before it spreads.
@acme-internal scope — flagged at intake on a namespace mismatch, with its tell-tale 100.100.100 version and the four internal services that pulled it. Microsoft flagged 33 such packages impersonating internal corporate scopes in May 2026.
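The intake check described above, as an added example that is not gastropod's own code: it flags a package whose scope is reserved for internal use but was resolved from the public upstream, or whose version has the inflated 100.100.100 shape, and lists the distinct principals that pulled that version. The scope name, the `hosted`/`upstream` source labels, and the pull-log entries are assumptions constructed for the example.

```python
# Added example (not gastropod's code); scope and version values follow the page's scenario.
from dataclasses import dataclass, field
from typing import Optional

# Scopes reserved for internal packages (assumption; scope taken from the page's example).
INTERNAL_SCOPES = {"@acme-internal"}
# Every version component at or above this is the classic "win the resolver" tell.
SUSPICIOUS_COMPONENT = 100

# Constructed pull-log entries (not real data): four services pulled the bad version.
SAMPLE_PULL_LOG = [
    {"package": "@acme-internal/auth-client", "version": "100.100.100", "principal": "svc-billing"},
    {"package": "@acme-internal/auth-client", "version": "100.100.100", "principal": "svc-checkout"},
    {"package": "@acme-internal/auth-client", "version": "100.100.100", "principal": "svc-search"},
    {"package": "@acme-internal/auth-client", "version": "100.100.100", "principal": "svc-notify"},
    {"package": "@acme-internal/auth-client", "version": "1.4.2", "principal": "svc-billing"},
]

@dataclass
class Finding:
    package: str
    version: str
    reasons: list = field(default_factory=list)
    pulled_by: list = field(default_factory=list)  # distinct principals, sorted

def scope_of(name: str) -> Optional[str]:
    """'@acme-internal/auth-client' -> '@acme-internal'; unscoped names -> None."""
    return name.split("/", 1)[0] if name.startswith("@") and "/" in name else None

def version_is_inflated(version: str) -> bool:
    """True when the version has >= 3 numeric components, all >= SUSPICIOUS_COMPONENT."""
    try:
        parts = [int(p) for p in version.split(".")]
    except ValueError:
        return False
    return len(parts) >= 3 and all(p >= SUSPICIOUS_COMPONENT for p in parts)

def check_intake(name: str, version: str, source: str, pull_log: list) -> Optional[Finding]:
    """source is 'hosted' (our own registry) or 'upstream' (public proxy); None if clean."""
    reasons = []
    if scope_of(name) in INTERNAL_SCOPES and source == "upstream":
        reasons.append("namespace mismatch: internal scope resolved from public upstream")
    if version_is_inflated(version):
        reasons.append("inflated version " + version)
    if not reasons:
        return None
    # Attribute the finding to every principal that pulled exactly this version.
    pulled_by = sorted({e["principal"] for e in pull_log
                        if e["package"] == name and e["version"] == version})
    return Finding(name, version, reasons, pulled_by)
```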
Stop rediscovering what you already know.
The same artifact shows up in dozens of packages, apps, and dependency chains across one company. Resolving and scanning it from scratch every time burns compute, scanner seats, analyst hours — and AI tokens. gastropod makes the artifact the unit of intelligence, so that work is done once per digest and amortized over every place it reappears.
- Reuse a prior high-quality result instead of re-running it on the same exact digest.
- When AI-assisted scanners are in the loop, that same dedup cuts duplicate token spend.
- A new advisory drops and you already know every place that artifact lives — one query, not a fleet-wide rescan.
- High-criticality artifacts can be forced to re-scan on policy; everything else rides the cache.
The whole supply chain in one tool.
Artifactory needs Xray. Nexus needs Lifecycle. Every capability is another product, another integration, another renewal. gastropod ships the registry, the intelligence, the SBOMs, the advisories, and the audit spine as one thing and costs less than the stack it replaces.
Other products:
- Repository manager
- + security / scanner add-on
- + SBOM & policy tier
- + audit / compliance tier
- = several products, several bills
gastropod:
- Registry + intelligence + SBOM
- + advisories + blast-radius + audit
- one self-hostable system
- = one product, one bill
What you get on day one.
Artifact intelligence
Exact PURL identity, where-seen history, and findings attached to the artifact — knowledge recorded once, not re-derived per project.
Vulnerability advisories
OSV advisories correlated to each package version and surfaced as flags, with the inherited reach across dependents.
Blast-radius mapping
Direct and transitive dependents flattened into queryable edges. When a finding lands, see every package and consumer it reaches.
SBOM & provenance
CycloneDX SBOM reconstructed on demand; pulls verified against Go's checksum database, npm SRI, and Sigstore attestations.
Audit spine
Every pull attributed to a principal — who, what, from where, when — exportable for audit and incident response.
Scanner findings ingest
Bring your own scanner: ingest Trivy, Grype, Snyk, or Anchore output (CycloneDX, OpenVEX, native JSON) and attach it back to the record.
Nine ecosystems and growing.
Go, npm, Debian, OCI, PyPI, Maven, Alpine, RHEL, NuGet, and more — proxied or hosted behind one URL. Point your existing clients at it and watch identity, provenance, and the audit trail fill in.
What we do — and what we don't yet.
Isolated per tenant, encrypted in transit and at rest, OIDC SSO on every plan, an audit spine you can export. No logo wall — our security page says plainly what's shipped and what's still on the roadmap.