Gold Registry

Gold is Safeguard's curated registry of open source packages and container images that have been verified, hardened, and continuously monitored to contain zero critical CVEs, zero high CVEs, and zero malware. You pull a Gold artifact and you stop inheriting vulnerabilities you never chose.

What's in Gold

Over 6,000 artifacts across ten ecosystems:

All artifacts ship with a CycloneDX SBOM and a Sigstore signature.

What "Gold" Actually Means

Every Gold artifact passes, and continues to pass, these checks:

1. Zero critical and high CVEs in the artifact and in any level of its dependency tree (up to 100 levels deep).
2. Zero malware — Eagle (our classification model) has scanned and cleared every byte.
3. License verification — license is identified, compatible, and recorded in the SBOM.
4. Provenance — the artifact has a verifiable build attestation (SLSA Level 3+).
5. Signed — every artifact is signed with a Safeguard Sigstore identity.
6. Maintainer assessment — upstream maintainer health is scored; abandoned packages are not admitted.
7. Continuous revalidation — every Gold artifact is rescanned on every vulnerability feed update. If a new CVE is found, the artifact is either patched or de-listed.

Using Gold

Container Images

# Instead of:
FROM node:20-alpine

# Use:
FROM registry.safeguard.sh/gold/node:20

RUN npm ci
CMD ["node", "server.js"]

The Gold image has identical API, binaries, and behavior — just without the vulnerabilities. Pin by digest for reproducibility:

FROM registry.safeguard.sh/gold/node:20@sha256:abc123...

npm / PyPI / Maven / NuGet

Set the Safeguard Gold registry as an upstream in your package manager config and let it transparently substitute Gold artifacts:

# .npmrc
registry=https://registry.safeguard.sh/gold/npm/
//registry.safeguard.sh/gold/npm/:_authToken=${SAFEGUARD_TOKEN}

# pip.conf
[global]
index-url = https://registry.safeguard.sh/gold/pypi/simple
extra-index-url = https://pypi.org/simple

<!-- settings.xml -->
<repository>
  <id>safeguard-gold</id>
  <url>https://registry.safeguard.sh/gold/maven</url>
</repository>

Helm

helm repo add safeguard-gold https://registry.safeguard.sh/gold/helm
helm install my-release safeguard-gold/ingress-nginx

Custom Gold Requests

Need a hardened version of a package that isn't in Gold yet? Open a custom Gold request:

safeguard gold request \
  --ecosystem npm \
  --package react-router-dom \
  --version "^6.22.0"

Griffin generates a patched build, runs compatibility tests, and pushes to Gold typically within 24 hours. Enterprise tenants get a 4-hour SLA.

Zero-CVE Forks

When a package has an unpatched CVE and upstream hasn't released a fix, Gold publishes a forked version with the CVE patched. Naming convention:

• @safeguard-gold/<pkg> on npm
• safeguard-gold-<pkg> on PyPI
• com.safeguard.gold:<pkg> on Maven

The fork tracks upstream closely; Griffin submits the same fix upstream where possible.

Auditability

Every Gold artifact has a public evidence page at registry.safeguard.sh/gold/<ecosystem>/<package>/<version>:

• SBOM (CycloneDX + SPDX).
• Build provenance (SLSA).
• Sigstore signature and transparency log entry.
• Test results from Gold's compatibility suite.
• CVE scan history.
• License report.

Auditors can pull this evidence directly for FedRAMP, EO 14028, or CRA compliance.

Pricing and Access

• Free tier — pull public Gold artifacts; rate-limited.
• Pro — unlimited pulls, SLA on custom requests, private Gold forks.
• Enterprise — dedicated mirror inside your VPC, air-gapped snapshot delivery, custom SLA.

Related

• Self-Healing Containers — autonomous patching that ties into Gold.
• Continuous Scanning — how Gold artifacts are continuously revalidated.
• Attestation & Signing — the Sigstore layer under Gold.
• OSM — Open Source Manager uses Gold for dependency recommendations.