Skip to main content

CleanLibrary

CleanLibrary is a verdict-aware package enforcement layer for software supply chain security. Point your native package managers (npm, pip, go, cargo) at CleanLibrary's endpoints, and CleanLibrary serves package artifacts with an attached verdict and a signed policy attestation.

You get the same artifact bytes as upstream, plus signed metadata about whether the package is judged safe under your policy.

How it works

  1. Mirror + serve — CleanLibrary mirrors upstream packages and serves them unchanged from a content-addressed catalog.
  2. Verdict — every package carries a verdict (ALLOW / DENY / WARN) from CleanStart's analysis engine, with reasoning and confidence.
  3. Policy — you author the policy that decides what each verdict means for your organization, including explicit, audited risk-acceptance for packages you must keep.
  4. Attestation — every served artifact is signed with a cosign attestation binding the verdict and policy decision, so your compliance team can verify provenance.

Supported ecosystems

npm · PyPI · Go · crates

Get started

For access, contact CleanStart at cto.office@cleanstart.com.