Repod

Secure your software
supply chain.

Self-hosted APT repository manager with built-in CVE scanning, CISO approval queue, and NIS2 compliance — no cloud dependency.

NIS2 Article 21 compliant · AV & CVE scanning built-in · Deploy in 5 minutes · MIT · free forever

Every package goes through:

Upload (package received) → Scan AV (ClamAV) → CVE Analysis (Grype) → GPG Sign (auto-signed) → CISO Approve (dual control) → Deploy (ready in APT)
The reality

Public repositories ship
trust issues along
with every package.

Every public mirror is an uncontrolled surface. No vulnerability gate, no signature verification on delivery, no audit trail. The attack surface grows with every apt-get install.

29,000+
new CVEs published every year
Any of which can silently affect a package in your public mirror.
NIST NVD, 2023
245%
surge in supply chain attacks
Public repositories are the primary attack vector.
Sonatype SSSC Report
1 in 8
open-source packages are vulnerable
Downloaded and trusted — with no gate between internet and production.
Snyk Security Report 2023
327 days
average time to detect a supply chain breach
Nearly a year of silent exposure before discovery.
IBM Cost of a Data Breach, 2023
Three risks you cannot ignore
01

No verification at the gate

Public apt mirrors deliver packages without real-time vulnerability scanning. A compromised upstream silently updates — your next apt-get ships the malware to every server in your fleet. By the time your team notices, the damage is done.

02

Zero audit trail, zero compliance

You cannot prove what was installed, by whom, and when. NIS2 Article 21 requires exactly this evidence. Without an immutable record of every package event, compliance audits become a manual, error-prone reconstruction exercise.

03

Silent dependency drift

Transitive dependencies update without notice. A package your team trusted last quarter may pull in a newly disclosed critical vulnerability today. Public repositories have no mechanism to alert you, block the update, or require human approval.

The answer isn't a better public mirror.
It's a private repository where every package is scanned, signed, approved and logged before it can reach any server in your infrastructure.
See how Repod works
Security Pipeline

7-step verification before every deployment

No package reaches production without passing every gate. The pipeline is automatic — humans only intervene at the review step.

01
Upload
Developer uploads .deb via REST API or UI
02
AV Scan
ClamAV runs a full malware scan on the binary
03
CVE Scan
Trivy checks for known vulnerabilities with CVSS scores
04
Review Queue
Security Officer reviews scan results in the CISO dashboard
05
GPG Sign
Package is signed with the repository GPG key
06
Index
APT metadata (Packages.gz, Release) is regenerated
07
Distribute
apt-get update pulls the verified, signed package
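As an added illustration of steps 06 and 07 (this is example code written for this page, not Repod's own implementation), the script below builds a one-stanza Packages index and a minimal Release file for a constructed in-memory .deb, then verifies the hash chain Release → Packages → .deb the way an apt client does after apt-get update. The repository GPG signature over Release (Release.gpg / InRelease) sits above this chain and is assumed rather than reproduced; the package name, path and payload bytes are constructed sample values.

```python
"""Hash chain of an APT repository: Release -> Packages -> .deb.

Constructed example, not Repod's code. Builds the index metadata for an
in-memory .deb and verifies it as a client would. GPG signing of Release is
assumed to happen separately and is not reproduced here.
"""
import hashlib


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_packages_index(name, version, arch, filename, deb_bytes):
    """Step 06 (Index): one stanza of a Packages file for the uploaded .deb."""
    return (
        f"Package: {name}\n"
        f"Version: {version}\n"
        f"Architecture: {arch}\n"
        f"Filename: {filename}\n"
        f"Size: {len(deb_bytes)}\n"
        f"SHA256: {sha256_hex(deb_bytes)}\n"
        "\n"
    )


def build_release(suite, index_path, packages_bytes):
    """Minimal Release file listing the Packages index by SHA256 and size."""
    return (
        f"Suite: {suite}\n"
        f"Codename: {suite}\n"
        "Architectures: amd64\n"
        "Components: main\n"
        "SHA256:\n"
        f" {sha256_hex(packages_bytes)} {len(packages_bytes)} {index_path}\n"
    )


def parse_release_sha256(release_text):
    """Return {path: (sha256, size)} from the SHA256 block of a Release file."""
    entries = {}
    in_block = False
    for line in release_text.splitlines():
        if line.startswith("SHA256:"):
            in_block = True
            continue
        if in_block:
            if not line.startswith(" "):
                break  # end of the indented hash block
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(packages_text):
    """Return {package name: fields} for each stanza of a Packages file."""
    stanzas = {}
    for block in packages_text.strip().split("\n\n"):
        fields = {}
        for line in block.splitlines():
            key, _, value = line.partition(": ")
            fields[key] = value
        stanzas[fields["Package"]] = fields
    return stanzas


def verify_chain(release_text, index_path, packages_bytes, package_name, deb_bytes):
    """Step 07 (Distribute): the checks a client performs before installing.

    Returns (ok, reason). Assumes the Release file itself was already
    authenticated by its GPG signature.
    """
    release_entries = parse_release_sha256(release_text)
    if index_path not in release_entries:
        return False, "Packages index not listed in Release"
    digest, size = release_entries[index_path]
    if size != len(packages_bytes) or digest != sha256_hex(packages_bytes):
        return False, "Packages index does not match Release"
    stanza = parse_packages(packages_bytes.decode()).get(package_name)
    if stanza is None:
        return False, "package not in index"
    if int(stanza["Size"]) != len(deb_bytes) or stanza["SHA256"] != sha256_hex(deb_bytes):
        return False, ".deb does not match Packages index"
    return True, "ok"


# Constructed sample data: not a real .deb, just bytes with an ar header.
DEB = b"!<arch>\n" + b"constructed fake .deb payload for the example\n"
INDEX_PATH = "main/binary-amd64/Packages"
PACKAGES = build_packages_index(
    "nginx", "1.27.3-1", "amd64", "pool/main/n/nginx/nginx_1.27.3-1_amd64.deb", DEB
).encode()
RELEASE = build_release("focal", INDEX_PATH, PACKAGES)


def demo():
    """Intact chain, a tampered .deb, and a tampered index (version rewritten)."""
    good = verify_chain(RELEASE, INDEX_PATH, PACKAGES, "nginx", DEB)
    tampered_deb = verify_chain(RELEASE, INDEX_PATH, PACKAGES, "nginx", DEB + b"x")
    tampered_index = verify_chain(
        RELEASE, INDEX_PATH, PACKAGES.replace(b"1.27.3-1", b"1.27.3-2"), "nginx", DEB
    )
    return good, tampered_deb, tampered_index


if __name__ == "__main__":
    for label, result in zip(("intact", "tampered .deb", "tampered index"), demo()):
        print(f"{label}: {result}")
```

The point of the chain is that a tampered .deb fails against the Packages digest and a tampered Packages file fails against the Release digest, so an attacker who can alter files on the mirror still cannot pass verification without also forging the signature on Release.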
All pipeline steps are logged and exportable
Every scan result, every approval, every rejection — exported as JSON for your SIEM or compliance report.
Audit log reference →
Interface

Designed for security teams, not just developers

A clean, information-dense UI that gives your CISO real-time visibility without opening a terminal.

repod.acme.corp

Dashboard

Last updated 2 minutes ago

Total Packages
1 247
+12 today
Pending Review
3
Needs action
Critical CVEs
0
All clear
Distributions
6
focal · jammy · noble
Package          Version     Distribution  Status    Uploaded
nginx            1.27.3-1    focal         Approved  2h ago
openssl          3.0.14-0    jammy         Pending   3h ago
libssl-dev       3.0.14-0    jammy         Scanning  3h ago
curl             8.7.1-1     noble         Approved  5h ago
openssh-server   9.7p1-1     noble         Rejected  1d ago
Comparison

How Repod stacks up

The only APT repository manager with security-first features built-in — no add-ons, no extra licences.

Feature Repod You Nexus OSS Artifactory CE Aptly Cloudsmith
APT repository
Web UI
Built-in CVE scanning
AV malware scan
CISO review queue
GPG auto-sign
Audit trail
NIS2 compliance mode
RBAC (5 roles)
Self-hosted / air-gap
Single container
Open source (Community)

Comparison based on publicly available documentation. Last reviewed May 2026.

NIS2 · SecNumCloud ready

Compliance out of the box

Repod maps directly to NIS2 Article 21 requirements. Every action is logged, every package is traceable, every approval is documented — so your audit is ready when the auditor arrives.

Art. 21(2)(a) Risk analysis & security policies
Covered by: Audit trail + RBAC
Art. 21(2)(b) Incident handling
Covered by: CVE alerts + review queue
Art. 21(2)(d) Supply chain security
Covered by: GPG signing + AV/CVE scan
Art. 21(2)(e) Acquisition & development security
Covered by: Dual-control approval workflow
Art. 21(2)(l) Cryptography & encryption
Covered by: GPG + TLS (reverse proxy)
Read the full NIS2 compliance matrix
SecNumCloud alignment
ANSSI qualification path

Architecture documented for SecNumCloud qualification reviews. Self-hosted deployment with no foreign cloud dependencies meets sovereignty requirements.

One-command audit export
JSON · CSV · Syslog compatible
GET /api/v1/audit?from=2026-01-01&format=json
ISO 27001 evidence-ready
Repod's audit trail covers controls A.12.5 (software installation) and A.12.6 (vulnerability management).
Open source · MIT licence

Start for free,
right now.

Enterprise-grade package security — available today on GitHub. No account required. No usage limits. No telemetry.

GPG signed
ClamAV scanned
CVE analyzed
NIS2 compliant
Immutable audit log
Air-gap ready
SBOM export
SHA-256 verified
Dual control
Zero telemetry
Self-hosted
MIT licence

Community Edition · MIT · Read the docs →

Pricing

Simple, transparent pricing

Start free with the open-source Community Edition. Upgrade when your team needs enterprise security controls.

Community
Free
MIT licence · self-hosted · no account required
  • APT repo hosting — jammy · noble · focal · bookworm
  • Package upload via REST API & drag-and-drop UI
  • Antivirus scan on every upload
  • GPG auto-signing — keys managed automatically
  • Full web dashboard
  • Local user management
  • Import from any external APT mirror
  • Health & service monitoring
  • MIT licence — self-host anywhere, no telemetry
Enterprise Recommended
Contact us
Annual licence · unlimited packages
  • Everything in Community
  • Automated CVE analysis + CVSS scoring
  • CISO approval queue — dual-control workflow
  • Immutable audit trail — JSON & CSV export
  • RBAC — 5 roles + per-distribution control
  • LDAP / Active Directory integration
  • SBOM export — SPDX & CycloneDX
  • NIS2 Article 21 compliance mode
  • Email & webhook notifications
  • Priority support with SLA guarantee
  • Onboarding & migration session
Request a demo

No commitment · 30-day pilot available

Live demos available now

See Repod in action

Get a personalised 30-minute walkthrough with a live Repod instance. We'll show you the security pipeline, the CISO dashboard, and how to deploy in your environment.

Request your demo


Or email us directly at contact@getautoflow.dev