Repod — Enterprise APT Repository Manager¶

Your private APT repository, secured by design.¶

Ship Debian packages to your infrastructure with a full security pipeline — antivirus scanning, CVE analysis, GPG signing, SBOM generation, and an immutable audit trail. NIS2 and SecNumCloud ready.

Get started in 5 minutes Why Repod?

What Repod does¶

Security pipeline, built-in

Every package goes through 7 automated checks: format validation, SHA-256 provenance, ClamAV antivirus, Grype CVE scan, GPG signature, dependency resolution, and EPSS + CISA KEV enrichment. No package reaches production without passing.
Role-based access control

Five roles — reader, uploader, maintainer, auditor, admin — with a surgical permission matrix. Your CI/CD pipelines get uploader, your CISO gets auditor. No over-provisioning.
SBOM & compliance

Generate Software Bills of Materials in CycloneDX 1.5 and SPDX 2.3 for every package or your entire repository. NIS2 article 21, ANSSI SecNumCloud, and GDPR alignment built-in.
Immutable audit trail

Every action — upload, delete, CVE decision, login, config change — is logged to append-only JSONL files. 18 event types. SIEM-ready export. Nothing is ever rewritten.
CISO review queue

Critical CVEs don't just block — they enter a review queue. Your CISO sees CVSS score, EPSS probability, and CISA KEV status before approving or rejecting. Every decision is justified and logged.
GPG signing, zero Docker socket

Packages are signed with your GPG key. The signing infrastructure shares a volume — no Docker socket exposed to the backend. No privilege escalation vector.

Up and running in 60 seconds¶

git clone https://github.com/your-org/repod && cd repod
cp backend.env.example backend.env
# Edit backend.env: set JWT_SECRET_KEY and ADMIN_PASSWORD_HASH
docker compose up -d

Open http://localhost:3003 → sign in as admin.

Full installation guide →

Who uses Repod¶

DevOps teams

Replace ad-hoc dpkg -i workflows with a governed, auditable repository. Integrate with GitLab CI, GitHub Actions, or any HTTP client.
Security teams (CISO/RSSI)

Get visibility into every package entering your infrastructure. Review CVEs before they reach production. Export SBOM for compliance audits.
Regulated industries

Banks, healthcare, defense contractors, and public sector organizations use Repod to meet NIS2 supply-chain security requirements without cloud dependencies.

Repod vs. the alternatives¶

	Repod	Nexus OSS	Artifactory CE	Cloudsmith
APT repository	✅	✅	✅	✅
Built-in CVE scanning	✅	❌	❌	✅ (paid)
CISO review queue	✅	❌	❌	❌
SBOM (CycloneDX + SPDX)	✅	❌	❌	✅ (paid)
Immutable audit trail	✅	Partial	Partial	✅
NIS2 compliance page	✅	❌	❌	❌
Air-gap / on-premise	✅	✅	✅	❌
Open source	✅	✅	❌	❌
Self-hosted, no telemetry	✅	✅	✅	❌

Full comparison →

Documentation¶

Getting Started

Up and running in 5 minutes.
Tutorials

Step-by-step guides for common tasks.
How-to Guides

Solutions to specific problems.
API Reference

All 60+ endpoints with examples.
NIS2 / SecNumCloud

Compliance checklist and evidence.
Security dossier

Full CISO security briefing.