
Why Repod?

The problem with "just use a repo server"

Most teams discover the hard way that a bare APT repository is not a security control — it's a file server. You can tell exactly what is in there, but you cannot answer the questions your CISO or an NIS2 auditor will ask:

  • Who authorized this package to enter the infrastructure?
  • When was the CVE in that library accepted — and why?
  • Which packages contain Log4Shell-like vulnerabilities right now?
  • What software components are running on your production machines?

Generic solutions (Nexus, Aptly, a plain Nginx folder) answer none of these questions out of the box.


The Repod approach

Repod was designed around a single idea: every package must be justified.

Every .deb that enters Repod passes through a 7-step automated pipeline before it can be served to clients. If a critical CVE is found, the package doesn't get quietly published with a yellow warning — it enters a CISO review queue where a human with context and authority makes the call, writes a justification, and the decision is permanently logged.

Upload received
[1] Format validation (dpkg-deb)        reject if malformed
[2] SHA-256 provenance check            reject if tampered
[3] ClamAV antivirus scan               quarantine if infected
[4] Grype CVE analysis                  block / review / warn
[5] GPG signature verification          warn if unsigned
[6] Dependency resolution               warn if missing deps
[7] EPSS + CISA KEV enrichment          context for CISO decision
Published — or waiting for CISO approval
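The decision logic behind the diagram above, written out as an added example (this is not Repod's code, and the field names, severity threshold and sample scan values are constructed assumptions rather than real dpkg-deb, ClamAV or Grype output). It shows why steps [1] to [3] are hard rejections, why [5] and [6] only warn, and how [4] and [7] combine so that a flagged package waits for a reviewer who sees exploitation context, not just a severity label:

```python
"""Policy decision for one .deb upload, following the seven pipeline steps above.

Added illustration, not Repod's own code. Field names, the severity
threshold and the sample scan results are constructed assumptions; real
dpkg-deb, ClamAV and Grype output is richer than this.
"""
import hashlib
from dataclasses import dataclass

# Assumed policy: these Grype severities hold the package for human review.
REVIEW_SEVERITIES = {"Critical", "High"}


@dataclass
class Cve:
    cve_id: str      # constructed identifier, not a real CVE
    severity: str    # Grype-style severity label
    epss: float      # EPSS: probability of exploitation within 30 days (0..1)
    in_kev: bool     # listed in the CISA Known Exploited Vulnerabilities catalog


@dataclass
class ScanResult:
    dpkg_valid: bool         # [1] dpkg-deb could parse the archive
    declared_sha256: str     # [2] digest supplied with the upload
    payload: bytes           # [2] bytes actually received
    clamav_infected: bool    # [3] ClamAV verdict
    cves: list               # [4] Grype findings, already enriched for [7]
    gpg_signed: bool         # [5] valid GPG signature present
    missing_deps: list       # [6] unresolved Depends: entries


def evaluate_upload(scan: ScanResult) -> dict:
    """Return a verdict, the reasons behind it, and context for a reviewer."""
    warnings = []

    # [1] Malformed archives are rejected before anything else runs.
    if not scan.dpkg_valid:
        return {"verdict": "rejected", "reasons": ["malformed .deb (dpkg-deb)"], "review_context": []}

    # [2] Provenance: the received bytes must hash to the declared digest.
    actual = hashlib.sha256(scan.payload).hexdigest()
    if actual != scan.declared_sha256.lower():
        return {"verdict": "rejected",
                "reasons": [f"sha256 mismatch: declared {scan.declared_sha256}, computed {actual}"],
                "review_context": []}

    # [3] Infected uploads are quarantined rather than published with a warning.
    if scan.clamav_infected:
        return {"verdict": "quarantined", "reasons": ["ClamAV detection"], "review_context": []}

    # [5] and [6] only warn; on their own they never block publication.
    if not scan.gpg_signed:
        warnings.append("no valid GPG signature")
    if scan.missing_deps:
        warnings.append("unresolved dependencies: " + ", ".join(scan.missing_deps))

    # [4] + [7] Findings at or above the threshold go to review, carrying EPSS
    # and KEV status so the decision is not made from a CVSS label alone.
    review_context = [
        {"cve_id": c.cve_id, "severity": c.severity, "epss": c.epss, "in_kev": c.in_kev}
        for c in scan.cves if c.severity in REVIEW_SEVERITIES
    ]
    # Known-exploited first, then by EPSS descending: the order a reviewer should read them.
    review_context.sort(key=lambda c: (not c["in_kev"], -c["epss"]))
    lower = [c for c in scan.cves if c.severity not in REVIEW_SEVERITIES]
    if lower:
        warnings.append(f"{len(lower)} lower-severity CVE(s) recorded")

    if review_context:
        return {"verdict": "pending_review",
                "reasons": [f"{len(review_context)} CVE(s) at or above review threshold"] + warnings,
                "review_context": review_context}
    return {"verdict": "published", "reasons": warnings, "review_context": []}


def sample_scan() -> ScanResult:
    """Constructed scan for a fictional package; every value here is made up."""
    payload = b"constructed bytes standing in for a .deb archive"
    return ScanResult(
        dpkg_valid=True,
        declared_sha256=hashlib.sha256(payload).hexdigest(),
        payload=payload,
        clamav_infected=False,
        cves=[
            Cve("CVE-0000-0001", "High", 0.02, False),      # placeholder ids
            Cve("CVE-0000-0002", "Critical", 0.91, True),
            Cve("CVE-0000-0003", "Low", 0.001, False),
        ],
        gpg_signed=False,
        missing_deps=[],
    )


if __name__ == "__main__":
    import json
    print(json.dumps(evaluate_upload(sample_scan()), indent=2))
```

Run as a script, the sample lands in `pending_review` with the KEV-listed finding at the top of the review context and the missing signature recorded as a warning rather than a block.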

Core principles

  • Security by default, not by configuration

    The pipeline runs on every upload. There is no way to bypass it without modifying source code. ClamAV, Grype, and GPG are not optional plugins — they are part of the core.

  • Full visibility, always

    Eighteen event types are logged to append-only JSONL files. Every login, upload, CVE decision, configuration change, and token creation is recorded with timestamp, user, role, and source IP.

  • Separation of duties

    CI/CD pipelines get the uploader role — they can push packages but not approve CVEs. Your CISO gets auditor — read access to queues and logs, no write access. Nobody gets more than they need.

  • Yours, completely

    Self-hosted, air-gap compatible, no telemetry, no vendor lock-in. The data never leaves your infrastructure. Run it on a VM, a bare-metal server, or a Kubernetes cluster.


Who it's for

Audience, and the pain point Repod solves:

  • DevOps / Platform teams: replace ad-hoc scp + dpkg -i workflows with a governed, auditable repository that integrates with any CI/CD tool
  • CISO / Security teams: get a review queue for CVE-flagged packages, an SBOM for every artifact, and an immutable audit trail for auditors
  • Regulated industries (banking, healthcare, defense, public sector): meet NIS2 article 21 supply-chain requirements and ANSSI SecNumCloud guidelines without cloud dependencies
  • Platform engineers building internal developer platforms: provide a self-service package publishing workflow with built-in governance

What sets Repod apart

The CISO review queue

No other open-source APT repository manager has a dedicated security review workflow. When Grype detects a Critical or High CVE (based on your policy), the package doesn't just get flagged — it is held in quarantine, a notification goes to the security team, and publication is blocked until a human makes an explicit decision with a written justification.

That justification becomes part of the permanent audit record. If you're audited 18 months later, you can prove that yes, you knew about CVE-2024-XXXX, you accepted it on a specific date, for a specific reason, reviewed by a specific person.
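The "Full visibility" principle above describes append-only JSONL records carrying timestamp, user, role and source IP, and this section describes a CVE decision with its justification becoming part of that record. The following added example (not Repod's code) shows one way such a trail can be written and later proven intact: each line carries the hash of the line before it, so an after-the-fact edit of a justification is detectable. The hash chain, the event field names and the role names are my assumptions, as is the rule that only an assumed `reviewer` role may record a decision while an `uploader` cannot:

```python
"""Append-only JSONL audit trail for CVE decisions, with tamper evidence.

Added example, not Repod's code. The page states that events are logged to
append-only JSONL with timestamp, user, role and source IP; the hash chain,
the event field names and the role names here are assumptions.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

GENESIS = "0" * 64
# Assumed role model: only a reviewer role may record a CVE decision.
APPROVER_ROLES = {"reviewer"}


def _digest(prev_hash: str, event: dict) -> str:
    """Hash of the previous record's hash plus a canonical encoding of this event."""
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


def append_event(log_path, event_type, user, role, source_ip, **details) -> dict:
    """Append one JSONL record whose hash chains to the previous record."""
    path = Path(log_path)
    prev_hash = GENESIS
    if path.exists():
        lines = path.read_text(encoding="utf-8").splitlines()
        if lines:
            prev_hash = json.loads(lines[-1])["hash"]
    event = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "event": event_type,
        "user": user,
        "role": role,
        "source_ip": source_ip,
        "details": details,
        "prev_hash": prev_hash,
    }
    event["hash"] = _digest(prev_hash, event)   # computed before "hash" is added
    with path.open("a", encoding="utf-8") as fh:
        fh.write(json.dumps(event, sort_keys=True) + "\n")   # append only, one record per line
    return event


def record_cve_decision(log_path, user, role, source_ip, package, cve_id, decision, justification):
    """Separation of duties: uploaders cannot decide, and no decision without a justification."""
    if role not in APPROVER_ROLES:
        raise PermissionError(f"role {role!r} may not decide on CVEs")
    if not justification.strip():
        raise ValueError("a written justification is required")
    return append_event(log_path, "cve_decision", user, role, source_ip,
                        package=package, cve_id=cve_id, decision=decision,
                        justification=justification)


def verify_chain(log_path) -> tuple:
    """Return (True, record_count) if every record chains correctly, else (False, bad_line_no)."""
    prev = GENESIS
    count = 0
    for count, line in enumerate(Path(log_path).read_text(encoding="utf-8").splitlines(), start=1):
        record = json.loads(line)
        stored = record.pop("hash")
        if record["prev_hash"] != prev or _digest(prev, record) != stored:
            return False, count
        prev = stored
    return True, count


def demo() -> dict:
    """Constructed walk-through in a temp directory: write, verify, tamper, re-verify."""
    log = Path(tempfile.mkdtemp()) / "audit.jsonl"
    pkg = "example_1.0-1_amd64.deb"   # constructed package name
    append_event(log, "upload", "ci-bot", "uploader", "10.0.0.5", package=pkg)
    try:   # an uploader must not be able to close a CVE review
        record_cve_decision(log, "ci-bot", "uploader", "10.0.0.5", pkg, "CVE-0000-0002", "accept", "n/a")
        uploader_blocked = False
    except PermissionError:
        uploader_blocked = True
    record_cve_decision(log, "alice", "reviewer", "10.0.0.9", pkg, "CVE-0000-0002", "accept",
                        "vulnerable code path is not reachable in our deployment")
    intact, records = verify_chain(log)
    # Simulate a later edit of the stored decision: append-only storage must reveal this.
    lines = log.read_text(encoding="utf-8").splitlines()
    lines[-1] = lines[-1].replace("accept", "reject")
    log.write_text("\n".join(lines) + "\n", encoding="utf-8")
    tampered_ok, bad_line = verify_chain(log)
    return {"uploader_blocked": uploader_blocked, "intact": intact, "records": records,
            "tampered_ok": tampered_ok, "bad_line": bad_line}


if __name__ == "__main__":
    print(demo())
```

The chain makes edits and deletions detectable, not impossible; an attacker who can rewrite the whole file can rewrite every hash. Periodically anchoring the latest hash somewhere the log writer cannot reach (a separate system, a signed checkpoint) is what turns detectability into evidence an auditor can rely on.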

EPSS + CISA KEV context

A CVSS score tells you severity. EPSS tells you the probability of exploitation in the next 30 days. CISA KEV tells you whether it is actively being exploited right now. Repod surfaces all three for every CVE — giving your CISO the context to make informed decisions rather than guessing from a number.

SBOM as a first-class feature

Every package has a Software Bill of Materials. Export the full repository SBOM in CycloneDX 1.5 or SPDX 2.3 with one API call. This is not a bolt-on — SBOM generation is part of the ingestion pipeline.
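For readers who have not handled the format, the following added example (not Repod's exporter) builds a CycloneDX 1.5 document for a small, constructed package inventory: one `library` component per .deb identified by its Package URL, a SHA-256 hash per component, and a dependency graph limited to packages the repository actually holds. The package names, versions and digests are made up; the document layout follows the CycloneDX 1.5 JSON schema and the purl convention for Debian packages:

```python
"""CycloneDX 1.5 JSON export for the packages held in a repository.

Added example, not Repod's exporter. Component data and hashes below are
constructed; the document structure follows the CycloneDX 1.5 JSON schema and
the Package URL (purl) convention for Debian packages.
"""
import json
import uuid
from datetime import datetime, timezone


def deb_purl(name: str, version: str, arch: str, distro: str = "debian") -> str:
    """Package URL for a .deb, e.g. pkg:deb/debian/curl@7.88.1-10?arch=amd64."""
    return f"pkg:deb/{distro}/{name}@{version}?arch={arch}"


def cyclonedx_sbom(repo_name: str, packages: list) -> dict:
    """Build a CycloneDX 1.5 BOM: one library component per package plus a dependency graph."""
    by_name = {p["name"]: deb_purl(p["name"], p["version"], p["arch"]) for p in packages}
    components, dependencies = [], []
    for p in packages:
        ref = by_name[p["name"]]
        components.append({
            "type": "library",
            "bom-ref": ref,          # purl doubles as the stable reference inside the BOM
            "name": p["name"],
            "version": p["version"],
            "purl": ref,
            "hashes": [{"alg": "SHA-256", "content": p["sha256"]}],
        })
        # Only dependencies that resolve inside this repository become graph edges;
        # unresolved ones are reported separately (see unresolved_dependencies).
        dependencies.append({
            "ref": ref,
            "dependsOn": [by_name[d] for d in p.get("depends", []) if d in by_name],
        })
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "name": repo_name, "bom-ref": f"repo:{repo_name}"},
        },
        "components": components,
        "dependencies": dependencies,
    }


def unresolved_dependencies(packages: list) -> dict:
    """Map package name -> Depends entries not present in the repository."""
    names = {p["name"] for p in packages}
    missing = {p["name"]: [d for d in p.get("depends", []) if d not in names] for p in packages}
    return {name: deps for name, deps in missing.items() if deps}


SAMPLE_PACKAGES = [  # constructed inventory; names, versions and digests are made up
    {"name": "libexample", "version": "1.2.3-1", "arch": "amd64", "sha256": "a" * 64, "depends": []},
    {"name": "example-cli", "version": "0.9.0-2", "arch": "amd64", "sha256": "b" * 64,
     "depends": ["libexample", "libc6"]},
    {"name": "example-config", "version": "0.9.0-2", "arch": "all", "sha256": "c" * 64,
     "depends": ["example-cli"]},
]


def export_sample() -> dict:
    """The constructed inventory rendered as a CycloneDX 1.5 BOM."""
    return cyclonedx_sbom("internal-apt", SAMPLE_PACKAGES)


if __name__ == "__main__":
    print(json.dumps(export_sample(), indent=2))
```

The `serialNumber` is a fresh UUID per export, so two exports of the same inventory are distinct documents; consumers that diff BOMs over time should key on `bom-ref` and `purl`, which are stable for a given package version.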

"Most APT repos tell you what is there. Repod tells you who put it there, why it was approved, and what vulnerabilities were consciously accepted."


Ready to try it?

Get started in 5 minutes →
See how Repod compares →