Nothing reaches your servers unverified
RepoD secures your Linux software supply chain end to end. Built-in CVE scanning, antivirus validation, CISO approval workflow and NIS2 compliance — for every DEB, RPM and APK package, before it reaches production.
From upload to production
Every package passes through a 6-step automated pipeline before it reaches your repository. Your security team only intervenes at the CISO review step — everything else runs on its own.
Each detected CVE is enriched in real time with EPSS exploit probability, CISA KEV status and NVD severity, so your team prioritizes real threats — not noise.
Every action — upload, scan result, approval, rejection — feeds an immutable audit trail built for NIS2 Article 21, ISO 27001 and SBOM export.
Three gaps in your Linux security
You have vulnerability scanners, repository managers and patch tools — but no single platform that validates packages before they reach your servers.
Vulnerability scanners detect, but don't protect the supply
Qualys and Tenable detect vulnerabilities on your servers. But they can't control what packages get installed in the first place. If a compromised or unvetted package reaches production, scanning happens too late — the supply chain was already breached.
RepoD scans every package for CVEs, malware and known exploits before it enters your repository — not after it's installed.
Repository managers store packages, but don't secure them
Nexus and Artifactory store packages, but they don't scan them for CVEs, don't run antivirus, don't require CISO approval before distribution. Security is always a bolt-on — a separate product, a separate licence, a separate workflow.
RepoD combines hosting, CVE scanning, antivirus, GPG signing and CISO approval in a single pipeline — no add-ons needed.
Patch tools deploy updates, but don't validate the source
Rudder and Ansible push updates to your fleet. But who validated those packages before they were distributed? Who signed them? Who approved the CVE exceptions? Without a validated supply chain, patch management is distributing trust you never verified.
RepoD closes the loop — validate, approve, sign, then distribute. Your fleet only receives packages that passed your security policy.
Build and patch containers from verified packages
Point your Dockerfiles at RepoD instead of public repositories. Every apt install, dnf install and apk add inside your builds pulls only packages that passed your 6-step security pipeline.
Patch existing images by rebuilding with updated, scanned packages — no more pulling unverified binaries from the internet at build time. Your CI pushes the package, RepoD validates it, your image build pulls it. Shift-left, closed loop.
Fits into your existing stack
RepoD exposes a full REST API. Every pipeline, tool and platform that can make an HTTP call can integrate with it.
Upload packages on release via the REST API. SARIF results post directly to GitHub Code Scanning.
Publish .deb and .rpm artefacts to RepoD from your pipeline with a single curl call.
Use the RepoD REST API in a post-build step to push packages and gate on CVE scan results.
Point apt/dnf at your RepoD endpoint. All nodes consume only GPG-verified, CVE-cleared packages.
Provision RepoD alongside your infrastructure. Bootstrap distributions and upload base packages on first apply.
Configure base images to pull from RepoD. Your containers only ever install scanned, approved packages.
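Pointing clients at the repository is where the signature guarantee is most often thrown away: an apt entry with `[trusted=yes]`, or a dnf repo with `gpgcheck=0`, accepts anything served at that URL, signed or not. The script below is an added example, not RepoD's own tooling. It emits client configuration that keeps verification on (deb822 `Signed-By` for apt, `gpgcheck` plus `repo_gpgcheck` for dnf, a key in `/etc/apk/keys` for apk), refuses the common trust overrides, and compares the installed key's fingerprint with a pinned value. The hostname `repod.example.internal`, the URL paths, the keyring paths and the fingerprint are assumptions; the real paths for your instance are in its documentation and `/api/docs`.

```shell
#!/bin/sh
# Client-side configuration for a signed RepoD-style repository.
# Added example, not RepoD's own tooling. The hostname, the URL paths, the
# keyring paths and the fingerprint below are assumptions / constructed values.
set -eu

REPOD_URL="https://repod.example.internal"                 # assumed hostname
APT_KEYRING="/usr/share/keyrings/repod.gpg"               # assumed path
RPM_KEY="/etc/pki/rpm-gpg/RPM-GPG-KEY-repod"              # assumed path
# Constructed placeholder; pin the real fingerprint obtained out of band.
EXPECTED_FPR="0000000000000000000000000000000000000000"

# apt, deb822 format. Signed-By scopes the verifying key to this source only,
# so a key trusted for some other repository cannot sign a forged Release
# file for this one (which a key in the global /etc/apt/trusted.gpg could).
apt_source_entry() {
  suite="$1"   # e.g. jammy
  cat <<EOF
Types: deb
URIs: ${REPOD_URL}/apt
Suites: ${suite}
Components: main
Signed-By: ${APT_KEYRING}
EOF
}

# dnf/yum. gpgcheck=1 verifies each RPM; repo_gpgcheck=1 verifies repomd.xml,
# the index, which is what stops an attacker replaying an old package list
# that still advertises a vulnerable version. The key is a local file shipped
# with the host, not fetched from the repository it is meant to authenticate.
dnf_repo_entry() {
  cat <<EOF
[repod]
name=RepoD validated packages
baseurl=${REPOD_URL}/rpm/\$releasever/\$basearch
enabled=1
gpgcheck=1
repo_gpgcheck=1
gpgkey=file://${RPM_KEY}
EOF
}

# apk. APKINDEX is verified against keys in /etc/apk/keys; the key file name
# must match the signer name in the index, so copy the key there
# (e.g. /etc/apk/keys/repod.rsa.pub) before this line goes into /etc/apk/repositories.
apk_repo_entry() {
  branch="$1"   # e.g. v3.20
  printf '%s/apk/%s/main\n' "${REPOD_URL}" "${branch}"
}

# Refuse configuration that silences signature errors instead of fixing them:
# "[trusted=yes]" / "Trusted: yes" for apt, "gpgcheck=0" for dnf.
# Returns 0 when the text is clean, 1 when an override is present.
reject_trust_override() {
  if printf '%s\n' "$1" | grep -Eiq 'trusted *= *yes|^Trusted: *yes|^gpgcheck *= *0'; then
    return 1
  fi
  return 0
}

# Compare the fingerprint of the key actually installed against the pinned
# value, case-insensitively. Feed it the output of
#   gpg --show-keys --with-colons "$APT_KEYRING" | awk -F: '/^fpr/{print $10; exit}'
fingerprint_matches() {
  got=$(printf '%s' "$1" | tr 'a-f' 'A-F')
  want=$(printf '%s' "$EXPECTED_FPR" | tr 'a-f' 'A-F')
  [ "$got" = "$want" ]
}

# Example run: emit the apt entry only after the trust check passes.
if [ "${1:-}" = "apt" ]; then
  entry=$(apt_source_entry "${2:-jammy}")
  reject_trust_override "$entry"
  printf '%s\n' "$entry"
fi
```

In a Dockerfile, COPY the keyring into the image first, then `RUN ... apt_source_entry jammy > /etc/apt/sources.list.d/repod.sources && apt-get update`; apt-get then fails closed if the Release file is not signed by that key. Ship the key through the image or configuration management rather than downloading it from the repository host at build time: a key fetched over the same channel it is meant to protect only proves you reached that host, not that the packages came from your pipeline.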
Auto-create tickets on critical CVE detections. Bidirectional sync — closing a ticket in GLPI resolves the CVE decision in RepoD.
Push CVE findings as Jira issues with severity labels. Track remediation alongside your existing sprint workflow.
Create incidents and change requests from CVE scan results. Map RepoD severity levels to ServiceNow priority matrix.
Stream the immutable audit trail via webhook or JSON export into your SIEM for unified security monitoring.
Export CVE scan results as SARIF 2.1.0 and upload directly to GitHub Security tab — no extra tooling needed.
Webhook notifications on new critical CVEs let your VM platform (Tenable, Qualys, Wiz) stay in sync with your package inventory.
Full API reference: /api/docs on your RepoD instance.
Built for CISOs. Loved by DevOps.
Real-time visibility on your supply chain — CVE posture, pending approvals, audit trail — without opening a terminal or buying a separate dashboard.
Dashboard
| Package | Version | Distribution | Status | Uploaded |
|---|---|---|---|---|
| nginx | 1.27.3-1 | focal | Approved | 2h ago |
| openssl | 3.0.14-0 | jammy | Pending | 3h ago |
| libssl-dev | 3.0.14-0 | jammy | Scanning | 3h ago |
| curl | 8.7.1-1 | noble | Approved | 5h ago |
| openssh-server | 9.7p1-1 | noble | Rejected | 1d ago |
Why not just use Qualys, Rudder or Nexus?
Because each solves one piece. RepoD is the only platform that validates, hosts, deploys and audits Linux packages in a single pipeline — self-hosted or SaaS.
Features compared (RepoD against Qualys VMDR, Rudder, Nexus OSS and Cloudsmith):
- CVE scanning on packages
- Antivirus / malware scan
- EPSS + CISA KEV enrichment
- CISO approval workflow
- GPG package signing
- SBOM export (SPDX / CycloneDX)
- DEB + RPM + APK hosting
- Package upload (API + UI)
- Mirror upstream repositories
- Fleet inventory (SSH scan)
- Remote patch deployment
- CIS compliance checks
- NIS2 compliance mode
- Immutable audit trail
- Self-hosted / air-gap
- SaaS option
- Open source Community tier
Comparison based on publicly available documentation. Last reviewed May 2026.
Compliance out of the box
RepoD maps directly to NIS2 Article 21 requirements. Every action is logged, every package is traceable, every approval is documented — so your audit is ready when the auditor arrives.
Architecture documented for SecNumCloud qualification reviews. Self-hosted deployment with no foreign cloud dependencies meets sovereignty requirements. The audit trail covers ISO/IEC 27001:2013 Annex A controls A.12.5 (control of operational software) and A.12.6 (technical vulnerability management); in the 2022 edition these correspond to A.8.19 and A.8.8.
Read the full NIS2 compliance matrix
RepoD Community is here.
RepoD Community natively manages DEB, RPM and APK in a single self-hosted instance, under the AGPL-3.0 license. Clone the repo, spin it up with Docker Compose — no account required, no telemetry.
Community Edition · AGPL-3.0 + commercial · Read the docs
Simple, transparent pricing
Start free with the open-source Community Edition — DEB, RPM and APK in one instance. Enterprise plans are sized by the number of client machines (nodes) in your inventory and unlock fleet management, SSO and advanced security controls.
Community (free):
- DEB, RPM and APK hosting — in a single instance
- Package upload via REST API & drag-and-drop UI
- Antivirus scan on every upload (blocking)
- GPG auto-signing — Release/repomd/APKINDEX signed automatically
- CVE vulnerability scan — informational, never blocking
- Email support

Starter:
- Fleet inventory & SSH scanning with CVE analysis
- Remote package deployment (SSH, dry-run + confirm)
- SBOM export — SPDX & CycloneDX

Business:
- Everything in Starter
- LDAP / Active Directory + OIDC SSO + TOTP MFA
- API tokens for CI/CD pipelines
- Advanced CVE policy + SLA alerts

- Everything in Business
- Scheduled mirroring of upstream repositories
- High availability (multi-replica, shared storage)
- Dedicated onboarding & roadmap input

Enterprise plans, compared with Community:
- Everything in Community
- Fleet inventory & SSH scanning with automated CVE analysis
- Remote package deployment over SSH (dry-run + confirm)
- SBOM export — SPDX & CycloneDX
- Automated PostgreSQL + repository backups
- LDAP / Active Directory + OIDC SSO + TOTP MFA
- API tokens for CI/CD pipelines
- Advanced CVE policy (block/review/warn) + SLA alerts
- Email & webhook notifications (Slack/Teams/Mattermost)
- Scheduled mirroring & high-availability (multi-replica)
No commitment · 30-day pilot available on all Enterprise plans
See RepoD in action
Get a personalised 30-minute walkthrough — the security pipeline, fleet inventory, CVE remediation workflow and NIS2 compliance dashboard. Or start free instantly — no credit card, no call.