Build from source.
Trust the result.

A universal package registry that builds from source in a sandbox, scans for vulnerabilities, generates SBOMs, and signs with Sigstore — before anything is published.

terminal

    $ stout submit https://github.com/myorg/mylib
    Cloning repository...
    Building in sandbox...
    Scanning for vulnerabilities... 0 found
    Generating SBOM (CycloneDX)...
    Signing with Sigstore (keyless)...
    Published myorg/mylib@1.2.0 to npm, Go, Helm, OCI

Everything you need to ship with confidence

A complete validation pipeline between your source code and your published packages.

AI Agent Registry

Native support for AI skills, MCP servers, and agent bundles — with guardrail scanning and permission tiers built in.

Universal Packages

Seven formats in one server — Go, npm, Helm, Docker, Ruby, Python, and Agent. Your existing tools just work.

Supply Chain Security

Source-only builds, dual vulnerability scanning, Sigstore signing, SBOMs, and reproducible build verification.

Community & Trust

Reputation-weighted reviews with 3-dimensional scoring, identity verification, and configurable review policies.

License Compliance

Automatic SPDX license detection across dependencies with configurable deny, warn, and allow policies.

Developer Experience

A dedicated CLI, scoped API tokens, organizations, OAuth login, and full audit logging.

How it works

01 Submit

Point Stout at any Git repository URL. Supports Go, npm, Helm, and container images.

02 Build & Validate

We clone and build in a sandbox, then run vulnerability scanning, license checks, and SBOM generation.

03 Publish

Signed with Sigstore and published to the registry. Every artifact is verified and traceable.