
Build from source.
Trust the result.

A universal package registry that builds from source in a sandbox, scans for vulnerabilities, generates SBOMs, and signs with Sigstore — before anything is published.

Cloning repository...
Building in sandbox...
Scanning for vulnerabilities... 0 found
Generating SBOM (CycloneDX)...
Signing with Sigstore (keyless)...
Published myorg/mylib@1.2.0 (15 formats supported)

Everything you need to ship with confidence

A complete validation pipeline between your source code and your published packages.

Pull-Through Proxy

Proxy upstream registries like npm, PyPI, and Docker Hub. Packages are scanned on first pull and gated by your policies before reaching developers.

AI Agent Registry

Native support for AI skills, MCP servers, and agent bundles — with guardrail scanning and permission tiers built in.

Universal Packages

Fifteen formats in one server, including Go, npm, Helm, Docker, Ruby, Python, Terraform, Rust, Maven, NuGet, Swift, PHP, Dart, and Agent. Your existing tools just work.

Supply Chain Security

Source-based builds, dual vulnerability scanning, Sigstore signing, SBOMs, and reproducible build verification.

AI Agent Reviews

Automated AI-powered package reviews that score security, quality, and compliance. Subscribe to shared review agents or bring your own.

Community & Trust

Reputation-weighted reviews with 3-dimensional scoring, identity verification, and configurable review policies.

License Compliance

Automatic SPDX license detection across dependencies with configurable deny, warn, and allow policies.

Developer Experience

A dedicated CLI, scoped API tokens, organizations, OAuth login, and full audit logging.

How it works

Two ways to use Stout — publish from source or proxy upstream registries.

Publish from source

01

Submit

Point Stout at any Git repository URL. Supports all 15 package formats.

02

Build & Validate

We clone and build in a sandbox, then run vulnerability scanning, license checks, and SBOM generation.

03

Publish

Signed with Sigstore and published to the registry. Every artifact is verified and traceable.

or

Pull-through proxy

01

Configure

Point your package manager at Stout. Set upstream registries like npm, PyPI, or Docker Hub.

02

Pull & Scan

First pull fetches from upstream, scans for vulnerabilities, checks license compliance, and generates an SBOM.

03

Gate & Cache

Packages that pass your policies are cached and served. Failures are blocked before they reach developers.
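Both flows above end at the same decision: an SBOM describing the package and its dependencies, scanner and license findings attached to it, and a policy that returns allow, warn or block. The following Python script is an added example and not Stout's code; it builds a minimal CycloneDX 1.5 JSON document from dependency metadata, then evaluates it against a deny/warn/allow SPDX license policy and a vulnerability-severity threshold, the kind of gate the "Build & Validate" and "Gate & Cache" steps describe. The Policy fields, and every package name, version and vulnerability identifier in it, are constructed for illustration.

```python
"""Hypothetical policy gate for a source-build / pull-through registry.

Added example, not Stout's code. All package names, versions and
vulnerability identifiers here are constructed sample data.
"""
import json
from dataclasses import dataclass, field

# Orderings used to compare findings against policy thresholds.
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
DECISION_RANK = {"allow": 0, "warn": 1, "block": 2}


@dataclass
class Component:
    name: str
    version: str
    ecosystem: str                 # purl type, e.g. "npm" or "pypi"
    license_id: str                # SPDX identifier, or NOASSERTION if unknown
    vulns: list = field(default_factory=list)   # list of (id, severity)


def purl(c: Component) -> str:
    """Package URL, the identifier CycloneDX uses to cross-reference components."""
    return f"pkg:{c.ecosystem}/{c.name}@{c.version}"


def build_sbom(root: Component, deps: list) -> dict:
    """Return a minimal CycloneDX 1.5 document describing root and its dependencies."""
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.5",
        "version": 1,
        "metadata": {"component": {"type": "library", "name": root.name,
                                   "version": root.version, "purl": purl(root)}},
        "components": [
            {"type": "library", "name": d.name, "version": d.version, "purl": purl(d),
             "licenses": [{"license": {"id": d.license_id}}]}
            for d in deps
        ],
        # Scanner output is attached to the SBOM so the gate evaluates one document.
        "vulnerabilities": [
            {"id": vid, "ratings": [{"severity": sev}], "affects": [{"ref": purl(d)}]}
            for d in deps for vid, sev in d.vulns
        ],
    }


@dataclass
class Policy:                          # hypothetical policy shape
    deny_licenses: set
    warn_licenses: set
    block_severity: str = "high"       # findings at or above this severity block
    warn_severity: str = "medium"      # findings at or above this severity warn
    unknown_license: str = "block"     # action when no SPDX id was detected


def evaluate(sbom: dict, policy: Policy):
    """Apply policy to an SBOM. Returns (decision, findings); the worst finding wins."""
    findings = []   # (decision, purl, reason)
    for c in sbom["components"]:
        lics = c.get("licenses") or [{}]
        lic = lics[0].get("license", {}).get("id", "NOASSERTION")
        if lic in policy.deny_licenses:
            findings.append(("block", c["purl"], f"license {lic} is denied"))
        elif lic in policy.warn_licenses:
            findings.append(("warn", c["purl"], f"license {lic} requires review"))
        elif lic == "NOASSERTION":
            findings.append((policy.unknown_license, c["purl"], "no license detected"))
    for v in sbom.get("vulnerabilities", []):
        sev = v["ratings"][0]["severity"]
        ref = v["affects"][0]["ref"]
        if SEVERITY_RANK[sev] >= SEVERITY_RANK[policy.block_severity]:
            findings.append(("block", ref, f"{v['id']} is {sev}"))
        elif SEVERITY_RANK[sev] >= SEVERITY_RANK[policy.warn_severity]:
            findings.append(("warn", ref, f"{v['id']} is {sev}"))
    decision = max((f[0] for f in findings), key=DECISION_RANK.get, default="allow")
    return decision, findings


DEFAULT_POLICY = Policy(deny_licenses={"AGPL-3.0-only"},
                        warn_licenses={"GPL-3.0-only", "LGPL-3.0-only"})


def sample_sbom() -> dict:
    """Constructed sample: a clean dep, a copyleft dep, an unlicensed dep, a vulnerable dep."""
    root = Component("mylib", "1.2.0", "npm", "MIT")
    deps = [
        Component("left-pad", "1.3.0", "npm", "MIT"),
        Component("copyleft-util", "2.0.0", "npm", "GPL-3.0-only"),
        Component("mystery-lib", "0.1.0", "npm", "NOASSERTION"),
        Component("old-parser", "1.0.0", "npm", "Apache-2.0",
                  vulns=[("EXAMPLE-2024-0001", "critical")]),   # constructed id
    ]
    return build_sbom(root, deps)


if __name__ == "__main__":
    sbom = sample_sbom()
    decision, findings = evaluate(sbom, DEFAULT_POLICY)
    print(json.dumps(sbom, indent=2))
    for d, ref, why in findings:
        print(f"{d:5} {ref}: {why}")
    print("decision:", decision)
```

Two design points matter for a real gate: an undetected license is treated as a finding rather than silently allowed, so a package with no SPDX id cannot slip through as "clean"; and the decision is the maximum over all findings, so a single denied license or critical finding blocks regardless of how many components pass.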