Build from source.
Trust the result.

A universal package registry that builds from source in a sandbox, scans for vulnerabilities, generates SBOMs, and signs with Sigstore — before anything is published.

$ stout submit https://github.com/myorg/mylib
Cloning repository...
Building in sandbox...
Scanning for vulnerabilities... 0 found
Generating SBOM (CycloneDX)...
Signing with Sigstore (keyless)...
Published myorg/mylib@1.2.0 (15 formats supported)

Everything you need to ship with confidence

A complete validation pipeline between your source code and your published packages.

Pull-Through Proxy (New)

Proxy upstream registries like npm, PyPI, and Docker Hub. Packages are scanned on first pull and gated by your policies before reaching developers.

AI Agent Registry (New)

Native support for AI skills, MCP servers, and agent bundles — with guardrail scanning and permission tiers built in.


Universal Packages

Fifteen formats in one server — Go, npm, Helm, Docker, Ruby, Python, Terraform, Rust, Maven, NuGet, Swift, PHP, Dart, and Agent. Your existing tools just work.


Supply Chain Security

Source-based builds, dual vulnerability scanning, Sigstore signing, SBOMs, and reproducible build verification.

AI Agent Reviews (New)

Automated AI-powered package reviews that score security, quality, and compliance. Subscribe to shared review agents or bring your own.


Community & Trust

Reputation-weighted reviews with 3-dimensional scoring, identity verification, and configurable review policies.


License Compliance

Automatic SPDX license detection across dependencies with configurable deny, warn, and allow policies.


Developer Experience

A dedicated CLI, scoped API tokens, organizations, OAuth login, and full audit logging.

How it works

Two ways to use Stout — publish from source or proxy upstream registries.

Publish from source

01. Submit

Point Stout at any Git repository URL. Supports all 15 package formats.

02. Build & Validate

We clone and build in a sandbox, then run vulnerability scanning, license checks, and SBOM generation.

03. Publish

Signed with Sigstore and published to the registry. Every artifact is verified and traceable.

or

Pull-through proxy

01. Configure

Point your package manager at Stout. Set upstream registries like npm, PyPI, or Docker Hub.

02. Pull & Scan

First pull fetches from upstream, scans for vulnerabilities, checks license compliance, and generates an SBOM.

03. Gate & Cache

Packages that pass your policies are cached and served. Failures are blocked before they reach developers.
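The "Gate & Cache" step above, together with the deny/warn/allow license policy described under License Compliance, comes down to one decision: given a scan result and an SBOM for a pulled package, is it served or blocked, and what gets surfaced as a warning? The example below is an added illustration of that decision logic and is not Stout's own code; the SBOM fragment (CycloneDX-style component and vulnerability records), the policy fields, the severity scale and every package name and vulnerability id in it are constructed placeholders, not Stout's data model or real records.

```python
from dataclasses import dataclass, field

# Severity ranking used by the gate. Constructed for this example; it mirrors the
# usual scanner scale but is not a scale Stout is documented to use.
SEVERITY_RANK = {"none": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# A CycloneDX-style SBOM fragment for a proxied package, constructed inline.
# Package names, versions and vulnerability ids are placeholders, not real records.
SAMPLE_SBOM = {
    "metadata": {"component": {"name": "example-lib", "version": "1.4.0"}},
    "components": [
        {"name": "example-lib", "version": "1.4.0",
         "licenses": [{"license": {"id": "MIT"}}]},
        {"name": "example-colors", "version": "0.9.2",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"name": "example-yaml", "version": "2.1.0",
         "licenses": [{"license": {"id": "LGPL-2.1-only"}}]},
        {"name": "example-mystery", "version": "0.0.1", "licenses": []},
    ],
    "vulnerabilities": [
        {"id": "PLACEHOLDER-VULN-1",
         "affects": [{"ref": "example-yaml@2.1.0"}],
         "ratings": [{"severity": "high"}]},
        {"id": "PLACEHOLDER-VULN-2",
         "affects": [{"ref": "example-colors@0.9.2"}],
         "ratings": [{"severity": "low"}]},
    ],
}


@dataclass
class Policy:
    """Deny/warn/allow license policy plus a vulnerability severity ceiling (assumed format)."""
    deny_licenses: set = field(default_factory=set)   # any match blocks the package
    warn_licenses: set = field(default_factory=set)   # any match is flagged, not blocked
    allow_unknown_license: bool = False               # undetected license: warn or block
    max_severity: str = "medium"                      # highest severity still served


@dataclass
class Decision:
    allowed: bool
    violations: list   # reasons the package is blocked
    warnings: list     # findings surfaced to developers but not blocking


def component_licenses(component):
    """Return the SPDX ids (or names) declared for a component; UNKNOWN if none."""
    ids = []
    for entry in component.get("licenses", []):
        lic = entry.get("license", {})
        # CycloneDX permits either an SPDX id or a free-text license name.
        ids.append(lic.get("id") or lic.get("name") or "UNKNOWN")
    return ids or ["UNKNOWN"]


def highest_severity(vuln):
    """Rank of the worst rating attached to a vulnerability record."""
    ranks = [SEVERITY_RANK.get(r.get("severity", "none"), 0)
             for r in vuln.get("ratings", [])]
    return max(ranks, default=0)


def evaluate(sbom, policy):
    """Apply the policy to every component and vulnerability in the SBOM."""
    violations, warnings = [], []
    for comp in sbom.get("components", []):
        ref = f"{comp['name']}@{comp['version']}"
        for lic in component_licenses(comp):
            if lic == "UNKNOWN":
                msg = f"{ref}: no license detected"
                (warnings if policy.allow_unknown_license else violations).append(msg)
            elif lic in policy.deny_licenses:
                violations.append(f"{ref}: license {lic} is denied")
            elif lic in policy.warn_licenses:
                warnings.append(f"{ref}: license {lic} requires review")
    ceiling = SEVERITY_RANK[policy.max_severity]
    for vuln in sbom.get("vulnerabilities", []):
        sev = highest_severity(vuln)
        targets = ", ".join(a["ref"] for a in vuln.get("affects", []))
        label = f"{vuln['id']} ({targets})"
        if sev > ceiling:
            violations.append(f"{label}: severity above policy ceiling")
        elif sev > 0:
            warnings.append(f"{label}: within ceiling, surfaced for visibility")
    return Decision(allowed=not violations, violations=violations, warnings=warnings)


def strict_policy():
    """A deny-heavy policy: copyleft denied, weak copyleft flagged, unknown blocked."""
    return Policy(deny_licenses={"GPL-3.0-only"}, warn_licenses={"LGPL-2.1-only"},
                  allow_unknown_license=False, max_severity="medium")


if __name__ == "__main__":
    decision = evaluate(SAMPLE_SBOM, strict_policy())
    print("serve from cache" if decision.allowed else "blocked")
    for line in decision.violations + decision.warnings:
        print(" -", line)
```

The point worth noticing is that an undetected license is a separate policy knob from a denied one: a gate that silently allows components with no license metadata is the one most often bypassed in practice, so the example makes that choice explicit and blocks by default. Warnings are kept apart from violations so a cached package can still carry findings for developers to see without the gate having to choose between blocking everything and reporting nothing.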