Determinate Secure Packages

Secure, signed, auditable Nix packages that you can trust

Determinate Secure Packages builds on Nixpkgs—the world's largest package repository with over 100,000 packages—and adds the enterprise-grade security, compliance controls, and managed vulnerability remediation demanded by production systems in critical industries.

Managed vulnerability remediation with transparent, actionable reporting

❤️‍🩹
Continuous CVE monitoring and patching
Automated vulnerability scanning detects CVEs across your dependencies, with proactive patching delivered on SLA-backed timelines. Each release includes transparent reports showing what changed and what was fixed.
📊
Actionable security reports
Get clear visibility into your security posture with detailed change logs and CVE analysis for every release. Detailed reports empower your team to make informed decisions and provide auditors with the paper trail they need to guarantee compliance.
📟
Managed security as a service
Determinate Systems' dedicated Nix security specialists handle all of this for you. Offload the burden from your internal teams to a third party that you can rely on when stakes are high.

Give your security and compliance teams the visibility and control they need while keeping your developers productive. Every package is cryptographically signed, continuously scanned for vulnerabilities, and built on dedicated, ephemeral build infrastructure for maximum safety and improved supply chain security. Each release comes with transparent reporting about what changed and what was fixed.

Stay laser-focused on what makes your product stand out while our dedicated security team handles the patching, triage, and compliance work.

Compliance and cryptography

🎯
Curated package subset
A hand-picked collection of infrastructure-focused packages from Nixpkgs' 100,000+ options, pre-vetted and built on secure infrastructure, with additional coverage available on demand.
🔐
Cryptographically signed packages
Every package is built on and distributed from SOC2-Type-II-compliant infrastructure, complete with cryptographic signatures for provenance. This ensures that your security team can verify the integrity and origin of every component in your software supply chain.
🏛️
FIPS-compliant builds
You have the option of a FIPS-140-2-compliant variant of Nixpkgs geared towards organizations with strict federal regulatory requirements. Meet exacting compliance mandates without sacrificing the benefits of Nix's strong reproducibility guarantees.

Drop-in secure

Determinate Secure Packages is built for minimal disturbance to your existing workflows. Make a one-line change in your flakes to take full advantage.

flake.nix
{
  # Before: inputs.nixpkgs.url = "github:NixOS/nixpkgs";
  # After: point the nixpkgs input at Determinate Secure Packages on FlakeHub.
  inputs.nixpkgs.url = "https://flakehub.com/f/DeterminateSystems/secure/0";
}