Skip to main content
Software supply chain security

A supply chain you can prove, all the way down

Nix's reproducibility model makes provenance a property of every build rather than a report assembled after the fact. Determinate turns that guarantee into a complete supply chain platform: sandboxed builds, curated and CVE-remediated packages, SBOMs generated straight from your flakes, and signed, provenance-preserving distribution.

Secure Packages: SLA-backed CVE remediation for your packages

SLA-backed CVE remediation for your packages

Determinate Secure Packages is a curated Nixpkgs with critical CVEs patched within a contractual 7-day SLA, backed by a team of experts.
Secure Packages
How it works: Reproducible, sandboxed builds

Reproducible, sandboxed builds

Every input is declared and every build runs sandboxed with no network or ambient state, so a build's full dependency closure is introspectable by construction.
How it works
FlakeBOM: SBOMs from any flake

SBOMs from any flake

FlakeBOM generates spec-compliant CycloneDX SBOMs straight from your flakes, fast enough to run on every build instead of just for the audit.
FlakeBOM
About VEX: Built-in VEX support

Built-in VEX support

FlakeBOM includes Vulnerability Exploitability eXchange data for manually mitigated CVEs and merges your own VEX metadata into the SBOM in a single step.
About VEX (opens in a new tab)
Read more: Nixpkgs cooldowns

Nixpkgs cooldowns

Delay the adoption of brand-new package versions so a compromised upstream release has to clear a waiting period before it can reach your builds.
Read more
FedRAMP: FedRAMP High Authorization

FedRAMP High Authorization

FlakeHub enables federal agencies and the partners that build for them to get reproducible, provenance-preserving Nix artifacts inside the FedRAMP boundary.
FedRAMP
FlakeHub: Signed, provenance-preserving distribution

Signed, provenance-preserving distribution

FlakeHub Cache distributes artifacts with their provenance intact, so every cached path traces back to the exact derivation and signer that produced it.
FlakeHub
Read more: Verifiable build provenance

Verifiable build provenance

Determinate Nix records signed provenance for store paths, so the nix provenance command can show exactly where, when, and on which machine an artifact was built.
Read more
Trust Center: Compliance-ready infrastructure

Compliance-ready infrastructure

Every Secure Packages build runs on SOC-2-Type-II-certified infrastructure, with FIPS-compliant variants available for strict federal requirements.
Trust Center (opens in a new tab)

Ship with a supply chain you can prove

Determinate Secure Packages brings curated, CVE-remediated packages, cryptographic signing, and SBOM generation together on audited infrastructure, so the provenance questions from customers, auditors, and regulators already have an answer.

  • Critical CVEs patched within a contractual 7-day SLA
  • CycloneDX SBOMs generated straight from your flakes
  • Cryptographic signing and full cache coverage end to end
  • SOC 2 Type II infrastructure with FIPS-compliant variants
The platform

The Determinate supply chain stack

Determinate Nix, Determinate Secure Packages, and FlakeHub work together to make provenance, curated packages, and signed distribution a property of your build pipeline rather than an afterthought.

  • Derivations, sandboxing, and closures: the Nix supply chain

    Derivations, sandboxing, and closures: the Nix supply chain

    The deep dive on how sandboxed builds and content-addressed closures make provenance a property of the build itself.

  • Introducing FlakeBOM

    Introducing FlakeBOM

    How FlakeBOM generates CycloneDX SBOMs from any Nix flake, with comprehensive metadata and vendored-dependency detection.

  • A secure Nixpkgs for the enterprise

    A secure Nixpkgs for the enterprise

    An update on Determinate Secure Packages: curated packages, CVE remediation, and SBOMs for regulated teams.

  • Nixpkgs cooldowns

    Nixpkgs cooldowns

    Reduce supply chain risk by waiting out brand-new package versions before they reach your builds.

  • Provenance and SBOMs webinar

    Provenance and SBOMs webinar (opens in a new tab)

    How verifiable build provenance and granular SBOMs turn reproducibility into real supply chain assurance.

  • FlakeBOM webinar

    FlakeBOM webinar (opens in a new tab)

    Reimagining supply chain security with FlakeBOM and Determinate Secure Packages.

  • Sneak peek: Determinate Secure Packages

    Sneak peek: Determinate Secure Packages (opens in a new tab)

    An introduction to Determinate Secure Packages, from CVE monitoring and patching to CycloneDX SBOM generation.

  • FlakeBOM

    FlakeBOM

    The CLI for generating spec-compliant SBOMs from any Nix flake, built to complement Determinate Secure Packages.

Explore more solutions