A supply chain you can prove, all the way down
Nix's reproducibility model makes provenance a property of every build rather than a report assembled after the fact. Determinate turns that guarantee into a complete supply chain platform: sandboxed builds, curated and CVE-remediated packages, SBOMs generated straight from your flakes, and signed, provenance-preserving distribution.
SLA-backed CVE remediation for your packages
Determinate Secure Packages is a curated Nixpkgs with critical CVEs patched within a contractual 7-day SLA, backed by a team of experts.Reproducible, sandboxed builds
Every input is declared and every build runs sandboxed with no network or ambient state, so a build's full dependency closure is introspectable by construction.SBOMs from any flake
FlakeBOM generates spec-compliant CycloneDX SBOMs straight from your flakes, fast enough to run on every build instead of just for the audit.Built-in VEX support
FlakeBOM includes Vulnerability Exploitability eXchange data for manually mitigated CVEs and merges your own VEX metadata into the SBOM in a single step.Nixpkgs cooldowns
Delay the adoption of brand-new package versions so a compromised upstream release has to clear a waiting period before it can reach your builds.FedRAMP High Authorization
FlakeHub enables federal agencies and the partners that build for them to get reproducible, provenance-preserving Nix artifacts inside the FedRAMP boundary.Signed, provenance-preserving distribution
FlakeHub Cache distributes artifacts with their provenance intact, so every cached path traces back to the exact derivation and signer that produced it.Verifiable build provenance
Determinate Nix records signed provenance for store paths, so thenix provenance command can show exactly where, when, and on which machine an artifact was built.Compliance-ready infrastructure
Every Secure Packages build runs on SOC-2-Type-II-certified infrastructure, with FIPS-compliant variants available for strict federal requirements.Ship with a supply chain you can prove
Determinate Secure Packages brings curated, CVE-remediated packages, cryptographic signing, and SBOM generation together on audited infrastructure, so the provenance questions from customers, auditors, and regulators already have an answer.
- Critical CVEs patched within a contractual 7-day SLA
- CycloneDX SBOMs generated straight from your flakes
- Cryptographic signing and full cache coverage end to end
- SOC 2 Type II infrastructure with FIPS-compliant variants
The Determinate supply chain stack
Determinate Nix, Determinate Secure Packages, and FlakeHub work together to make provenance, curated packages, and signed distribution a property of your build pipeline rather than an afterthought.
- Learn more about Determinate Nix
Determinate Nix
The secure, stable, validated distribution of Nix.
Learn more - Learn more about FlakeHub
FlakeHub
Privately cache Nix artifacts and share flakes.
Learn more - Learn more about Determinate Secure Packages
Determinate Secure Packages
Secure, signed, auditable Nix packages you can trust.
Learn more
- Derivations, sandboxing, and closures: the Nix supply chain
Derivations, sandboxing, and closures: the Nix supply chain
The deep dive on how sandboxed builds and content-addressed closures make provenance a property of the build itself.
- Introducing FlakeBOM
Introducing FlakeBOM
How FlakeBOM generates CycloneDX SBOMs from any Nix flake, with comprehensive metadata and vendored-dependency detection.
- A secure Nixpkgs for the enterprise
A secure Nixpkgs for the enterprise
An update on Determinate Secure Packages: curated packages, CVE remediation, and SBOMs for regulated teams.
- Nixpkgs cooldowns
Nixpkgs cooldowns
Reduce supply chain risk by waiting out brand-new package versions before they reach your builds.
- Provenance and SBOMs webinar
Provenance and SBOMs webinar (opens in a new tab)
How verifiable build provenance and granular SBOMs turn reproducibility into real supply chain assurance.
- FlakeBOM webinar
FlakeBOM webinar (opens in a new tab)
Reimagining supply chain security with FlakeBOM and Determinate Secure Packages.
- Sneak peek: Determinate Secure Packages
Sneak peek: Determinate Secure Packages (opens in a new tab)
An introduction to Determinate Secure Packages, from CVE monitoring and patching to CycloneDX SBOM generation.
- FlakeBOM
FlakeBOM
The CLI for generating spec-compliant SBOMs from any Nix flake, built to complement Determinate Secure Packages.
Explore more solutions
- Learn more about Binary caching
Binary caching
Never build the same thing twice.
- Learn more about FedRAMP
FedRAMP
FlakeHub has FedRAMP High Authorization, bringing Nix to federal agencies and their partners.
- Learn more about Federated authentication for Nix
Federated authentication for Nix
No static credentials, no rotation schedules.
- Learn more about Nix for enterprise
Nix for enterprise
The power of Nix scaled to organizations of any size and complexity.
- Learn more about Nix at scale
Nix at scale
Keep Nix fast as your monorepo, CI, and fleet grow.
- Learn more about Nix for macOS
Nix for macOS
The easy button for Nix on macOS.
- Learn more about Nix for Linux
Nix for Linux
Business-class Nix for every Linux distribution.
- Learn more about Nix-based deployments
Nix-based deployments
Deploy Nix configs without building or evaluating on the target.
- Learn more about Nix for CI/CD
Nix for CI/CD
Faster, more reproducible pipelines with Nix.
- Learn more about Nix with MDM
Nix with MDM
Zero-touch Nix deployment through your MDM.