Secure Package Gateway · for AWS CodeArtifact

Approved packages only. In your AWS account.

Package Shield is a security gate for pip install and bundle install. Cross-account onboarding in minutes, a 5-scanner audit on every package, full approval workflow — all on top of your existing AWS account.

No credit card. 5 minutes to first gated pip install.

dev@laptop ~/api
$ pip install requests==2.32.4 \
    --index-url https://aws:****@org.codeartifact.
               eu-central-1.amazonaws.com/pypi/python-approved/simple/

Collecting requests==2.32.4
  Downloading requests-2.32.4-py3-none-any.whl (62 kB)
Installing collected packages: requests
Successfully installed requests-2.32.4

Trusted by teams shipping Python & Ruby

  • ACME
  • Initech
  • Globex
  • Hooli

Why Package Shield

A control plane for your dependency supply chain.

Three responsibilities, one system. Sit between public registries and your developers without owning their packages or their AWS account.

Deploy in your AWS
Cross-account IAM role, ExternalId-protected. We never store long-lived credentials. CodeArtifact repos provisioned automatically per ecosystem and region.
Audit every package
Five scanners run in parallel on every request: pip-audit, bundler-audit, GuardDog, gitleaks, license-check. Risk score + AI-assisted summary.
Approve, then promote
Quarantine → review → approved. Developers install only from the approved repo. Full audit trail per RBAC role.

How it works

From sign-up to pip install in 5 minutes.

  1. 1

    Connect AWS (90s)

    Drop a CFN stack into your AWS account. We get a cross-account role with ExternalId.

  2. 2

    Provision repos (1 click)

    Package Shield creates CodeArtifact quarantine + approved repos per ecosystem.

  3. 3

    Request packages

    Devs request requests==2.32.4 from the dashboard or CLI. 5 scanners run in parallel.

  4. 4

    pip install from approved

    Reviewers approve; the package promotes to the approved repo. Devs install via the gated index-url.

What we scan for

Five scanners. One audit trail.

Every request runs through this scanner stack before any reviewer sees it. Findings are stored alongside the package version forever.

CVE — Python

Known vulnerabilities in PyPI deps

pip-audit

CVE — Ruby

Known vulnerabilities in RubyGems

bundler-audit

Malware heuristics

Suspicious install hooks, network calls, eval’d payloads

GuardDog

Secrets

API keys, tokens, private keys in package files

gitleaks

License compliance

Allow / block-list enforcement

Custom

Roadmap

Maintainer risk

OpenSSF Scorecard signals

OpenSSF

Roadmap

Typosquatting

Look-alike package names

Custom

Workflow demo

Reviewers see everything before clicking Approve.

Below is the package version detail page exactly as a reviewer sees it. Every scanner finding is logged; every decision is traceable.

Pending reviewpypi:[email protected]· risk 23 / 100

Scan results

  • pip-auditNo known CVEs
  • GuardDogNo suspicious install hooks
  • gitleaksNo secrets found
  • license-checkApache-2.0 (allow-listed)
  • OpenSSF Scorecard1 finding — maintenance score 6.2

AI security report

Generated 2 min ago

Maintainer activity is healthy (last release 14 days ago, 4 active contributors). No suspicious imports. One Scorecard finding flags missing branch protection on main; recommend manual approval.

Recommendation: Approve with note
Decision is logged to the audit trail with actor, target, and metadata.

Security & compliance

Why your security team will sign off.

We minimize blast radius by design. Packages live in your account; we hold metadata. Every action is logged.

  • No long-lived AWS credentials in our SaaS.

    Cross-account AssumeRole with ExternalId. The role’s permissions are scoped to CodeArtifact operations only.

  • Your packages live in your AWS account.

    We hold metadata (name, version, scan results). We never store the package binaries after promotion.

  • Append-only audit log per RBAC role.

    Owner, Admin, Security Reviewer, Developer, Auditor — every action is logged with actor + target + metadata.

  • SOC 2Roadmap

    Audit in progress.

  • KMS encryption at rest, TLS 1.3 in transit.

    Staging bucket and database both use KMS-managed keys. Inbound traffic terminates at TLS 1.3.

Pricing

Pricing for engineering teams, not enterprises only.

Every plan ships AWS + GCP support and all seven scanners. Higher tiers raise the limits and unlock collaboration features.

Starter

For solo founders + small teams getting started.

49/ month
  • 5 seats
  • 2 cloud accounts (AWS + GCP)
  • 250 / mo package requests
Start free trial
Most popular

Pro

For growing teams who need collaboration + automation.

99/ month
  • Unlimited seats
  • 10 cloud accounts (AWS + GCP)
  • 5000 / mo package requests
  • Webhooks + Slack / Teams
  • Custom policy DSL
  • Priority email (4h)
Start free trial

Enterprise

SSO, on-prem, dedicated CSM, custom SLAs.

Custom
  • Unlimited seats
  • Unlimited cloud accounts (AWS + GCP)
  • Unlimited / mo package requests
  • Webhooks + Slack / Teams
  • Custom policy DSL
  • Dedicated CSM + 99.9% SLA
Talk to sales

Prices in EUR, VAT not included. Annual billing saves 20% — compare every feature →

FAQ

Common questions.

Stop letting random PyPI authors deploy to your prod.

Start your free trial. No credit card. 5 minutes to first gated pip install.