Secure Package Gateway · for AWS CodeArtifact
Approved packages only. In your AWS account.
Package Shield is a security gate for pip install and bundle install. Cross-account onboarding in minutes, a 5-scanner audit on every package, full approval workflow — all on top of your existing AWS account.
No credit card. 5 minutes to first gated pip install.
$ pip install requests==2.32.4 \
--index-url https://aws:****@org.codeartifact.
eu-central-1.amazonaws.com/pypi/python-approved/simple/
Collecting requests==2.32.4
Downloading requests-2.32.4-py3-none-any.whl (62 kB)
Installing collected packages: requests
Successfully installed requests-2.32.4
Trusted by teams shipping Python & Ruby
- ACME
- Initech
- Globex
- Hooli
Why Package Shield
A control plane for your dependency supply chain.
Three responsibilities, one system. Sit between public registries and your developers without owning their packages or their AWS account.
How it works
From sign-up to pip install in 5 minutes.
- 1
Connect AWS (90s)
Drop a CFN stack into your AWS account. We get a cross-account role with ExternalId.
- 2
Provision repos (1 click)
Package Shield creates CodeArtifact quarantine + approved repos per ecosystem.
- 3
Request packages
Devs request requests==2.32.4 from the dashboard or CLI. 5 scanners run in parallel.
- 4
pip install from approved
Reviewers approve; the package promotes to the approved repo. Devs install via the gated index-url.
What we scan for
Five scanners. One audit trail.
Every request runs through this scanner stack before any reviewer sees it. Findings are stored alongside the package version forever.
Workflow demo
Reviewers see everything before clicking Approve.
Below is the package version detail page exactly as a reviewer sees it. Every scanner finding is logged; every decision is traceable.
Scan results
- pip-auditNo known CVEs
- GuardDogNo suspicious install hooks
- gitleaksNo secrets found
- license-checkApache-2.0 (allow-listed)
- OpenSSF Scorecard1 finding — maintenance score 6.2
AI security report
Maintainer activity is healthy (last release 14 days ago, 4 active contributors). No suspicious imports. One Scorecard finding flags missing branch protection on main; recommend manual approval.
Security & compliance
Why your security team will sign off.
We minimize blast radius by design. Packages live in your account; we hold metadata. Every action is logged.
No long-lived AWS credentials in our SaaS.
Cross-account AssumeRole with ExternalId. The role’s permissions are scoped to CodeArtifact operations only.
Your packages live in your AWS account.
We hold metadata (name, version, scan results). We never store the package binaries after promotion.
Append-only audit log per RBAC role.
Owner, Admin, Security Reviewer, Developer, Auditor — every action is logged with actor + target + metadata.
SOC 2Roadmap
Audit in progress.
KMS encryption at rest, TLS 1.3 in transit.
Staging bucket and database both use KMS-managed keys. Inbound traffic terminates at TLS 1.3.
Pricing
Pricing for engineering teams, not enterprises only.
Every plan ships AWS + GCP support and all seven scanners. Higher tiers raise the limits and unlock collaboration features.
Starter
For solo founders + small teams getting started.
- 5 seats
- 2 cloud accounts (AWS + GCP)
- 250 / mo package requests
Pro
For growing teams who need collaboration + automation.
- Unlimited seats
- 10 cloud accounts (AWS + GCP)
- 5000 / mo package requests
- Webhooks + Slack / Teams
- Custom policy DSL
- Priority email (4h)
Enterprise
SSO, on-prem, dedicated CSM, custom SLAs.
- Unlimited seats
- Unlimited cloud accounts (AWS + GCP)
- Unlimited / mo package requests
- Webhooks + Slack / Teams
- Custom policy DSL
- Dedicated CSM + 99.9% SLA
Prices in EUR, VAT not included. Annual billing saves 20% — compare every feature →
FAQ
Common questions.
Stop letting random PyPI authors deploy to your prod.
Start your free trial. No credit card. 5 minutes to first gated pip install.
