Secure Packages Strategy
Recommendation: Yes strategically, but sequence after secure images
Secure packages (pip, npm, maven, etc.) are a strong natural extension of what we’re building. But they solve a different technical problem than image lifecycle management, and adding them too early would dilute MVP focus. Here’s the full analysis.
The Idea
Offer a curated package proxy/registry that sits between public registries (PyPI, npm, Maven Central) and customer environments. Core feature: quarantine new upstream releases for a configurable hold period before making them available.
Why quarantine works
Most malicious packages are discovered within 24-72 hours of publication. By delaying availability:
- Free tier: 48-hour hold on all new packages/versions. Simple, effective, zero-config.
- Enterprise: configurable per-team, per-project, per-package. Some teams need bleeding-edge; others want maximum safety. Policy-driven controls.
This is a genuinely differentiating approach. Most competitors scan packages reactively. We add a time-based defense layer on top of scanning — defense in depth.
How It Fits Our Strategy
The value chain
Secure Base Images (OS layer)
↓ built on top of
Secure Packages (dependency layer)
↓ consumed by
Customer Application Code
↓ managed by
CascadeGuard Platform (lifecycle orchestration)
We already secure the bottom of the stack (base images). Packages are the next layer up — they’re what’s inside the containers. A customer using our secure base images but pulling untrusted pip packages has a gap in their supply chain. Filling that gap makes the platform story complete.
Synergies with existing product
| Capability | Secure Images | Secure Packages | Shared? |
|---|---|---|---|
| Upstream monitoring | Image registries | Package registries | Same pattern, different sources |
| Vulnerability scanning | Grype/Trivy on images | OSV/Snyk DB on packages | Same pipeline concept |
| SBOM generation | Image-level SBOMs | Dependency-level SBOMs | Complementary — together = full chain |
| Rebuild/update triggers | Base image change → rebuild | Package update → rebuild image | Direct integration point |
| Dashboard/reporting | CVE status per image | CVE status per dependency | Unified view |
The key integration: when a package update passes quarantine and we detect it fixes a CVE, we can automatically trigger a rebuild of any secure image that includes that package. End-to-end automated patching.
Competitive Landscape
| Competitor | What They Do | Our Angle |
|---|---|---|
| Artifactory (JFrog) | Full artifact management platform | We don’t need to be a general artifact store. We focus on security policy, not artifact hosting at scale. |
| Nexus (Sonatype) | Repository manager + vulnerability DB | Sonatype has deep vuln data but is expensive and complex. We’re simpler and integrated with the image layer. |
| Socket.dev | Real-time package analysis | Good at detecting malicious packages. We’d complement with quarantine (time-based) + their kind of analysis. |
| Snyk | SCA scanning | Scans but doesn’t proxy or quarantine. Different layer. |
| Phylum | Package risk analysis | Similar to Socket. Focused on analysis, not registry operations. |
Our differentiation: Nobody connects package security to image lifecycle. Socket finds a bad package — but does it trigger a rebuild of every image that included it? We would. That’s the CascadeGuard platform value.
Technical Architecture (Lightweight)
We don’t need to build a full registry manager. We need a transparent caching proxy with policy enforcement.
Developer/CI → CascadeGuard Package Proxy → Upstream Registry (PyPI/npm/Maven Central)
↓
Policy Engine
- Quarantine period (configurable)
- Vulnerability scan gate
- Allowlist/denylist
- Version pinning rules
↓
CascadeGuard Platform
- Dependency graph updated
- Image rebuild triggers
- Dashboard/notifications
Key components
- Proxy layer — Transparent HTTP proxy for pip/npm/maven protocols. Caches packages locally. Applies quarantine holds.
- Policy engine — Rules per org/team/project. Default quarantine of 48h. Enterprise can override per-package.
- Scanner integration — Run OSV/advisory checks on packages during quarantine. If flagged, extend hold or block.
- Platform integration — Feed dependency data into the CascadeGuard dependency graph. Trigger image rebuilds when packages update.
What we’d need to support per ecosystem
| Ecosystem | Protocol | Complexity | Priority |
|---|---|---|---|
| pip (PyPI) | Simple HTTP + PEP 503 API | Low | High — Python is our core user base |
| npm | npm registry API (CouchDB-based) | Medium | High — massive ecosystem |
| Maven | HTTP + standard repo layout | Low | Medium — enterprise Java shops |
| Go modules | GOPROXY protocol | Low | Medium — growing fast |
| RubyGems | Simple HTTP API | Low | Lower priority |
| NuGet | HTTP API | Medium | Lower priority |
Start with pip + npm. They cover the majority of our target users and have the simplest proxy protocols.
Proposed Offering
Free Tier: CascadeGuard Package Shield
- Transparent proxy for pip and npm
- 48-hour quarantine on all new package versions
- Basic vulnerability scanning (OSV database)
- Dashboard showing quarantined/released/blocked packages
- Rate-limited (suitable for small teams)
Purpose: Lead generation. Same playbook as free base images — give away the basic security, upsell the management.
Paid Tier: Secure Package Subscriptions
- All ecosystems (pip, npm, maven, go, ruby, nuget)
- Configurable quarantine policies per team/project/package
- Advanced scanning (multiple advisory sources)
- Allowlists, denylist, version pinning policies
- Integration with CascadeGuard platform (dependency graph, rebuild triggers)
- Priority package analysis
Pricing: Include in existing platform tiers:
- Starter ($49/mo): pip + npm proxy, 48h fixed quarantine
- Business ($199/mo): All ecosystems, configurable policies, 50 custom rules
- Enterprise (custom): Unlimited rules, private proxy instances, SLA on quarantine analysis
Why bundle with platform pricing (not per-package)
Unlike images where per-image pricing makes sense (each image is a distinct deliverable), packages are consumed in bulk. Per-package pricing would be confusing and hard to predict. Better to include package proxy access in the existing platform tiers and use it to increase the value of each tier.
Risks and Mitigations
| Risk | Impact | Mitigation |
|---|---|---|
| Quarantine delays break developer workflows | High | Smart defaults: only quarantine NEW packages/versions, not existing ones. First install of a known-good version is instant. Clear override mechanism for urgent needs. |
| Proxy becomes availability SPOF | High | Cache aggressively. If proxy is down, fail-open to upstream (configurable). Enterprise gets HA deployment. |
| Ecosystem complexity (each registry is different) | Medium | Start with pip + npm only. Each additional ecosystem is a bounded effort. Don’t try to support everything at once. |
| Competing with well-funded incumbents (JFrog, Sonatype) | Medium | We don’t compete on artifact management. We compete on security policy + image lifecycle integration. Different buyer. |
| Engineering distraction from core MVP | High | Sequence this after secure images are shipped. Phase 2/Beta timeline at earliest. |
Execution Timing
Do NOT build this during MVP (Months 1-3). The MVP must focus on core platform: API, auth, billing, image analysis.
Phase 2 (Months 4-6, Beta timeline):
- Build pip proxy with quarantine
- Build npm proxy with quarantine
- Integrate with platform dependency graph
- Ship as part of Starter/Business tiers
Phase 3 (Months 7-9, GA timeline):
- Add Maven, Go modules
- Enterprise features: private proxy instances, custom policies
- Advanced scanning partnerships (Socket.dev integration?)
This runs parallel to our existing roadmap without stealing MVP resources.
The Quarantine UX
For developers
# Configure once per project
pip config set global.index-url https://packages.cascadeguard.com/simple/
# or
npm config set registry https://packages.cascadeguard.com/npm/
# Then use normally
pip install requests # ✅ Instant — known package, existing version
pip install requests==2.32.0 # ⏳ "Version 2.32.0 is in quarantine (released 6h ago). Available in 42h. Use --force to override."
pip install totally-new-pkg # ⏳ "Package 'totally-new-pkg' is in quarantine (first published 12h ago). Available in 36h."For enterprise admins (configurable)
# .cascadeguard/package-policy.yaml
quarantine:
default_hold: 72h # 3 days for most packages
critical_packages: # shorter hold for things we trust
- name: "requests"
hold: 24h
- name: "django"
hold: 24h
teams:
- name: "security-team"
override: true # can bypass quarantine
- name: "interns"
hold: 168h # 7 days for the intern team
# Auto-release rules
auto_release:
- condition: "maintainer_verified AND no_new_permissions AND no_install_scripts"
reduce_hold_to: 24hBottom Line
Secure packages complete the supply chain story: we secure the base image (OS layer), the dependencies (package layer), and orchestrate the lifecycle of everything built on top. The quarantine concept is smart, differentiating, and low-cost to implement as a proxy.
But timing matters. Ship secure images first, prove the platform works, then layer packages on top in Beta. Trying to do both during MVP would spread us too thin.
Recommendation: Approve the strategy. Add to Beta roadmap (Phase 2). No MVP work needed now — just keep the architecture flexible enough to add package proxy integration later.