Press Release

ActiveState Positioned as a Niche Player in the 2026 Gartner® Magic Quadrant™ for Software Supply Chain Security

ActiveState

July 7, 2026

VANCOUVER, British Columbia – July 7, 2026 – ActiveState, a global leader in open source software security and software supply chain management, today announced it has been positioned as a Niche Player in the 2026 Gartner Magic Quadrant for Software Supply Chain Security.

ActiveState attributes its placement to the strength of its approach: building open source components from source within its own SLSA Level 3 infrastructure, backing them with contractual remediation SLAs, and delivering audit-ready artifacts including signed SBOMs and VEX documents. ActiveState was evaluated alongside other vendors in the report based on Gartner's Ability to Execute and Completeness of Vision criteria for the software supply chain security market.

"AI is pulling open source into production at machine speed, and the security leaders accountable for it are the ones who get the call when something breaks," said Abby Kearns, CEO of ActiveState. "We govern open source at the point of ingestion, with components built from source and remediation we commit to contractually. The shift this market needs is from finding open source risk to governing it, and that is the work we are focused on."

Why the Market is Moving from Scanning to Governance

Open source software is in 98% of applications. It is also the primary route for software supply chain attacks. As AI coding assistants accelerate open source consumption, the volume of unvetted open source dependencies entering production has outpaced the security teams responsible for it. The conventional model, scanning for vulnerabilities after code is written, finds problems but does not resolve them, and it cannot keep pace with machine-speed development.

ActiveState governs the ingestion of open source at the point of origin. Its library of 79 million open source components spans 12 major language ecosystems, including Python, Java, Go, Rust, and more, with full transitive and OS-level dependency coverage. Every component is built from source within SLSA Level 3 infrastructure, ships with complete immutable provenance and a signed SBOM, and is continuously remediated under contractual SLAs: 5 business days for critical CVEs, 10 for highs, and 30 for all others. ActiveState customers, primarily medium-to-large enterprises in regulated industries, including financial services, healthcare, government, and infrastructure, report a 60-99% reduction in CVEs compared to using community open source artifacts.

ActiveState delivers directly into the package managers, artifact repositories, CI/CD pipelines, and AI coding assistants developers already use, enforcing security governance at the point of consumption rather than bolting it on afterward.

See it in Practice

To see how ActiveState governs the open source software supply chain at the point of ingestion, visit www.activestate.com.

Source citation: Gartner, Magic Quadrant for Software Supply Chain Security, by Aaron Lord, Johnny Walters, and Jason Gross, Published June 17, 2026.

Gartner does not endorse any company, vendor, product or service depicted in its publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner publications consist of the opinions of Gartner’s business and technology insights organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this publication, including any warranties of merchantability or fitness for a particular purpose.

GARTNER and MAGIC QUADRANT are trademarks of Gartner, Inc. and/or its affiliates.

About ActiveState

ActiveState enables DevSecOps teams to improve their security posture while simultaneously increasing productivity and innovation to deliver secure applications faster. The company provides a trusted catalog of more than 79 million secure open source components and container images that can be consumed via artifact repository, CI/CD, IDE, or directly from ActiveState. ActiveState continuously monitors and updates the open source components to help keep companies vulnerability-free. Companies using ActiveState see a 60-99% reduction in CVEs, improving their security posture, and save as much as 30% of developer time, eliminating the engineering toil typically associated with using open source in commercial applications. Learn more at www.activestate.com.

Media Contact

Brandy Coulsey

Brand and Communications Manager ActiveState brandyc@activestate.com