# Secure Registry

{% hint style="warning" %}
Available for **Enterprise** Tier only
{% endhint %}

Secure Registry is an authenticated upstream registry that sits between your developers, CI runners, and the public package registries (npm and PyPI). Every metadata request and tarball download flows through Secure Registry, which evaluates it against your configured security controls before returning a response. Requests that violate a control are blocked or modified at install time, regardless of whether the install runs in CI or on a developer's laptop.

### How it compares to GitHub Checks

Secure Registry complements [Package Cooldown](/github/github-checks/configuration.md#package-cooldown) and [Package Compromised Updates](/github/github-checks/configuration.md#package-compromised-updates) in GitHub Checks. The two enforce at different points in the dependency lifecycle:

|                         | GitHub Checks                                 | Secure Registry                                                                         |
| ----------------------- | --------------------------------------------- | --------------------------------------------------------------------------------------- |
| **Enforcement point**   | Pull request                                  | Package install                                                                         |
| **What it sees**        | Manifest and lockfile changes in a PR         | Every install request from any configured client                                        |
| **Scope**               | Repositories under StepSecurity GitHub Checks | CI runners, developer machines, and artifact managers configured to use Secure Registry |
| **Result of violation** | PR check fails, blocking merge                | Request is blocked or the response is modified at install time                          |
| **Ecosystems**          | npm, PyPI                                     | npm, PyPI (Beta)                                                                        |

Using both gives you layered protection: PRs cannot introduce known-bad dependencies, and environments that bypass PR review (developer laptops, ad-hoc CI scripts, fresh clones with floating versions) cannot install them either.

### How it works

* **Step 1:** Configure your developers' package clients (npm or pip), CI runners, or your artifact repository manager (JFrog Artifactory, Google Artifact Registry) to use the Secure Registry URL as the upstream registry.
* **Step 2:** Every package request flows through Secure Registry, which evaluates it against the controls you have enabled for that ecosystem.
* **Step 3:** Each evaluation is recorded in the **Policy Evaluations** log and visible in your StepSecurity dashboard.
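An added example (not StepSecurity's own code) of Step 1 in a CI job: a POSIX shell script that points npm and pip at the upstream registry and fails closed when the URL or token is missing, so a misconfigured runner stops instead of silently installing from the public registry and bypassing the controls. The `SECURE_REGISTRY_NPM_URL`, `SECURE_REGISTRY_PYPI_URL` and `SECURE_REGISTRY_TOKEN` variables, the URL shapes and the pip credential form are placeholders; take the real values from the Setup Guide.

```shell
#!/bin/sh
# Added example, not part of the Secure Registry docs. Writes client config so every
# npm/pip request is routed through the upstream registry. Env vars and URL shapes
# below are assumptions; substitute the values from your Setup Guide.
set -eu

# Refuse to continue without both values: an empty registry setting would make npm/pip
# fall back to the public registry, which bypasses the configured controls.
require_upstream() {
    [ -n "$1" ] && [ -n "$2" ] || { echo "secure registry URL/token not set" >&2; return 1; }
}

# npm: `registry=` routes all requests; the auth key is the registry URL without its
# scheme, in the form //host/path/:_authToken=<token>.
write_npmrc() {
    url="$1"; token="$2"; out="$3"
    require_upstream "$url" "$token" || return 1
    host_path="${url#https://}"
    host_path="${host_path%/}"
    printf 'registry=%s/\n//%s/:_authToken=%s\n' "${url%/}" "$host_path" "$token" > "$out"
    chmod 600 "$out"   # the file holds a credential
}

# pip: `index-url` selects the index; basic auth embedded in the URL (placeholder form).
write_pip_conf() {
    url="$1"; token="$2"; out="$3"
    require_upstream "$url" "$token" || return 1
    printf '[global]\nindex-url = https://token:%s@%s\n' "$token" "${url#https://}" > "$out"
    chmod 600 "$out"
}

# Apply only when credentials are present in the environment (e.g. injected by CI).
if [ -n "${SECURE_REGISTRY_TOKEN:-}" ]; then
    mkdir -p "$HOME/.config/pip"
    write_npmrc "${SECURE_REGISTRY_NPM_URL:-}" "$SECURE_REGISTRY_TOKEN" "$HOME/.npmrc"
    write_pip_conf "${SECURE_REGISTRY_PYPI_URL:-}" "$SECURE_REGISTRY_TOKEN" "$HOME/.config/pip/pip.conf"
    echo "npm registry now: $(npm config get registry 2>/dev/null || echo '(npm not installed)')"
fi
```

Run it as a setup step before `npm ci` or `pip install`; any install that then reaches a registry other than the upstream indicates a client-side override worth investigating in the Policy Evaluations log.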

**Follow this interactive demo to see how it works:**

{% embed url="https://app.storylane.io/share/zqnxshnyvnza" %}

### Supported ecosystems

| Ecosystem | Status    |
| --------- | --------- |
| npm       | Available |
| PyPI      | Beta      |

#### In this section

* [**Policy**](/packages/secure-registry/policy.md): configure the security controls Secure Registry enforces (Cooldown Period, Compromised Packages, Typosquatting Protection), per ecosystem.
* [**Policy Evaluations**](/packages/secure-registry/policy-evaluations.md): review the audit log of every request that flowed through Secure Registry, including the source machine or workflow run behind each one.
* [**Setup Guide**](/packages/secure-registry/setup-guide.md): get your credentials and configure your package manager to proxy through Secure Registry, including optional source attribution.
