Engineering deep-dives, tutorials & updates.
What we're building, how we think about artifact security, and what we've learned along the way.
Why We Built Trunx: One Registry to Rule Them All
Nexus costs six figures. JFrog costs more. Both require a dedicated platform engineer to keep alive. We asked: what if the registry was just boring infrastructure?
Read →Every Public Package Is a Risk. Proxy It.
Log4Shell. XZ Utils. The npm event-stream incident. Every supply chain attack started with a public package your team trusted blindly. Here's how Trunx makes every external dependency a governed artifact.
Read →Promotion Gates: How Your Registry Should Protect Production
Most artifact registries are dumb storage. They have no opinion about whether a package is safe to promote to production. Trunx thinks that's the wrong design.
Read →Your Artifact Registry Is Your Biggest Security Blind Spot
Most teams invest heavily in code review and CI security — then ship untrusted artifacts to production without a second thought. Here's what automatic CVE scanning, SBOMs, and Sigstore signing look like in practice.
Read →