Features

The registry your security team
will actually approve.

Nexus and JFrog store your artifacts. Trunx understands them — scanning, signing, promoting, and governing every package across its entire lifecycle.

Native Dagger integration

Your entire pipeline. As typed code.

Official Trunx Dagger module. Build, scan, sign, and promote in one pipeline that runs on any CI. No YAML. No vendor lock-in.

Go SDKPython SDKTypeScript SDK
// build → scan → sign → push. One call.
SOURCEgit@repo · abc123f
BUILDdocker build12.4s
SCANGrype · 0 critical8.2s
SIGNcosign keyless0.8s
PUSHchannel: stable4.1s
// same pipeline on every CI — no rewrites
Supply chain security

Zero trust. Total verification.

Automatic scanning, signing, and provenance on every push — before anything reaches production.

CVE scanning on push
SBOM auto-generation
Sigstore signing
License compliance
Secrets detection
SLSA provenance
trunx security scanlive
ARTIFACTVERSIONTYPERESULT
npm:express@4.18.14.18.1npmCLEAN
maven:spring@6.0.96.0.9mavenCLEAN
log4j-core@2.14.02.14.0mavenCRITICAL
npm:lodash@4.17.214.17.21npmCLEAN
docker:nginx@1.25.01.25.0dockerSCANNING
pypi:requests@2.31.02.31.0pypiCLEAN
helm:ingress@4.7.14.7.1helmWARN
● 4 clean● 1 critical● 2 warnscan #4821 · just now
Release management

Ship with confidence.

Every release goes through promotion gates before it reaches production. No surprises.

Immutable releases
Release channels
Release gates
Version diff
Semver enforcement
Promotion workflows
DEV
v2.5.0-dev.14
Semver enforcementRelease gates
STAGING
v2.5.0-beta.3
Immutable releasesRelease channels
PROD
v2.5.0
Promotion workflowsImmutable releases
LIVE
Governance & compliance

Policy as code. Compliance built-in.

Write rules in OPA/Rego. Enforce them automatically across every registry and team.

1,204ALLOW
3DENY
14QUARANTINE
Policy as code (OPA/Rego)Quarantine modeAudit logsAir-gap support
policy.regoOPA / Rego
1package trunx.registry
2
3default allow := false
4
5allow if {
6 input.user.role == "developer"
7 input.artifact.cve_score < 7.0
8 not input.artifact.license_bad
9}
10
11deny if {
12 input.artifact.has_critical_cve
13}
14
15quarantine if {
16 input.artifact.cve_score >= 7.0
17}
Proxy & intelligence

One registry. All dependencies.

Proxy public registries — every package scanned and governed, whether internal or external.

Public registry proxy

Proxy npm, PyPI, Maven Central, Docker Hub through Trunx. Every pull is cached, scanned for CVEs, and recorded in audit logs.

Dependency graph

Know the blast radius before you upgrade anything.

Auto-upgrade PRs

Detect new versions, open PRs automatically.

Webhooks & API

Full REST API + webhooks for any CI/CD.

Universal CLI

trunx push/promote/scan across all formats.

Prometheus metrics

Scrape /metrics. Alert on what matters.

Version diff

Compare any two versions: changed files, new deps, added CVEs.