On-premise · Sovereign · Air-gap ready

Host your own
RPM, APK and DEB repositories.

One platform. On-premise. Sovereign. No cloud dependency. Native validation, GPG signing and distribution for Debian/Ubuntu, RHEL/Alma/Rocky and Alpine — in a single instance you control end to end.

On-premise · zero cloud dependency
RPM + APK + DEB native
Deploy in < 5 minutes
Built-in security (AV, CVE, GPG, audit)

Every package goes through:

Upload · Package received
AV Scan · Antivirus
CVE Analysis · CVE database
GPG Sign · Auto-signed
CISO Approve · Dual control
Distribute · APT · RPM · APK

RepoD is...

A private, self-hosted software repository infrastructure that natively manages RPM, APK and DEB in a single instance — for teams who want full control over their software supply chain.

The reality

Three package formats.
Each tool speaks only one of them.

Debian/Ubuntu, RHEL/Alma/Rocky/Fedora, Alpine — most teams end up with one tool per format, separate access controls, and zero unified view. RepoD brings all three together in a single self-hosted instance.

DEB · Debian · Ubuntu
Managed APT repository tree with GPG-signed Release files.
RPM · RHEL · AlmaLinux · Rocky · Fedora
Managed repository metadata, signed and ready for yum/dnf.
APK · Alpine Linux
Native Alpine repository index, signed and distributed.
1 platform, one single instance
Same users, same roles, same audit trail for all three formats.
Three frictions RepoD removes
01

Three tools, three learning curves

A different tool for DEB, a different tool for RPM, and home-grown scripts for APK — each format comes with its own toolbox, its own conventions, its own credentials. Your teams juggle three systems for a single mission: distributing trusted packages.

02

No unified audit trail

When an auditor asks "who published this package, when, and after what verification?", the answer depends on the format — and often there is no answer at all. NIS2 Article 21 requires proof, not three separate logs.

03

Cloud tools don't work in sovereign environments

Most modern package management platforms are built for SaaS — external dependencies, telemetry, mandatory cloud accounts. In air-gapped environments, the public sector, defence or finance, that simply isn't an option.

The answer isn't a better public mirror.
It's a private repository where every package — RPM, APK or DEB — is validated, signed, approved and logged before it reaches a single server in your infrastructure.
See how RepoD works
Security Pipeline

Security built into every distribution, for every format

Whether it's a .deb, .rpm or .apk, the same 7-step pipeline runs automatically before a package reaches your repository — humans only intervene at the review step.

01
Upload
Developer uploads a .deb, .rpm or .apk via REST API or UI
02
AV Scan
A full antivirus scan runs on the binary
03
CVE Scan
Checks the package against the CVE database and reports matches with CVSS scores
04
Review Queue
Security Officer reviews scan results in the CISO dashboard
05
GPG Sign
Package is signed with the repository GPG key
06
Index
Repository metadata regenerated (APT: Packages.gz · RPM: repomd.xml · APK: APKINDEX)
07
Distribute
apt / dnf / apk pulls the verified, signed package to production
All pipeline steps are logged and exportable
Every scan result, every approval, every rejection — exported as JSON for your SIEM or compliance report.
Audit log reference →
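The Index and Distribute steps above rely on a hash chain: the signed Release file names each index with its SHA-256 and size, and each Packages stanza names a .deb with its SHA-256 and size, so a client that has verified the Release signature can verify everything below it. The script below is an added example written for this page, not Repod's code: it builds that metadata the way an index step would (the .deb bytes and package name are constructed placeholders, not a real package) and then replays the client-side checks. The GPG signature over Release/InRelease is assumed to have been verified already by gpgv; only the SHA-256 links are shown.

```python
"""Hash chain between an APT Release file, its Packages index and a .deb.

Added example, not Repod's own code.  Inputs are constructed in this file so
it runs offline; the GPG check over Release/InRelease (gpgv) is assumed done.
"""
import hashlib
from typing import Dict, List, Tuple

# --- "server side": what an index step produces -----------------------------

def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_packages_index(name: str, version: str, filename: str, deb: bytes) -> bytes:
    """One Packages stanza binding a .deb path to its size and SHA-256."""
    stanza = (
        f"Package: {name}\n"
        f"Version: {version}\n"
        f"Architecture: amd64\n"
        f"Filename: {filename}\n"
        f"Size: {len(deb)}\n"
        f"SHA256: {sha256_hex(deb)}\n"
        f"Description: constructed test package\n"
        f" (not a real package)\n"
    )
    return stanza.encode()


def build_release(suite: str, indexes: Dict[str, bytes]) -> str:
    """Release file listing size and SHA-256 of every index file under it."""
    lines = [f"Suite: {suite}", "Codename: noble", "Architectures: amd64", "SHA256:"]
    for path, data in sorted(indexes.items()):
        lines.append(f" {sha256_hex(data)} {len(data):>16} {path}")
    return "\n".join(lines) + "\n"

# --- "client side": what apt checks once gpgv accepts the signature ----------

def parse_release_sha256(text: str) -> Dict[str, Tuple[str, int]]:
    """Return {path: (sha256, size)} from the SHA256: section of a Release file."""
    entries, in_section = {}, False
    for line in text.splitlines():
        if line.startswith("SHA256:"):
            in_section = True
            continue
        if in_section:
            if not line.startswith(" "):
                break  # the next top-level field ends the section
            digest, size, path = line.split()
            entries[path] = (digest, int(size))
    return entries


def parse_packages(data: bytes) -> List[Dict[str, str]]:
    """Parse RFC 822-style stanzas; continuation lines start with a space."""
    stanzas, cur, last = [], {}, None
    for line in data.decode().splitlines():
        if not line.strip():
            if cur:
                stanzas.append(cur)
            cur, last = {}, None
        elif line.startswith(" ") and last:
            cur[last] += "\n" + line[1:]
        else:
            key, _, value = line.partition(":")
            cur[key] = value.strip()
            last = key
    if cur:
        stanzas.append(cur)
    return stanzas


def digest_matches(data: bytes, expected_hex: str, expected_size: int) -> bool:
    return len(data) == expected_size and sha256_hex(data) == expected_hex


def verify_chain(release_text: str, index_path: str, packages: bytes,
                 deb_path: str, deb: bytes) -> Dict[str, bool]:
    """Check Release -> Packages -> .deb; stop at the first broken link."""
    result = {"index": False, "package": False}
    expected = parse_release_sha256(release_text).get(index_path)
    if expected is None or not digest_matches(packages, *expected):
        return result  # unknown or tampered index: nothing below it is trusted
    result["index"] = True
    for st in parse_packages(packages):
        if st.get("Filename") == deb_path:
            result["package"] = digest_matches(deb, st["SHA256"], int(st["Size"]))
    return result


# Constructed inputs (placeholder bytes, not a real Debian archive).
DEB = b"!<arch>\nconstructed placeholder: not a real Debian archive\n"
DEB_PATH = "pool/main/h/hello/hello_1.0-1_amd64.deb"
INDEX_PATH = "main/binary-amd64/Packages"
PACKAGES = build_packages_index("hello", "1.0-1", DEB_PATH, DEB)
RELEASE = build_release("noble", {INDEX_PATH: PACKAGES})

if __name__ == "__main__":
    print("intact:      ", verify_chain(RELEASE, INDEX_PATH, PACKAGES, DEB_PATH, DEB))
    print("tampered deb:", verify_chain(RELEASE, INDEX_PATH, PACKAGES, DEB_PATH, DEB + b"\x00"))
```

A swapped .deb fails at the package link while the index still verifies; a swapped Packages file fails at the index link and the package is never consulted, which is why a rebuilt index must always be followed by a re-signed Release.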
Integrations

Fits into your existing stack

Repod exposes a full REST API. Every pipeline, tool, and platform that can make an HTTP call can integrate with it.

CI/CD
GitHub Actions

Upload packages on release via the REST API. SARIF results post directly to GitHub Code Scanning.

GitLab CI

Publish .deb and .rpm artefacts to Repod from your pipeline with a single curl call.

Jenkins

Use the Repod REST API in a post-build step to push packages and gate on CVE scan results.

Infrastructure
Ansible

Point apt/dnf/apk at your Repod endpoint and pin its signing key on every node (apt: a signed-by= keyring in the source entry; dnf: gpgcheck=1 plus repo_gpgcheck=1 in the .repo file; apk: the public key installed in /etc/apk/keys). With the key pinned, nodes consume only GPG-verified, CVE-cleared packages.

Terraform / OpenTofu

Provision Repod alongside your infrastructure. Bootstrap distributions and upload base packages on first apply.

Docker / Kubernetes

Configure base images to pull from Repod. Your containers only ever install scanned, approved packages.

Security & Compliance
SIEM (Splunk / Elastic)

Stream the immutable audit trail via webhook or JSON export into your SIEM for unified security monitoring.

GitHub Code Scanning

Export CVE scan results as SARIF 2.1.0 and upload them directly to the GitHub Security tab — no extra tooling needed.

Vulnerability Management

Webhook notifications on new critical CVEs let your VM platform (Tenable, Qualys, Wiz) stay in sync with your package inventory.
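The Jenkins item above talks about gating a build on CVE scan results and the GitHub Code Scanning item about exporting them as SARIF 2.1.0. The script below is an added example, written for this page rather than taken from Repod, that does both from one set of findings: a block/review/warn policy with written accepted-risk exceptions, and a SARIF log GitHub can ingest. The findings, file paths and policy are constructed, and the CVE identifiers are placeholders rather than real advisories; the rule property security-severity and the result suppressions field are real SARIF/GitHub conventions.

```python
"""CVE policy gate and SARIF 2.1.0 export for package scan results.

Added example, not Repod's own code or API.  FINDINGS and POLICY are
constructed; the CVE ids are placeholders, not real advisories.
"""
import json
from typing import Dict, List

# Constructed scanner output: one row per (package, CVE) pair.
FINDINGS: List[Dict] = [
    {"package": "openssl", "version": "3.0.14-0",
     "file": "pool/main/o/openssl/openssl_3.0.14-0_amd64.deb",
     "cve": "CVE-0000-0001", "cvss": 9.8, "summary": "placeholder: critical finding"},
    {"package": "openssl", "version": "3.0.14-0",
     "file": "pool/main/o/openssl/openssl_3.0.14-0_amd64.deb",
     "cve": "CVE-0000-0002", "cvss": 5.3, "summary": "placeholder: medium finding"},
    {"package": "curl", "version": "8.7.1-1",
     "file": "pool/main/c/curl/curl_8.7.1-1_amd64.deb",
     "cve": "CVE-0000-0003", "cvss": 7.5, "summary": "placeholder: high finding"},
]

# Constructed policy: thresholds on the CVSS base score plus accepted-risk
# exceptions, each of which must carry a justification that ends up in the log.
POLICY = {
    "block_at": 9.0,
    "review_at": 7.0,
    "accepted": {"CVE-0000-0003": "constructed: vulnerable code path not built"},
}


def gate(findings: List[Dict], policy: Dict) -> Dict:
    """Bucket each finding and return the strictest decision it implies."""
    buckets = {"block": [], "review": [], "warn": [], "accepted": []}
    for f in findings:
        if f["cve"] in policy["accepted"]:
            buckets["accepted"].append(f["cve"])
        elif f["cvss"] >= policy["block_at"]:
            buckets["block"].append(f["cve"])
        elif f["cvss"] >= policy["review_at"]:
            buckets["review"].append(f["cve"])
        else:
            buckets["warn"].append(f["cve"])
    decision = next((k for k in ("block", "review", "warn") if buckets[k]), "pass")
    return {"decision": decision, **buckets}


def sarif_level(cvss: float) -> str:
    """Map a CVSS base score to a SARIF result level."""
    return "error" if cvss >= 7.0 else "warning" if cvss >= 4.0 else "note"


def to_sarif(findings: List[Dict], policy: Dict, tool_name: str = "package-cve-scan") -> Dict:
    """Minimal SARIF 2.1.0 log: one rule per CVE, one result per finding."""
    rules, seen, results = [], set(), []
    for f in findings:
        if f["cve"] not in seen:
            seen.add(f["cve"])
            rules.append({
                "id": f["cve"],
                "shortDescription": {"text": f["summary"]},
                "helpUri": f"https://www.cve.org/CVERecord?id={f['cve']}",
                # GitHub code scanning reads this to show severity in the Security tab.
                "properties": {"security-severity": str(f["cvss"])},
            })
        result = {
            "ruleId": f["cve"],
            "level": sarif_level(f["cvss"]),
            "message": {"text": f"{f['package']} {f['version']}: {f['cve']} (CVSS {f['cvss']})"},
            # Assumed layout: the uri is taken relative to the repository root on upload.
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": f["file"]}}}],
        }
        if f["cve"] in policy["accepted"]:  # keep the finding visible, mark it suppressed
            result["suppressions"] = [{"kind": "external",
                                       "justification": policy["accepted"][f["cve"]]}]
        results.append(result)
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": rules}},
                  "results": results}],
    }


if __name__ == "__main__":
    verdict = gate(FINDINGS, POLICY)
    print(json.dumps(to_sarif(FINDINGS, POLICY), indent=2))  # redirect to scan.sarif
    raise SystemExit(1 if verdict["decision"] == "block" else 0)
```

Accepted findings stay in the SARIF output with a suppression and its justification rather than being dropped, so the exception itself is auditable; the exit code is what a Jenkins post-build step or a GitHub Actions job keys on before the upload-sarif step runs.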

Full REST API — every action is scriptable
Upload, promote, query, and approve packages programmatically. Interactive Swagger UI at /api/docs on your Repod instance.
API reference
Interface

Designed for security teams, not just developers

A clean, information-dense UI that gives your CISO real-time visibility without opening a terminal.

repod.acme.corp · Dashboard · Last updated 2 minutes ago

Total Packages: 1 247 (+12 today)
Pending Review: 3 (needs action)
Critical CVEs: 0 (all clear)
Distributions: 15 (4 APT · 9 RPM · 2 APK)

Package          Version    Distribution   Status     Uploaded
nginx            1.27.3-1   focal          Approved   2h ago
openssl          3.0.14-0   jammy          Pending    3h ago
libssl-dev       3.0.14-0   jammy          Scanning   3h ago
curl             8.7.1-1    noble          Approved   5h ago
openssh-server   9.7p1-1    noble          Rejected   1d ago
Comparison

How RepoD stacks up

The only self-hosted repository manager handling DEB, RPM and APK natively in one instance — with security validation built in, no add-ons, no extra licences.

Feature · Repod · Nexus OSS · Artifactory CE · Aptly · Cloudsmith

  • APT & RPM repository
  • Native APK (Alpine) repository
  • Web UI
  • Built-in CVE scanning
  • AV malware scan
  • CISO review queue
  • GPG auto-sign
  • Audit trail
  • NIS2 compliance mode
  • RBAC (5 roles)
  • Self-hosted / air-gap
  • Single container
  • Open source (Community)

Comparison based on publicly available documentation. Last reviewed May 2026.

NIS2 · SecNumCloud ready

Compliance out of the box

Repod maps directly to NIS2 Article 21 requirements. Every action is logged, every package is traceable, every approval is documented — so your audit is ready when the auditor arrives.

Art. 21(2)(a) Risk analysis & security policies
Covered by: Audit trail + RBAC
Art. 21(2)(b) Incident handling
Covered by: CVE alerts + review queue
Art. 21(2)(d) Supply chain security
Covered by: GPG signing + AV/CVE scan
Art. 21(2)(e) Acquisition & development security
Covered by: Dual-control approval workflow
Art. 21(2)(h) Cryptography & encryption
Covered by: GPG + TLS (reverse proxy)
Read the full NIS2 compliance matrix
SecNumCloud alignment
ANSSI qualification path

Architecture documented for SecNumCloud qualification reviews. Self-hosted deployment with no foreign cloud dependencies meets sovereignty requirements.

One-command audit export
JSON · CSV · Syslog compatible
GET /api/v1/audit?from=2026-01-01&format=json
ISO 27001 evidence-ready
Repod's audit trail covers controls A.12.5 (control of operational software) and A.12.6 (technical vulnerability management) in the ISO/IEC 27001:2013 Annex A numbering (A.8.19 and A.8.8 in the 2022 edition).
Open source · AGPL-3.0 + commercial

RepoD Community
is here.

RepoD Community natively manages DEB, RPM and APK in a single self-hosted instance, under the AGPL-3.0 license. Clone the repo, spin it up with Docker Compose — no account required, no telemetry.

GPG signed · Antivirus scanned · CVE analyzed · NIS2 compliant · Immutable audit log · Air-gap ready · SBOM export · SHA-256 verified · Dual control · Zero telemetry · Self-hosted · AGPL-3.0
Pricing

Simple, transparent pricing

Start free with the open-source Community Edition — DEB, RPM and APK in one instance. Enterprise plans are sized by the number of client machines (nodes) in your inventory and unlock fleet management, SSO and advanced security controls.

Community
Self-hosted, AGPL-3.0, no account required.
Free
  • DEB, RPM and APK hosting — in a single instance
  • Package upload via REST API & drag-and-drop UI
  • Antivirus scan on every upload (blocking)
  • GPG auto-signing — Release/repomd/APKINDEX signed automatically
  • CVE vulnerability scan — informational, never blocking
+ 5 more features
Starter
Small fleets getting started with managed updates.
Contact us · per year
Up to 25 inventory nodes
  • Email support
  • Fleet inventory & SSH scanning with CVE analysis
  • Remote package deployment (SSH, dry-run + confirm)
  • SBOM export — SPDX & CycloneDX
+ 5 more features
Popular
Business
Growing teams that need SSO and stronger CVE controls.
Contact us · per year
Up to 100 inventory nodes
  • Everything in Starter
  • LDAP / Active Directory + OIDC SSO + TOTP MFA
  • API tokens for CI/CD pipelines
  • Advanced CVE policy + SLA alerts
+ 5 more features
Enterprise
Large fleets that need HA, mirroring and an SLA.
Contact us · per year
Unlimited inventory nodes
  • Everything in Business
  • Scheduled mirroring of upstream repositories
  • High availability (multi-replica, shared storage)
  • Dedicated onboarding & roadmap input
+ 5 more features
All Enterprise tiers include
  • Everything in Community
  • Fleet inventory & SSH scanning with automated CVE analysis
  • Remote package deployment over SSH (dry-run + confirm)
  • SBOM export — SPDX & CycloneDX
  • Automated PostgreSQL + repository backups
  • LDAP / Active Directory + OIDC SSO + TOTP MFA
  • API tokens for CI/CD pipelines
  • Advanced CVE policy (block/review/warn) + SLA alerts
  • Email & webhook notifications (Slack/Teams/Mattermost)
  • Scheduled mirroring & high-availability (multi-replica)

No commitment · 30-day pilot available on all Enterprise plans

Live demos available now

See RepoD Enterprise in action

Get a personalised 30-minute walkthrough with a live RepoD instance. We'll show you the security pipeline, the CISO dashboard, and how to deploy DEB, RPM and APK repositories in your environment.

Request your demo

Or email us directly at [email protected]