This page documents how Anaconda builds, secures, and maintains packages in the main channel. These practices support the integrity and security of packages delivered to Anaconda customers. This documentation reflects Anaconda’s practices as of June 2026. Anaconda continues to evolve its security capabilities based on customer needs and industry developments.

Package intake and source review

Before packages are added to Anaconda channels, they undergo a review. This review assesses repository validity and authenticity, package popularity and community engagement, development activity, maintenance status, and known vulnerabilities. Anaconda builds packages from source code whenever possible, providing visibility into package contents. For select components that require binary distribution (such as CUDA packages), Anaconda works with trusted partners. Anaconda pins both the upstream version and a SHA256 checksum of the source archive in each build specification. Before a build starts, the fetched source is hashed and compared with the pinned checksum; if the upstream artifact has been altered since the pin was recorded, the comparison fails and the build does not proceed. A pin can only detect changes made after it was recorded, not a source that was already compromised when the checksum was taken, so Anaconda also introduces a time delay between source availability and build initiation, providing a window for upstream compromises to surface before they enter the build pipeline.
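The checksum pin and hold window described above, as an added Python example. This is not Anaconda's build tooling: the recipe dictionary, the archive bytes, the package name libfoo, the placeholder URL and the seven-day window are all constructed or hypothetical, and the page gives no figure for the real delay.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed sample: the "source" archive as pinned, and the same archive
# with bytes appended after the pin was recorded (nothing is downloaded).
ORIGINAL_ARCHIVE = b"libfoo-1.4.2 source tarball (constructed sample bytes)\n"
TAMPERED_ARCHIVE = ORIGINAL_ARCHIVE + b"# bytes injected after the pin was recorded\n"

# Stand-in for the source section of a build recipe (hypothetical package).
RECIPE = {
    "url": "https://example.invalid/libfoo-1.4.2.tar.gz",
    "version": "1.4.2",
    "sha256": hashlib.sha256(ORIGINAL_ARCHIVE).hexdigest(),
}

# Hypothetical hold window; the page says a delay exists but not how long.
HOLD_WINDOW = timedelta(days=7)
PUBLISHED_AT = datetime(2026, 6, 1, tzinfo=timezone.utc)   # constructed upstream release time
NOW = PUBLISHED_AT + timedelta(days=10)                   # window has elapsed
EARLY = PUBLISHED_AT + timedelta(days=1)                  # window has not elapsed


def pin_is_well_formed(pin: str) -> bool:
    """A SHA256 pin is 64 hex characters; reject MD5-length, empty or garbage pins outright."""
    return len(pin) == 64 and all(c in "0123456789abcdefABCDEF" for c in pin)


def verify_pinned_source(data: bytes, pinned_sha256: str) -> bool:
    """True only if the artifact hashes to the pinned checksum."""
    if not pin_is_well_formed(pinned_sha256):
        return False
    actual = hashlib.sha256(data).hexdigest()
    # Constant-time compare is not strictly needed for a public hash, but is the safe habit.
    return hmac.compare_digest(actual, pinned_sha256.lower())


def hold_window_elapsed(published_at: datetime, now: datetime, window: timedelta) -> bool:
    """True once the upstream release has been public for at least `window`."""
    return now - published_at >= window


def build_allowed(data: bytes, recipe: dict, published_at: datetime, now: datetime,
                  window: timedelta = HOLD_WINDOW) -> tuple:
    """Gate a build on both checks; either failure stops the build with a reason."""
    if not verify_pinned_source(data, recipe["sha256"]):
        return False, "checksum mismatch: artifact differs from the pinned source"
    if not hold_window_elapsed(published_at, now, window):
        return False, "hold window has not elapsed since upstream release"
    return True, "ok"


if __name__ == "__main__":
    print(build_allowed(ORIGINAL_ARCHIVE, RECIPE, PUBLISHED_AT, NOW))       # (True, 'ok')
    print(build_allowed(TAMPERED_ARCHIVE, RECIPE, PUBLISHED_AT, NOW))       # checksum mismatch
    print(build_allowed(ORIGINAL_ARCHIVE, RECIPE, PUBLISHED_AT, EARLY))     # hold window
```

The order of the two checks matters in practice: a tampered artifact is rejected even when the window has elapsed, and an intact artifact is still held back until the window passes, which is the case the pin alone cannot cover.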

Build environment

Package builds occur in dedicated, isolated environments separated from general corporate networks. These environments are protected with role-based access controls and are accessible only by Anaconda employees via authenticated access. Role-based permissions restrict package publishing to designated personnel on the package building team. Build and release activities, access events, and configuration changes are logged. Build and release environments are separated, with segregated credentials, so that access to the build infrastructure does not also grant the ability to publish packages to distribution channels. For most packages, rather than accepting pre-compiled binaries, Anaconda compiles from source within controlled build infrastructure, providing visibility into what goes into each package. Build processes verify that declared dependencies exist and are available. When necessary, Anaconda also tests downstream dependents to verify that updating one package does not break the packages that depend on it.

Access controls and code review

Access to build and release systems is restricted to authorized personnel through role-based access controls, multi-factor authentication, and the principle of least privilege. Only employees who specialize in package building have permission to modify package recipes. All recipe changes require peer review from other team members before being merged.

Dependency management

Anaconda unbundles dependencies that upstream projects vendor and uses dynamic linking over static linking where feasible. This practice makes each dependency independently manageable: when a vulnerability is discovered in a library, that specific component can be updated without rebuilding every package that depends on it. The separation also results in more accurate vulnerability reporting. Third-party scanning tools that analyze upstream sources might report vulnerabilities that do not apply to Anaconda’s packages because of differences in how they were built; a CVE in a library that upstream compiles in statically, for example, does not apply to a main-channel build that links the separately packaged library dynamically, and the fix lands in that library package instead. Because Anaconda’s main channel is a curated repository with controlled package intake, it is not susceptible to the following attack types:
  • Typosquatting: Attackers publish packages with names similar to popular packages to trick users into installing them
  • Dependency confusion attacks: Malicious packages are uploaded to public repositories with names matching an organization’s internal packages
Open repositories that accept uploads from any user are vulnerable to both of the above attack types. Anaconda’s main channel only contains packages that have been reviewed and built by Anaconda, eliminating these vectors for that channel. Environments that also draw packages from other channels, or from PyPI via pip, inherit the intake policies of those sources.

Package integrity

Anaconda signs repository metadata for the main channel. The signature enables verification that package information—including dependencies, licenses, and package contents—has remained unmodified since Anaconda published the package. Signature verification and management capabilities are provided through the Anaconda Platform (Cloud and Self-hosted) and Package Security Manager. When verification is enabled through these products, users are alerted if metadata has been altered between Anaconda’s repository and their system. Packages undergo malware scanning before distribution. Packages are uploaded from the secure build network directly to Anaconda’s distribution channels, maintaining a chain of custody from build to distribution. For Windows environments, Anaconda signs binaries with Authenticode certificates, meeting enterprise security requirements for verified software vendors.

Vulnerability management

Anaconda matches vulnerability reports to packages in its distribution and, for vulnerabilities with Critical or High CVSS scores, verifies that each match actually applies to the main-channel build of the package. Vulnerability statuses are updated based on this review. Anaconda actively monitors vulnerabilities in distributed packages and prioritizes expedited package updates based on severity. The speed of updates depends on the complexity of the packaging work required. Anaconda typically addresses vulnerabilities by updating to newer versions of packages that include upstream fixes. To receive these fixes, users should update to the latest available version of the affected package. When necessary, Anaconda can remove packages from distribution through a formal package removal process. Vulnerability information for packages in the main channel is available through the Anaconda Platform, including:
  • Vulnerability identification and matching to packages in your channels
  • Status tracking with curation metadata and review references
  • Vulnerability notifications based on configurable score thresholds
  • Environment scanning to identify CVEs associated with installed packages
  • Downloadable CVE reports per channel
For more information, see Managing CVEs in Anaconda Platform (Cloud) or Managing CVEs in Package Security Manager. These features are provided in the Anaconda Platform, not our free repository.
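To make the matching, curation and threshold steps above concrete, here is an added Python example that is not Anaconda's matcher or the Platform's data model. It reads a constructed environment listing in `conda list` layout, matches constructed advisories (placeholder CVE identifiers; hypothetical packages libfoo and barapp) by package name and fixed-in version, applies a curation note for the bundled-library false positive described under Dependency management, and filters by a configurable score threshold. The status strings, the review reference format and the CVSS values are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    cve: str          # placeholder identifier, constructed for this example
    package: str      # upstream project the advisory is filed against
    fixed_in: str     # installed versions below this are reported as affected
    cvss: float


# Constructed listing in `conda list` layout: name, version, build, channel.
ENVIRONMENT_LISTING = """\
# packages in environment at /opt/env (constructed sample)
libfoo        1.4.1    h0000000_0   main
barapp        3.2.0    py311_0      main
openssl       3.0.14   h1111111_0   main
"""

# Constructed advisories. The barapp entry exists because the upstream barapp
# release statically bundles libfoo; it is a false positive for a build that
# unbundles libfoo and links it dynamically.
ADVISORIES = [
    Advisory("CVE-0000-0001", "libfoo", fixed_in="1.4.2", cvss=9.8),
    Advisory("CVE-0000-0001", "barapp", fixed_in="3.2.1", cvss=9.8),
    Advisory("CVE-0000-0002", "openssl", fixed_in="3.0.13", cvss=7.5),
]

# Curation metadata keyed by (CVE, package). Status wording and the review
# reference "R-1" are assumed formats, not Anaconda's.
CURATION = {
    ("CVE-0000-0001", "barapp"): "not affected: libfoo is unbundled and linked "
                                 "dynamically; tracked under libfoo (review ref R-1)",
}

UNREVIEWED = "affected (unreviewed)"


def parse_version(v: str) -> tuple:
    """Numeric dotted versions only; enough for the sample, not a full conda version parser."""
    return tuple(int(part) for part in v.split("."))


def parse_environment(listing: str) -> dict:
    """Map package name -> installed version, skipping blank and comment lines."""
    env = {}
    for line in listing.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, version = line.split()[:2]
        env[name] = version
    return env


def find_matches(env: dict, advisories: list, curation: dict) -> list:
    """Attach an advisory to an installed package when its version is below fixed_in,
    carrying the curation status if a reviewer has already recorded one."""
    matches = []
    for adv in advisories:
        installed = env.get(adv.package)
        if installed is None or parse_version(installed) >= parse_version(adv.fixed_in):
            continue
        matches.append({
            "cve": adv.cve,
            "package": adv.package,
            "version": installed,
            "cvss": adv.cvss,
            "status": curation.get((adv.cve, adv.package), UNREVIEWED),
        })
    return matches


def needs_review(matches: list, min_cvss: float = 7.0) -> list:
    """Critical/High matches that still carry no curation decision."""
    return [m for m in matches if m["cvss"] >= min_cvss and m["status"] == UNREVIEWED]


def notifications(matches: list, threshold: float) -> list:
    """Matches at or above the configured score threshold, minus curated false positives."""
    return [m for m in matches
            if m["cvss"] >= threshold and not m["status"].startswith("not affected")]


if __name__ == "__main__":
    env = parse_environment(ENVIRONMENT_LISTING)
    for m in find_matches(env, ADVISORIES, CURATION):
        print(f'{m["cve"]} {m["package"]}=={m["version"]} cvss={m["cvss"]} {m["status"]}')
```

Run as written, the openssl advisory produces no match because the installed version is already at or above the fixed-in version, the barapp match is suppressed from notifications by its curation note, and only the libfoo match remains both unreviewed and above the threshold, which is the queue a reviewer would work through first.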

Anaconda installers

Anaconda Distribution and Miniconda installers are point-in-time snapshots of a compatible set of packages tested to work together at the time of release. Installers are not rebuilt when individual packages receive security updates between releases. To receive the latest security fixes for packages included in an installer, users should update their base environment after installation. Anaconda publishes updated packages to the main channel on an ongoing basis, and these updates are available immediately through conda regardless of which installer version was used. For instructions on updating your environment, see Updating conda packages.

Reporting a vulnerability

If you believe you have found a security vulnerability in an Anaconda package or product, you can report it through our Vulnerability Disclosure Program, hosted on Intigriti. Reports are reviewed by our security team, and eligible submissions might qualify for a reward. Submit reports at: https://app.intigriti.com/programs/anacondainc/anacondavdp/detail

Software transparency

Anaconda provides license metadata using standardized SPDX tags and makes Software Bills of Materials (SBOMs) available for packages in the main channel through our enterprise offering.

Compliance

Anaconda’s security program is certified to ISO/IEC 27001:2022 and maintains a SOC 2 Type II attestation. Controls have been drafted in accordance with the NIST Cybersecurity Framework and NIST Secure Software Development Framework.
If you have questions about Anaconda’s security practices, reach out to us through our support team or through your account representative.