
Secure Software by Construction

Flox gives organizations deterministic, auditable control over every dependency in their software supply chain, from first commit to production deployment. Provable provenance and deterministic SBOMs mean no guesswork.


Take Control of Your Software Supply Chain

Security Engineers / AppSec

Flox produces deterministic SBOMs. Every package resolves to an immutable, hash-addressed store path, and the full transitive dependency graph both determines the realized output and can be derived from it. So when a CVE drops, you can identify affected environments at the dependency level, patch by editing the declarative definition, and promote a new pinned reference.

GRC and Compliance Managers

What ran in production at decision time? How was it built? When? With which dependencies? With Flox, build provenance is encoded in the artifact itself: technical DNA that auditors can use to trace and enumerate a package's provenance and inputs. Governance travels with each artifact, enforced by the same Git-based workflow that controls PR history, approvals, signatures, and diffs.

Platform / Infrastructure Engineers

Keep your existing deployment patterns: Flox drops right into OCI image workflows, but makes a pinned environment reference—a Git commit, FloxHub generation, or Nix store-path hash—the unit of promotion. Flox environments travel as-is from local laptops through CI to production. For Kubernetes, Flox emits distroless OCI images; on VMs and bare metal, activation is a single command.

MLOps / ML Platform Engineers

With Flox, ML researchers and MLOps teams declaratively define CUDA/Python stacks, promoting by switching a pinned reference. The same environment is validated in eval/CI, then deployed to production. Flox even allows conflicting CUDA stacks to run on the same machine at the same time. Teams can version and publish model artifacts, checkpoints, and pipelines to private Flox catalogs.

Engineering Leadership (VP Eng, CTO, CISO)

Flox shortens the path from R&D to production, eliminating the rebuild → publish → redeploy loop that gates every dependency change. Rollback is atomic: a single reference switch back to a known-good state. Provenance and SBOMs are baked into Flox environments and Flox-built packages, not reconstructed after the fact.

What Flox gives you

Flox provides deterministic foundations across the software lifecycle:

Provenance and Traceability

Tracing a production artifact back to its inputs is often a forensic exercise in correlating image digests, CI logs, and build scripts. With Flox, provenance is structural: baked into each environment or package's dependency graph.

Deterministic SBOMs

Most SBOMs are approximations, inferred after the fact by scanning a finished artifact. A Flox SBOM is enumerated completely from the dependency graph of the environment's realized store paths, and that graph is produced by the same declarative specification that produces the runtime. Flox SBOMs are authoritative because they are deterministic: the same inputs yield the same graph and the same SBOM.

Accelerated CVE Remediation

With Flox, every dependency resolves to a hash-addressed store path, so you can identify exactly which packages in which environments are affected, down to the individual build rather than just a name and version. Patch by editing a declarative definition: bump the affected package, validate, and promote a new pinned reference. Changes are atomic, reviewable, and auditable.
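The Security Engineers / AppSec, Deterministic SBOMs and Accelerated CVE Remediation passages all describe the same mechanism: derive the transitive closure from hash-addressed store paths, treat that closure as the SBOM, and match advisories against it per environment. The Python below is an added example, not Flox's own code or CLI. It assumes the Nix store layout Flox builds on (/nix/store/<hash>-<name>-<version>) and a references map of the kind `nix-store --query --references` reports; the store paths, placeholder hashes, reference edges, environments and the advisory are all constructed sample data, and the advisory is not a real CVE.

```python
"""Dependency-level advisory matching over hash-addressed closures (added example)."""
import hashlib
import json
import re
from collections import deque

NIX32 = "0123456789abcdfghijklmnpqrsvwxyz"  # Nix's base-32 alphabet
STORE_RE = re.compile(r"^/nix/store/([0-9a-z]{32})-(.+)$")


def fake_hash(label: str) -> str:
    """Constructed placeholder hash (NOT a real Nix store hash), deterministic from a label."""
    digest = hashlib.sha256(label.encode()).digest()
    return "".join(NIX32[b % 32] for b in digest[:32])


def sp(name_version: str, variant: str = "") -> str:
    """Build a constructed store path; different inputs (variant) give a different hash."""
    return f"/nix/store/{fake_hash(name_version + variant)}-{name_version}"


# Constructed closure: the same python3-3.11.8 built against two openssl releases
# is two distinct store paths, because the hash covers the full set of inputs.
GLIBC = sp("glibc-2.38")
OPENSSL_OLD = sp("openssl-3.0.10")
OPENSSL_NEW = sp("openssl-3.0.12")
PY_OLD = sp("python3-3.11.8", "old")   # linked against OPENSSL_OLD
PY_NEW = sp("python3-3.11.8", "new")   # linked against OPENSSL_NEW
CURL = sp("curl-8.5.0")

REFERENCES = {  # store path -> paths it references (what `nix-store -q --references` lists)
    GLIBC: [],
    OPENSSL_OLD: [GLIBC],
    OPENSSL_NEW: [GLIBC],
    PY_OLD: [OPENSSL_OLD, GLIBC],
    PY_NEW: [OPENSSL_NEW, GLIBC],
    CURL: [OPENSSL_NEW, GLIBC],
}

ENVIRONMENTS = {  # environment name -> root store paths it was realized from
    "web-api": [PY_NEW, CURL],
    "batch-worker": [PY_NEW],
    "legacy-reporting": [PY_OLD],
}

# Constructed advisory for illustration only; not a real CVE.
SAMPLE_ADVISORY = {"id": "EXAMPLE-ADVISORY-0001", "package": "openssl", "fixed_in": "3.0.11"}


def parse_store_path(path: str):
    """Split /nix/store/<hash>-<name>-<version> into (hash, name, version)."""
    m = STORE_RE.match(path)
    if not m:
        raise ValueError(f"not a store path: {path}")
    h, rest = m.group(1), m.group(2)
    vm = re.search(r"-(?=[0-9])", rest)  # Nix rule: version starts at first '-' followed by a digit
    if vm is None:
        return h, rest, ""
    return h, rest[:vm.start()], rest[vm.start() + 1:]


def closure(roots, references):
    """Transitive closure of the roots; sorted so the result is independent of traversal order."""
    seen, queue = set(), deque(roots)
    while queue:
        p = queue.popleft()
        if p in seen:
            continue
        seen.add(p)
        queue.extend(references[p])  # KeyError on purpose: an unknown path means an incomplete graph
    return sorted(seen)


def sbom(env_name, roots, references):
    """Enumerate the SBOM from the closure and return (document, canonical content digest)."""
    components = []
    for p in closure(roots, references):
        h, name, version = parse_store_path(p)
        components.append({"name": name, "version": version, "store_path": p,
                           "depends_on": sorted(references[p])})
    doc = {"environment": env_name, "components": components}
    canonical = json.dumps(doc, sort_keys=True, separators=(",", ":"))
    return doc, hashlib.sha256(canonical.encode()).hexdigest()


def version_tuple(v: str):
    """Numeric-only comparison; enough for the sample, a real matcher follows the ecosystem's scheme."""
    return tuple(int(x) for x in re.findall(r"\d+", v))


def affected_paths(doc, advisory):
    """Store paths in one SBOM whose package name matches and whose version predates the fix."""
    return [c["store_path"] for c in doc["components"]
            if c["name"] == advisory["package"]
            and version_tuple(c["version"]) < version_tuple(advisory["fixed_in"])]


def vulnerable_environments(advisory, environments=ENVIRONMENTS, references=REFERENCES):
    """Map each affected environment to the exact store paths that triggered the match."""
    hits = {}
    for env, roots in environments.items():
        doc, _ = sbom(env, roots, references)
        found = affected_paths(doc, advisory)
        if found:
            hits[env] = found
    return hits


if __name__ == "__main__":
    print(json.dumps(vulnerable_environments(SAMPLE_ADVISORY), indent=2))
```

Only legacy-reporting is flagged, and it is flagged by store path rather than by name, which is what lets you tell a python3 linked against the patched openssl apart from one that is not. Remediation in this model is switching that environment's root to the rebuilt PY_NEW and re-running the match, the same way a pinned reference is promoted.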

Audit Readiness

Can you answer an auditor's questions from the build itself, or do you need a separate compliance process? With Flox, technical provenance—what ran, how it was built, what it depends on—is encoded in the runtime environment. Governance—who authored what change, who reviewed it, when it was merged—lives in Git history. The engineering workflow is the evidence.

Control Your Software Supply Chain

Flox gives organizations complete control over their software inventories. Teams build and publish packages to private catalogs, without relying on mutable upstream repositories. They can install software from the Flox Catalog, a versioned, curated collection of 190,000 packages, each an immutable, hash-addressed artifact with provable provenance.

Don’t just take our word for it

“Flox removes the risk of environment drift by letting you replicate your exact production environment during development, regardless of architecture differences between OSes.”

Priya Ananthasankar

Principal Software Engineer at Microsoft

“Flox takes the friction out of onboarding PostHog team members and contributors. Before, our local dev guide comprised 16 steps with 14 caveats. Now, it's just a universal flox activate.”

Michael Matloka

Senior Product Engineer at PostHog

“When you ask me to build something, I don't just write code—I create the entire environment. With Flox, I can search packages, install dependencies, and build and run your app.”

Claude

AI Coding Agent

See how Flox works in your environment

Explore deterministic foundations for secure, reproducible software delivery. Talk through your requirements with our team.