mckeane mcbrearty

Static supply chain scanner catches npm & PyPI attack patterns CVE databases miss: install scripts, credential theft, child process spawning, network exfil. 100 detectors, sandbox routing for eligible packages, GitHub App + CLI. Free plan.

Every app today relies on hundreds of open source packages written by strangers. Tools like npm audit and CVE databases only catch known threats (attacks that already happened) When you install a dependency or open a pull request, Dependency Guardian downloads the package tarball and runs behavioral detectors directly against the source code. No CVE lookups. Just static analysis. That means it can catch zero day attacks before they ever reach your production pipeline.