Install-path firewall · open source

Block malicious packages before they download.

One command turns it on. Every npm, pip, cargo, gem, and go install then gets checked against 25 supply-chain signals, and the malicious or typosquatted ones are blocked before the download even starts.

$ curl -fsSL https://chain305.com/install.sh | bash
$ chainsaw guard init --install

Paste both lines and your installs are checked locally from here on, before anything downloads. To see it work, run npm install crossenv (a known typosquat of cross-env) and watch it stop.

It runs on your own machine, and it is open source. It asks once before sharing anonymous usage (defaults to yes; decline anytime with chainsaw telemetry off; never from CI).

Works with the package managers and registries across your stack

npmPyPIMavenGradleDockerAPTyumDNFNuGetGoCargoSwiftCocoaPodsRubyGemsPackagistHugging FacenpmPyPIMavenGradleDockerAPTyumDNFNuGetGoCargoSwiftCocoaPodsRubyGemsPackagistHugging Face

See it block

Watch it block a typosquat

Turn the guard on with one line in your shell. After that a normal npm install gets checked first, and a typosquat gets refused before the package downloads. The bad tarball never lands on disk.

How the local guard actually works

One hook in your shell. Every decision made on your machine.

  • A shell hook, not a daemon.

    chainsaw guard init --install wires into npm, pip, cargo, gem, and go, so installs get checked the moment you run them — no background service, no registry repoint. Your clean installs and lockfiles stay on disk. The only thing it ever shares is a package it blocked, and only after it asks you once.

  • Seeds ride inside the binary.

    Known-malicious packages and typosquats are matched against data shipped in the binary itself, so the check returns in single-digit milliseconds even with the network unplugged.

  • Telemetry is a separate switch — and it asks first.

    First run asks once, defaulting to yes, and shows exactly what it would share before you answer. It stays silent in CI, and chainsaw telemetry on|off flips it whenever you want.

  • The engine is readable, and all 25 signals are free.

    The policy logic lives in the open at github.com/chain305/chainsaw-core, and the full detection set runs on the free tier. It stays free even once your whole workflow leans on it.

How it fires

One signed Rego policy, checked at five surfaces against the same input.

The same policy runs on your laptop, in CI, at Kubernetes admission, at runtime, and on the prompt your coding agent fires when it installs something on its own. One rule to write, and the decision is identical everywhere it lands.

  • left-pad@1.3.1

    ci · npm

    REFUSED
  • cryptography==42.0.0

    dev · pip

    MONITOR
  • @chainsaw/sdk@2.1.0

    ci · npm

    ALLOWED
  • log4j-core@2.17.2

    k8s · maven

    REFUSED

Auto-sorting install queue · refuses on the install path

mcp · agent prompt

consulting 25 signals · signed bundle

MCP-agent prompt · consulted before install

hub → 4 spokes

  • BU-EU
  • BU-APAC
  • BU-AMER
  • BU-EMEA

Hub-and-spoke federation · live spoke health

25 supply-chain signals · live

maintainer takeover · 6dworm burst · npmhidden unicode · pipKEV-listed CVE · log4jinstall-script exfil · cipublish velocity anomalytyposquat · rqeuestssignature mismatchdeleted-author republishpost-install network callmaintainer takeover · 6dworm burst · npmhidden unicode · pipKEV-listed CVE · log4jinstall-script exfil · cipublish velocity anomalytyposquat · rqeuestssignature mismatchdeleted-author republishpost-install network call

25 supply-chain signals beyond CVE

signed audit row

  • ts2026-05-26T09:14:22Z
  • actorci@platform-eu
  • packagerequests@2.32.3
  • signalmaintainer takeover
  • verdictrefused
  • scopeBU-EU · prod
signed · ed25519 · siem-bound

One signed audit row · same export for SOC 2 + ISO 27001

Who it's for

Same guard. Four jobs.

If you write code

Malicious updates and typosquats get refused before they touch your disk.

The xz backdoor shipped as a routine update. event-stream got a new maintainer who quietly slipped in a wallet stealer. Chainsaw reads the package at install time and refuses the ones whose install script reaches for your env vars or whose name shadows a popular library by one keystroke. The block happens before download, so the bad tarball never lands on your disk and there is nothing for you to clean up. You see why it stopped, then you decide.

  • Type expresss instead of express and the guard catches the typosquat before the install even resolves.
  • It reads install scripts for the part that phones home with your env vars, the exact trick event-stream used.
  • When a maintainer goes quiet for a year and then pushes a burst of releases, that pattern is one of the 25 signals it weighs. You get all 25 on the free tier.
See how →

If you run AppSec

Cut the window between disclosure and defence. A new CVE drops, you push one policy edit, and the affected version stops installing everywhere. No coordinated upgrade PRs. Supply-chain attacks SCA misses, like install scripts, maintainer takeover, and worm bursts, run on the same path.

  • Block on any of four scoring systems, and CVSS is never forced on you as the default.
  • All 25 signals on every tier, including the ones SCA tools quietly omit on free.
  • The audit row records who overrode a block and why, so the post-incident review already has its answer.
See how →

If you own DevSecOps or Compliance

Policy runs on the install path, and the evidence lands in the dashboard. The same license, version, and provenance rules apply in CI, on laptops, and in Dockerfiles. Audit trails export straight to SOC 2, ISO 27001, and HIPAA reviews without a separate collection step.

  • The SBOM auditors actually accept. Generated at install time, not stitched together at audit time.
  • Per-tenant rules with exception expiry, so the allow-list never rots into permanent exceptions.
  • Audit logs export to Splunk, Sentinel, and QRadar in the format reviewers accept, so the follow-up questions stop.
See how →

If you're in Enterprise IT

One deployment, every engineering org inherits the baseline. Teams layer local rules on top without a central-vs-team fight. Managed SaaS, your own cloud, or fully air-gapped: same binary, same API, same policy format.

  • Same binary in SaaS, your VPC, or fully air-gapped. The deployment model isn't a different product.
  • SAML, OIDC, and SCIM on Pro and up. No SSO tax dressed up as a feature.
  • Why hub-and-spoke inheritance ends the central-vs-team fight, and what the team lead actually sees before an override ships.
See how →

Scope

It guards the install path. That's it.

Chainsaw checks a package the moment something tries to fetch it, then gets out of the way. Anything that sits on your install path should do one job well, so the list below stays short on purpose. What changes day to day is that bad packages stop showing up.

  • Won't read your source code.

    Package metadata, manifests, lockfiles. Never your repo.

  • Won't open PRs.

    Renovate and Dependabot own patch mechanics. Our decisions feed them.

  • Won't audit your CI.

    Branch protection and OIDC trust live in a CI-posture product.

  • Won't crawl for secrets at rest.

    TruffleHog and Gitleaks own that. We stop install-time exfiltration.

  • Won't ship a laptop agent.

    Hardening goes through MDM payloads (Jamf, Intune). No daemon, no kernel module.

  • Won't manage vendor SBOMs.

    TPRM platforms ingest those. We produce SBOMs for what flows through the proxy.

Run it for the org

Policy that holds at the registry, even on a laptop that never ran the CLI.

The free guard covers one developer's machine. To enforce the same checks across an org, put Chainsaw between your developers and the upstream registries. Every install hits one signed policy before the bytes download, and the block holds on machines where nobody installed the CLI. Every decision writes a signed audit row, the same row you hand an auditor for SOC 2 or ISO 27001.

  • Managed SaaS

    We host the stack. HTTPS endpoint, admin URL, SSO. The lowest-effort path for teams without compliance constraints.

  • Your VPC (data plane on-prem)

    Customer-controlled Postgres, blob store, dashboard, audit logs. Vendor-managed signed-feed bundles pull one-way, with no inbound connection from us, ever.

  • Air-gapped

    CHAINSAW_OFFLINE=1 disables every phone-home path. Sideload intelligence on the cadence your one-way diode allows. Same Rego, same audit row.

Install path

chainsaw-proxy · live decisions

  • @chainsaw/express@4.21.0

    developer · npm · cache hit · signed bundle

    ALLOWED
  • requests==2.32.3

    ci · pip · maintainer takeover · 6d old

    REFUSED
  • axios@1.7.2

    developer · npm · publish velocity anomaly

    INSPECTING
  • actions/checkout@v4

    ci · github actions · policy floor · KEV clear

    ALLOWED
+47 refused · maintainer takeover+12 monitor · publish velocity+3 quarantined · hidden unicode+21 refused · install-script exfil+8 allowed · KEV clear+5 refused · KEV-listed CVE+47 refused · maintainer takeover+12 monitor · publish velocity+3 quarantined · hidden unicode+21 refused · install-script exfil+8 allowed · KEV clear+5 refused · KEV-listed CVE

One audit row per install · refuses on the install path

Run it as managed SaaS, in your own VPC, or fully air-gapped. SSO and SCIM come with Pro; SIEM export and on-prem/air-gapped deployment are Enterprise; the audit trail ships on every plan. See full deployment models →

The CLI and policy engine are open source at github.com/chain305/chainsaw-core. Enterprise is the hosted and self-hosted control plane on top: multi-tenant server, dashboard, SSO, and premium intelligence.

Compared to the alternatives

More than a registry. Not a scanner.

Most teams already run a hosted registry or an SCA scanner. Both solve real problems, but neither one runs on the install path. Chainsaw is the layer in between: a firewall on the request itself, deciding what gets through before the download starts.

More than a registry

vs Cloudsmith · JFrog · Nexus · Verdaccio

  • Sits in front of npm, PyPI, Maven, and Docker. Keep the registry you already have, since there is nothing to migrate.
  • Refuses on the install path. Caching alone doesn't decide what's safe to install.
  • One Rego rule fires at every surface (PR, install, K8s admission, runtime). A registry doesn't reach those.
Read the full diff →

Not a scanner

vs Snyk · Sonatype · Mend

  • Refuses on install, before bytes land. It is not a comment on the PR after the fact.
  • Refuses on 25 signals SCAs miss, like install scripts, maintainer takeovers, worm bursts, hidden Unicode, and AI pickle ops.
  • Org-wide enforcement, not an opt-in CLI per developer.
Read the full diff →

Objections, handled

Common questions

Do I need an account to start?

No. The local guard installs and runs with no account and no server. `chainsaw guard update` pulls the full public OpenSSF malicious-packages feed directly from OpenSSF without sign-in. Sign in only when you want to sync policy across a team.

Is it actually free, or is this a trial?

The local guard is free forever, and all 25 detection signals run on it. There's no clock and no feature gate on detection. The seed data ships inside the binary, so it catches known-malicious packages and typosquats offline on day one. `chainsaw guard update` pulls the larger public OpenSSF malicious-packages feed directly from OpenSSF. Paid plans add the hosted control plane like shared policy, dashboards, SSO, and SIEM, never the protection itself.

Will this break my installs or my CI?

Not if you start in monitor mode. Every rule can log its decision without blocking, so you see what would have failed before you flip it to enforce. Repeat installs hit the cache, so CI usually gets faster, not slower.

How is Chainsaw different from package scanners and SCA tools?

They report. PR-comment scanners annotate the pull request, and SCAs file dashboard findings. Chainsaw refuses on the install path, before bytes land. The same 25 signals (install scripts, maintainer takeover, worm bursts, hidden Unicode, AI pickle ops) fire on every tier including free, and the same Rego rule fires at PR, install, K8s admission, and runtime. Run both if you want. /vs-sca/ has the per-ecosystem signal map.

How is it different from Cloudsmith, JFrog, or Nexus?

Those host packages. Chainsaw refuses them on the install path. There is no migration: your developers keep pulling from npm, PyPI, Maven, Docker, and the rest, and Chainsaw decides which requests get through. Run both if you like. /vs-artifact-managers/ has the full diff.

Does it work with monorepos, Yarn workspaces, pnpm?

Yes. Chainsaw proxies the registry, so your workspace layout is untouched. Turbo, Nx, Lerna, Yarn workspaces, and pnpm workspaces all work without modification.

What happens if Chainsaw itself goes down?

In monitor mode it fails open with an audit record, so installs never break. In enforce mode the default is fail-closed, but you can flip to fail-open with cache-only fallback per policy. The cache keeps serving previously-allowed installs during a full outage.

Can we run it on-prem or air-gapped?

Yes, on the Enterprise plan. The CLI can bake the server URL at build time so air-gapped users never see a public origin. For custom deployments, book a 30-minute call.

Two commands, local, free

Run it, then try to break it

Paste two lines and your next npm or pip install gets checked locally, before anything downloads. Try npm install reqeusts (a typo of requests) and watch it stop. It is open source and free forever, and you can start without an account.