Install-path firewall

Refuses malicious packages on the install path — before a developer or a build ever sees them.

One signed policy bundle. Sixteen registries — npm, PyPI, Maven, Docker, and twelve more. The same Rego decision fires at PR, install, K8s admission, and runtime. Twenty-five supply-chain signals beyond CVE. SaaS, VPC, or air-gapped — one binary.

Monitor mode in your first session. No card. No registry migration. Free tier is permanent.

Works with package managers and registries across your stack

npm, PyPI, Maven, Gradle, Docker, APT, yum, DNF, NuGet, Go, Cargo, Swift, CocoaPods, RubyGems, Packagist, Hugging Face

Used by teams in fintech, devops, and platform engineering to keep dependency policy on the install path.

  • Fintech
  • DevOps platforms
  • Platform engineering
  • AI / ML teams
  • Healthcare engineering

Customer logos arrive once permission is on file. We won't ship someone else's brand on this page without it.

Compared to the alternatives

More than a registry. Not a scanner.

The two layers buyers most often land on first — a hosted registry or an SCA / dependency scanner — solve real problems, but neither runs on the install path. Chainsaw is the layer in between: a firewall on the request, not a destination, not a dashboard.

More than a registry

vs Cloudsmith · JFrog · Nexus · Verdaccio

  • Sits in front of npm, PyPI, Maven, Docker. No migration. Keep the registry you have, or replace it — Chainsaw hosts your internal artifacts too.
  • Refuses on the install path. Caching alone doesn't decide what's safe to install.
  • One Rego rule, every surface — PR, install, K8s admission, runtime. A registry doesn't reach those.

Not a scanner

vs Socket · Snyk · Sonatype · Mend

  • Refuses on install — before bytes land. Not a comment on the PR after the fact.
  • Refuses on 25 signals SCAs miss — install scripts, maintainer takeovers, worm bursts, hidden Unicode, AI pickle ops.
  • Org-wide enforcement, not an opt-in CLI per developer.

Scope, named

What Chainsaw won't do

One control point on the install path. Compose with the tools already good at the rest.

  • Won't read your source code.

    Package metadata, manifests, lockfiles. Never your repo.

  • Won't open PRs.

    Renovate and Dependabot own patch mechanics. Our decisions feed them.

  • Won't audit your CI.

    Branch protection and OIDC trust live in a CI-posture product.

  • Won't crawl for secrets at rest.

    TruffleHog and Gitleaks own that. We stop install-time exfiltration.

  • Won't ship a laptop agent.

    Hardening goes through MDM payloads (Jamf, Intune). No daemon, no kernel module.

  • Won't manage vendor SBOMs.

    TPRM platforms ingest those. We produce SBOMs for what flows through the proxy.

Why it exists

Four things change when policy runs on the install path

01

One Rego rule. Six surfaces.

Write the rule once. It fires at PR, install, K8s admission, and runtime. Same input schema, same audit row. No drift between tools. No reimplementing the same rule four times.

02

Stop the install; skip the incident report

SCA tells you a CVE landed yesterday. Chainsaw refuses the install today. 25 supply-chain signals (install-script exfiltration, maintainer takeover, publish-velocity bursts, transitive-risk closure) run on the same request, on every tier. Depth on npm/pip/maven/nuget/cargo/docker/go; breadth across 16 ecosystems.

03

Turn on blocking without breaking a build

Every rule ships in monitor mode. Run it for a week. See exactly which installs would have failed, in which repo, on which CI job. Flip to enforce one rule at a time, when you're ready.

04

Built for the AI supply chain

Claude Code, Cursor, and Windsurf install packages on their own. The same proxy applies the same policy, with AI-agent credentials as a first-class type. Policy reaches the AI artifacts too: dangerous pickle opcodes in model weights, model-card injection, agent-tool capability declarations, MCP servers without provenance, all refused on the same path.


How it operates

Five surfaces, one decision.

Every install, MCP-agent prompt, and admission decision lands as a signed audit row. One Rego floor at the hub; spokes inherit and override within bounds you set.

  • left-pad@1.3.1

    ci · npm

    REFUSED
  • cryptography==42.0.0

    dev · pip

    MONITOR
  • @chainsaw/sdk@2.1.0

    ci · npm

    ALLOWED
  • log4j-core@2.17.2

    k8s · maven

    REFUSED

Auto-sorting install queue · refuses on the install path

mcp · agent prompt

consulting 25 signals · signed bundle

MCP-agent prompt · consulted before install

hub → 4 spokes

  • BU-EU
  • BU-APAC
  • BU-AMER
  • BU-EMEA

Hub-and-spoke federation · live spoke health

25 supply-chain signals · live

  • maintainer takeover · 6d
  • worm burst · npm
  • hidden unicode · pip
  • KEV-listed CVE · log4j
  • install-script exfil · ci
  • publish velocity anomaly
  • typosquat · rqeuests
  • signature mismatch
  • deleted-author republish
  • post-install network call

25 supply-chain signals beyond CVE

signed audit row

  • ts: 2026-05-26T09:14:22Z
  • actor: ci@platform-eu
  • package: requests@2.32.3
  • signal: maintainer takeover
  • verdict: refused
  • scope: BU-EU · prod
signed · ed25519 · siem-bound

One signed audit row · same export for SOC 2 + ISO 27001

See it in action

One config line, one decision — at install time.

Your team's .npmrc points at Chainsaw — that's the whole setup. No agent, no certificate, no MITM proxy on your network. When a developer tries to install a typosquat, Chainsaw evaluates it against policy before the registry sees it and refuses. The install never happens.

Quickstart

Your first block, the first time you run install

Every new org ships with two demo policies enabled — block known malware, block suspected typosquats. Sign up, copy your credentials, point npm at us, run a single install, and feel Chainsaw refuse it. Edit or delete the demo rules once you've seen them fire.

  1. Sign up

    Free tier, no credit card. Takes 30 seconds.

  2. Copy your client credentials

    Dashboard → Access → Client credentials. You'll get a CLIENT_ID and CLIENT_SECRET — the secret is shown once, so copy it now.

  3. Point npm at Chainsaw

    One config line. No agent, no certificate, no MITM proxy on your network. Paste your credentials into the URL:

    npm config set registry https://CLIENT_ID:CLIENT_SECRET@chain305.com/chainproxy/repository/@default/npmjs/
  4. Run the demo install

    Pre-seeded demo policies block known-malicious and typosquat packages on every new org. Try one and watch it refuse.

    npm install lodahs
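
How a typosquat signal of the kind this demo install trips can be computed, as an added example that is not Chainsaw's code or detection logic. The `POPULAR` list, the function names and the distance threshold are assumptions; the verdict words mirror the ones shown on this page.

```python
# Added example, not Chainsaw's detection logic. POPULAR is a constructed
# sample list; a real policy would derive it from registry download data.
POPULAR = {
    "npm": ["lodash", "express", "axios"],
    "pip": ["requests", "cryptography"],
}


def osa_distance(a: str, b: str) -> int:
    """Edit distance in which swapping two adjacent characters costs 1."""
    prev2, prev = None, list(range(len(b) + 1))
    for i in range(1, len(a) + 1):
        cur = [i] + [0] * len(b)
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            cur[j] = min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + cost)
            # Adjacent transposition ("hs" typed for "sh"): plain Levenshtein
            # charges 2 here and would slip past a distance-1 threshold.
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                cur[j] = min(cur[j], prev2[j - 2] + 1)
        prev2, prev = prev, cur
    return prev[len(b)]


def typosquat_target(ecosystem: str, name: str, max_distance: int = 1):
    """Return the popular package that `name` imitates, or None."""
    name = name.lower()
    known = POPULAR.get(ecosystem, [])
    if name in known:  # the genuine package is never its own typosquat
        return None
    for candidate in known:
        if osa_distance(name, candidate) <= max_distance:
            return candidate
    return None


def decide(ecosystem: str, name: str, mode: str = "monitor") -> dict:
    """Monitor mode records the hit; enforce mode refuses the install."""
    target = typosquat_target(ecosystem, name)
    if target is None:
        return {"package": name, "verdict": "allowed", "signal": None}
    verdict = "refused" if mode == "enforce" else "monitor"
    return {"package": name, "verdict": verdict, "signal": f"typosquat of {target}"}


if __name__ == "__main__":
    for eco, pkg in [("npm", "lodahs"), ("pip", "rqeuests"), ("npm", "lodash")]:
        print(decide(eco, pkg, mode="enforce"))
```
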

Every install, one audit row

One audit row per install. SOC 2 and ISO 27001 use the same export.

Rule fired, reason, repo, CI job, user, timestamp. Filter the stream, drill into a block, ship to your SIEM.

Install path

chainsaw-proxy · live decisions

  • @chainsaw/express@4.21.0

    developer · npm · cache hit · signed bundle

    ALLOWED
  • requests==2.32.3

    ci · pip · maintainer takeover · 6d old

    REFUSED
  • axios@1.7.2

    developer · npm · publish velocity anomaly

    INSPECTING
  • actions/checkout@v4

    ci · github actions · policy floor · KEV clear

    ALLOWED
  • +47 refused · maintainer takeover
  • +12 monitor · publish velocity
  • +3 quarantined · hidden unicode
  • +21 refused · install-script exfil
  • +8 allowed · KEV clear
  • +5 refused · KEV-listed CVE

One audit row per install · refuses on the install path

Deploy where your compliance lets you

SaaS, your VPC, or fully air-gapped. Same binary.

The Option B hybrid runs the data plane inside your network and pulls only signed threat-intel feeds outbound — no customer telemetry crosses the boundary. SOC 2, HIPAA, FedRAMP, and EU data-residency programs all clear without a separate enterprise SKU.

  • Managed SaaS

    We host the stack. HTTPS endpoint, admin URL, SSO. Lowest-effort path for teams without compliance constraints.

  • Your VPC (data plane on-prem)

    Customer-controlled Postgres, blob store, dashboard, audit logs. Vendor-managed signed-feed bundles pull one-way; no inbound connection from us, ever.

  • Air-gapped

    CHAINSAW_OFFLINE=1 disables every phone-home path. Sideload intelligence on the cadence your one-way diode allows. Same Rego, same audit row.


One product, four jobs

Same install-path firewall. Pick the view that fits your job.

If you run AppSec

Cut the window between disclosure and defence. A new CVE drops, you push one policy edit, and the affected version stops installing everywhere. No coordinated upgrade PRs. Supply-chain attacks SCA misses (install scripts, maintainer takeover, worm bursts) run on the same path.

  • The four scoring systems we let you block on, and why we refuse to make CVSS the default
  • All 25 signals on every tier, including the ones SCA tools quietly omit on free
  • Why the audit row carries the override path, not just the failure reason — and what stops getting asked in the post-incident review

If you're a developer evaluating this

Your .npmrc and pip.conf pick up a token. Everything else stays the same. When a package passes policy, your install completes exactly as it does today. When it fails, the error tells you what rule fired and who can unblock it.

  • What changes in your repo when you turn this on: one line in .npmrc. That's the whole diff.
  • The single line that makes Yarn workspaces, pnpm, and Turbo behave identically — and the one CI step you can probably delete after
  • Cache means CI usually gets faster, not slower. Measured, not promised.

If you own DevSecOps or Compliance

Policy on the install path, evidence in the dashboard. The same license, version, and provenance rules apply in CI, on laptops, and in Dockerfiles. Audit trails export straight to SOC 2, ISO 27001, and HIPAA reviews without a separate collection step.

  • The SBOM auditors actually accept. Generated at install time, not stitched together at audit time.
  • Per-tenant rules with exception expiry. No permanent allow-list rot.
  • The three SIEM exports auditors stopped asking follow-up questions about — and why a CSV download was never one of them

If you're in Enterprise IT

One deployment, every engineering org inherits the baseline. Teams layer local rules on top without a central-vs-team fight. Managed SaaS, your own cloud, or fully air-gapped: same binary, same API, same policy format.

  • Same binary in SaaS, your VPC, or fully air-gapped. The deployment model isn't a different product.
  • SAML, OIDC, and SCIM on Unlimited. No SSO tax dressed up as a feature.
  • Why hub-and-spoke inheritance ends the central-vs-team fight — and what the team lead actually sees before an override ships

Objections, handled

Common questions

How is Chainsaw different from Cloudsmith, JFrog, or Nexus?

Those host packages. Chainsaw refuses them on the install path. There's no migration — your developers keep pulling from npm, PyPI, Maven, Docker, and the rest, and Chainsaw decides which requests get through. Run both if you like: your registry hosts internal artifacts, Chainsaw is the policy layer on every public-registry install. See /vs-artifact-managers/ for the full diff.

How is Chainsaw different from Socket, Snyk, or Sonatype?

Those report. Socket comments on the PR; SCAs file dashboard findings. Chainsaw refuses on the install path, before bytes land. The same 25 signals — install scripts, maintainer takeover, worm bursts, hidden Unicode, AI pickle ops — fire on every tier including free, and the same Rego rule fires at PR, install, K8s admission, and runtime. Run both if you want; /vs-sca/ has the per-ecosystem signal map and the full diff.

Will this break our existing CI?

Not if you start in monitor mode. Every rule logs decisions without blocking, so you measure impact and add exceptions before you flip to enforce. Repeat installs also hit our cache, so CI usually gets faster, not slower.

What happens if Chainsaw itself goes down?

In monitor mode, Chainsaw fails open with an audit record so installs never break. In enforce mode, the default is fail-closed, but you can flip to fail-open with cache-only fallback per policy. The cache continues to serve previously-allowed installs during a full outage.

Does this work with monorepos, Yarn workspaces, pnpm?

Yes. Chainsaw proxies the registry; your workspace layout is untouched. Turbo, Nx, Lerna, Yarn workspaces, and pnpm workspaces all work without modification.

What does it cost?

Free to start (500 MB / 1 GB / 3 users). Pro at $149/mo for teams rolling out in production. Unlimited at $1,199/mo for orgs that need enterprise integrations or on-prem. See /pricing/ for the full breakdown.

Are webhooks an enterprise-only feature?

No. Webhooks are on every plan. Only third-party integrations (SIEM, SCIM) and on-prem deployment are gated to Unlimited.

Can we run this on-prem or air-gapped?

Yes on the Unlimited plan. The CLI can bake the server URL at build time so air-gapped users never see a public origin. For custom deployments, book a 30-minute call.

What about SSO — which plan do I need?

SAML, OIDC, and SCIM provisioning are Unlimited-only. Password plus TOTP works on Free and Pro.

Ready to see what you'd be blocking?

One session now, or the incident report later.

Free tier is permanent. Point one package manager at Chainsaw, run monitor mode for a week, read the report of what would have been refused. If it's useful, upgrade. If it isn't, you spent one session instead of the weekend you'd spend writing the postmortem.