Features

Everything on the install path. Nothing bolted on after.

Every capability below runs on the same proxy request — same policy, same audit row. Nothing here is a separate scanner stitched in over an API.

What you'll use most

8 capabilities the AppSec team reaches for first

The full feature set covers 33 capabilities across five surfaces. These 8 are the ones an AppSec lead scans for in the first ten seconds — registry coverage, the vulnerability gate that replaces an SCA, the install-time attack patterns SCA tools can't see, the SBOM you can hand to procurement, and the governance trail that proves it. Everything else is below in All features.

  1. Multi-registry proxy across 16 ecosystems

    Chainsaw sits between your developers and the upstream registries. npm (plus pnpm / yarn / bun on npm semantics), pip, Maven, Gradle, Cargo, Go modules, Composer, NuGet, RubyGems, Swift, CocoaPods, Docker, Hugging Face, APT, Yum, and DNF all flow through. Developers and CI keep using the tools they know.

  2. Vulnerability gating by CVSS, EPSS, and KEV

    Block on CVSS score, EPSS exploit probability, CISA KEV membership, or any combination. Log4j went from disclosure to global block in the time it takes to push one policy edit.

  3. Install-script exfiltration

    Flags packages whose install hooks (npm preinstall, pip setup.py, Cargo build.rs, Composer lifecycle) run remote fetches or decode base64 payloads. This is the PhantomRaven attack shape and the precise pattern Chainsaw refuses before the hook fires.

  4. Maintainer-account takeover

    Compares the current maintainer set of a package against its history. A surprise publisher on a popular dependency — the pattern behind the Axios compromise — blocks until reviewed.

  5. Typosquat detection across fourteen ecosystems

    BK-tree and homoglyph matchers against popular packages, with word-reorder detection for multi-token names. Go, CocoaPods, and GitHub Actions now covered — not just npm.

  6. Publish-velocity worm bursts

    A rolling 24-hour counter per publisher. When one compromised account starts pushing dozens of tainted versions in a day — the Shai-Hulud pattern — the burst trips the rule before your build runs.

  7. CycloneDX SBOM export per repository

    Generate a CycloneDX 1.6 SBOM for any repo on demand. Export via dashboard or API; wire it into procurement, audit, and vendor-review workflows without a separate scanner.

  8. Governance & audit by default

    Every install — allowed, monitored, or blocked — leaves a signed audit row with rule, reason, user, repo, CI job, and timestamp. Policy changes route through Billy's human-approval flow; exceptions carry a reviewer, a reason, and an expiry. SOC 2, ISO 27001, HIPAA, and FedRAMP reviewers read the same export. No separate evidence-collection step.


Data sources

The feeds Chainsaw evaluates against

Every install is scored against the same intelligence — first-party advisory databases for known CVEs, plus the OpenSSF-curated malicious-package and malware feeds for the attack classes CVE-only scanners miss. Signed bundles refresh in-process; air-gapped installs sideload the same artifact.

Median NVD publish → block-list propagation: < 15 min

  • OSV

    Aggregated vulnerability records across npm, PyPI, Maven, Go, Cargo, NuGet, RubyGems, Packagist, Hugging Face, and more.

  • NVD

    Canonical CVE metadata, CVSS v3.1 / v4, CWE classification, and CPE matching.

  • GHSA

    GitHub Security Advisories with ecosystem-precise version ranges, often live ahead of NVD.

  • CISA KEV

    Known-exploited vulnerability catalog — the floor we recommend every customer block on.

  • Trivy DB

    Per-layer container CVE database for OCI image enforcement.

  • OpenSSF malicious-packages

    Curated malicious-package feed across npm, PyPI, RubyGems, Crates, Packagist, NuGet, and Hugging Face.

  • OpenSSF malware

    Active-malware index used for digest and name+tag matching on Docker and OCI registries.

  • Bundled Hugging Face malware feed

    Native HF coordinate-match feed shipped in-process — closes the gap where public SCA indexes lag on model-repo malware.

  • Linux distro CVE streams

    Per-distro CVE detectors for Alpine, Debian, Red Hat, and Oracle Linux. Modular feeds — each stream updates independently of upstream OSV.

All features

The complete list, grouped by surface

Every capability, organized the way the product is organized. Condition and flag names live in /product/policy where an engineer actually needs them.

Proxy & performance

The install path, in front of every registry

One transparent proxy for npm, PyPI, Maven, Docker, and a dozen more. No client-side changes, no migration, no new lockfile.

  1. Multi-registry proxy across 16 ecosystems

    Chainsaw sits between your developers and the upstream registries. npm (plus pnpm / yarn / bun on npm semantics), pip, Maven, Gradle, Cargo, Go modules, Composer, NuGet, RubyGems, Swift, CocoaPods, Docker, Hugging Face, APT, Yum, and DNF all flow through. Developers and CI keep using the tools they know.

  2. Cache-backed repeat installs

    Every artifact that passes policy is stored in a content-addressed blob store. Repeat installs skip the upstream round-trip and ship from your cache, so CI usually gets faster once Chainsaw is in the path, not slower.

  3. Checksum fail-closed enforcement

    Every upstream fetch is audited against the declared hash. A silently swapped mirror can't reach the build. Run in log, quarantine, or block mode; Chainsaw distinguishes a real mismatch from an upstream that never published a hash.
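
The distinction drawn in item 3, between a real mismatch and an upstream that never published a hash, as an added Python example (not Chainsaw's code). The `<algo>:<hex>` digest format, the function names, and the separate `on_unverifiable` setting are assumptions made for illustration.

```python
import hashlib
import hmac
from enum import Enum
from typing import Optional

ALLOWED_ALGOS = {"sha256", "sha512"}  # md5/sha1 are not accepted as proof of integrity

class Verdict(Enum):
    MATCH = "match"
    MISMATCH = "mismatch"          # a hash was declared and the bytes do not match it
    UNVERIFIABLE = "unverifiable"  # upstream never published a usable hash

def verify(data: bytes, declared: Optional[str]) -> Verdict:
    """Compare artifact bytes with a declared '<algo>:<hex>' digest (assumed format)."""
    if not declared or ":" not in declared:
        return Verdict.UNVERIFIABLE
    algo, _, want = declared.partition(":")
    algo, want = algo.strip().lower(), want.strip().lower()
    if algo not in ALLOWED_ALGOS or not want:
        return Verdict.UNVERIFIABLE
    got = hashlib.new(algo, data).hexdigest()
    # Constant-time comparison on bytes; works for any declared string.
    same = hmac.compare_digest(got.encode(), want.encode())
    return Verdict.MATCH if same else Verdict.MISMATCH

def decide(verdict: Verdict, mode: str, on_unverifiable: str = "log") -> str:
    """Map a verdict to an action under a per-ecosystem mode: log, quarantine or block."""
    if verdict is Verdict.MATCH:
        return "serve"
    # A missing hash is governed by its own setting, so a strict mismatch
    # policy does not break ecosystems that publish no digests at all.
    effective = mode if verdict is Verdict.MISMATCH else on_unverifiable
    return {"log": "serve+log", "quarantine": "quarantine", "block": "block"}[effective]

# Constructed sample artifact and its declared digest.
ARTIFACT = b"constructed package tarball bytes"
DECLARED = "sha256:" + hashlib.sha256(ARTIFACT).hexdigest()

if __name__ == "__main__":
    for blob, decl in [(ARTIFACT, DECLARED), (ARTIFACT + b"!", DECLARED), (ARTIFACT, None)]:
        v = verify(blob, decl)
        print(v.value, "->", decide(v, mode="block"))
```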

Core policy

Four rule families, composed how you want

Chainsaw evaluates each install against the conditions you care about. Mix and match; every rule can run in monitor, block, or quarantine mode.

  1. Vulnerability gating by CVSS, EPSS, and KEV

    Block on CVSS score, EPSS exploit probability, CISA KEV membership, or any combination. Log4j went from disclosure to global block in the time it takes to push one policy edit.

  2. License allow- and block-lists

    Enforce SPDX license policy across every ecosystem. GPL-3.0 in a commercial product, AGPL on the client, or unknown licenses you need to review — each gets its own rule.

  3. Version pinning and release-age rules

    Require a minimum release age before a version is installable. Pin majors. Block pre-release tags from production builds. Cuts exposure to publish-then-exploit attacks without blocking the whole ecosystem.

  4. Provenance and SLSA attestation checks

    Require npm provenance, Sigstore signatures, Go's sumdb, or Maven's GPG. Chainsaw understands each ecosystem's trust anchor and exposes the result the same way in policy.

Supply-chain attack signals

Up to 25 signals your SCA tool doesn't check

CVEs and license checks don't catch compromised maintainers, install-script exfiltration, or worm bursts. These rules do. Every one evaluates at install time, not after your build finishes. Depth on npm/pip/maven/nuget/cargo/docker/go; breadth across 16 ecosystems. Per-signal support is mapped in POLICY_PROXY_MATRIX.md — every cell honest, no blanket claims. Up to 25 signals on fully-supported ecosystems.

  1. Install-script exfiltration

    Flags packages whose install hooks (npm preinstall, pip setup.py, Cargo build.rs, Composer lifecycle) run remote fetches or decode base64 payloads. This is the PhantomRaven attack shape and the precise pattern Chainsaw refuses before the hook fires.

  2. Maintainer-account takeover

    Compares the current maintainer set of a package against its history. A surprise publisher on a popular dependency — the pattern behind the Axios compromise — blocks until reviewed.

  3. Version-number anomalies

    Catches backdated publish timestamps, semver regressions, and multi-major skips used to sneak compromised versions under a higher constraint. Works on any ecosystem with SemVer.

  4. Typosquat detection across fourteen ecosystems

    BK-tree and homoglyph matchers against popular packages, with word-reorder detection for multi-token names. Go, CocoaPods, and GitHub Actions now covered — not just npm.

  5. Hidden characters in package source

    Refuses packages whose source includes invisible characters, bidi-override sequences, or tag characters. Closes the GlassWorm and Trojan Source attack class without running the code.

  6. Publish-velocity worm bursts

    A rolling 24-hour counter per publisher. When one compromised account starts pushing dozens of tainted versions in a day — the Shai-Hulud pattern — the burst trips the rule before your build runs.

  7. Reserved-namespace starter packs

    Dependency confusion works because attackers publish your internal package names on the public registry first. One click applies a starter pack that reserves your namespaces across every ecosystem you use. No Birsan enumeration gets through.

  8. Docker malware feed

    Matches container pulls against a Docker-native malware feed by digest and by name-plus-tag. Closes the OpenSSF index gap for container images, which the public SCA feeds miss.

  9. Per-layer image enforcement

    Walks every image layer with Trivy under the hood. Reads dpkg, RPM (BDB + ndb + sqlite), and apk databases inside each layer, follows multi-arch indexes and digest refs, and handles distroless status.d layouts. On by default — new orgs get container depth without flipping a flag. A clean image tag no longer guarantees a clean image.

  10. OS-package hash-chain provenance

    APT InRelease and Yum/DNF repomd.xml.asc verification. A mirror that tampers with a package between publish and your fetch fails the chain. Trust roots are configurable; Debian and Fedora keyrings ship baked in.

  11. Linux distro CVE detection

    Native CVE detectors for Alpine, Debian, Red Hat, and Oracle Linux — distinct from upstream OSV. Each distro stream updates on its own cadence so a vendor advisory lands as a block-list entry the same hour the distro publishes it, not whenever OSV next syncs.

  12. Repo liveness and ownership match

    Unmaintained repos with a live npm publisher are a compromise waiting to happen. Chainsaw scores each package on repo activity and ownership match; you pick the threshold under which installs are blocked or flagged.

  13. Checksum fail-closed

    Also called out above — when it comes to supply-chain attack surface, refusing a mismatched artifact is often the last line of defense. Configurable per-ecosystem to log, quarantine, or block.
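
The matchers named in item 4 (BK-tree, homoglyph folding, word-reorder detection), as an added Python example that is not Chainsaw's implementation. The popular-package list, the look-alike map, and the edit-distance threshold of 1 are constructed for illustration.

```python
import re

# Constructed look-alike map: digits and Cyrillic letters that render like Latin ones.
HOMOGLYPHS = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "\u0430": "a",
                            "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c"})
POPULAR = ["requests", "lodash", "react-dom", "express", "python-dateutil"]  # constructed

def levenshtein(a, b):
    """Edit distance; it is a true metric, which is what a BK-tree requires."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def bk_build(words):
    """Build a BK-tree; each node is [word, {distance_to_child: child_node}]."""
    root = [words[0], {}]
    for word in words[1:]:
        node = root
        while (d := levenshtein(word, node[0])) != 0:
            node = node[1].setdefault(d, [word, {}])
    return root

def bk_search(root, word, max_dist):
    hits, stack = [], [root]
    while stack:
        w, children = stack.pop()
        d = levenshtein(word, w)
        if d <= max_dist:
            hits.append((d, w))
        # Triangle inequality: only subtrees with |edge - d| <= max_dist can match.
        stack.extend(c for k, c in children.items() if abs(k - d) <= max_dist)
    return sorted(hits)

def token_key(name):
    return tuple(sorted(re.split(r"[-_.]", name)))
TREE = bk_build(POPULAR)
REORDER = {token_key(p): p for p in POPULAR}

def classify(name):
    """Return (reason, impersonated_package), or None if the name looks clean."""
    low = name.lower()
    if low in POPULAR:
        return None
    skel = low.translate(HOMOGLYPHS)  # fold look-alikes before any comparison
    if skel in POPULAR:
        return ("homoglyph", skel)
    if token_key(skel) in REORDER:
        return ("word-reorder", REORDER[token_key(skel)])
    hits = bk_search(TREE, skel, 1)
    return ("edit-distance", hits[0][1]) if hits else None
```

Plain Levenshtein counts a transposition as two edits, so a matcher tuned for swapped letters would use a larger threshold or a Damerau variant at the cost of more false positives on short names.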

Evidence & integration

Everything that passes leaves a trail

Audit logs, SBOMs, webhooks, and an MCP server, so your other systems see the same decisions the proxy makes.

  1. CycloneDX SBOM export per repository

    Generate a CycloneDX 1.6 SBOM for any repo on demand. Export via dashboard or API; wire it into procurement, audit, and vendor-review workflows without a separate scanner.

  2. Inventory you didn't have to assemble

    Every install through the proxy lands in a queryable inventory — by package, by client, by ecosystem. When the next CVE drops, ask 'who has it?' and get an answer in seconds, not after a scanner re-run.

  3. Structured audit log

    Every install decision — allowed, blocked, or monitored — gets logged with user, repo, rule, and reason. Filter by ecosystem, team, or time range from the dashboard, or stream the whole thing to your SIEM.

  4. Webhooks on every plan

    Post to any endpoint when an install is blocked, when a policy changes, or when a trust-score threshold is crossed. Five per user, included on Free. No enterprise gate.

  5. MCP server for AI coding agents

    Claude Code, Cursor, and Windsurf can query policy state, check a package before they suggest it, and propose policy edits that route through human approval. Same RBAC as a human API key.

  6. SIEM stream to leading SIEMs (Splunk, Sentinel, QRadar, and more via syslog/HEC)

    On Unlimited, the audit log ships as structured events to your existing SIEM. Splunk HEC, Microsoft Sentinel (CEF over TLS syslog), and IBM QRadar (CEF over TLS syslog) are supported out of the box, and any SIEM that accepts syslog/HEC or a webhook can sink the same stream — Elastic, Sumo Logic, Chronicle, Datadog, and the rest.

  7. Governance & audit by default

    Every install — allowed, monitored, or blocked — leaves a signed audit row with rule, reason, user, repo, CI job, and timestamp. Policy changes route through Billy's human-approval flow; exceptions carry a reviewer, a reason, and an expiry. SOC 2, ISO 27001, HIPAA, and FedRAMP reviewers read the same export. No separate evidence-collection step.

  8. Billy approval workflow

    Policy proposals — whether drafted by a human or an AI agent via MCP — route through Billy, the in-product approval queue. Reviewers see diff, blast radius, and which installs the change would have affected over the last week. Nothing flips to enforce without a human signing off.

Identity & deployment

Runs where you run

Managed SaaS, your own cloud, or fully air-gapped. Every deployment uses the same binary and the same API.

  1. Browser OAuth login with Turnstile

    CLI and dashboard both use the same browser-based login. Device-code flow for headless shells, Turnstile on the auth page to keep bots out. Nothing to paste in from an email.

  2. Password plus TOTP on every plan

    Email, password, and TOTP out of the box. Good enough for most teams; a starting point for the ones that graduate to SSO.

  3. SAML, OIDC, and SCIM on Unlimited

    Okta, Azure AD, Google Workspace, Auth0 — any SAML 2.0 or OIDC provider works without a custom integration. SCIM 2.0 auto-provisions and auto-deprovisions.

  4. Cross-platform signed CLI binaries

    Chainsaw ships signed binaries for macOS, Linux, and Windows. Signature verification is on by default; a tampered download refuses to run.

  5. Self-hosted or air-gapped deployment

    One container, one database, optional Redis for scale. Runs in your cloud or fully disconnected. The server URL can be baked into the CLI at build time so air-gapped users never see a public origin.

FAQ

Questions, answered

Does Chainsaw support every package manager we use?

Sixteen ecosystems are in the proxy today: npm (covers pnpm, yarn, bun), pip / PyPI (covers poetry, uv), Maven, Gradle, Cargo, Go modules, Composer, NuGet, RubyGems, Swift, CocoaPods, Docker, Hugging Face, APT, Yum, and DNF. Each one runs transparently. No wrapper scripts, no lockfile changes.

How does policy enforcement work at proxy time?

Chainsaw intercepts the resolve request before it reaches the upstream registry, evaluates your active rules against the package, and either passes, warns, or blocks the response inside the normal install flow. No post-install CI scanner, no lockfile rewriting.

Which supply-chain attacks does Chainsaw catch that SCA tools miss?

Install-script exfiltration (PhantomRaven-shaped), maintainer-account takeover (Axios-shaped), version-number anomalies and backdated publishes, hidden Unicode (GlassWorm, Trojan Source), publish-velocity bursts (Shai-Hulud), reserved-namespace dependency confusion (Birsan), Docker malware feed matching, bundled Hugging Face malware feed, per-layer image enforcement, APT/Yum/DNF hash-chain provenance, Linux distro CVE detection (Alpine, Debian, Red Hat, Oracle Linux), typosquat across fourteen ecosystems, repo-liveness plus ownership match, and checksum fail-closed. See the policy page for how each one composes in a rule.
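
One check from the list above, hidden Unicode, as an added Python example (not Chainsaw's code) that inspects source text without executing it. The function names and the sample package contents are constructed for illustration.

```python
import unicodedata

BIDI = set(range(0x202A, 0x202F)) | set(range(0x2066, 0x206A))  # embeddings/overrides, isolates
TAGS = range(0xE0000, 0xE0080)                                   # Unicode tag block

def kind_of(cp):
    """Classify one code point as 'bidi', 'tag', 'invisible', or None."""
    if cp in BIDI:
        return "bidi"
    if cp in TAGS:
        return "tag"
    if unicodedata.category(chr(cp)) == "Cf":
        return "invisible"  # zero-width characters, soft hyphen, other format characters
    return None

def scan(text):
    """Return (line, column, 'U+XXXX', kind) for every hidden character in text."""
    findings = []
    for lineno, line in enumerate(text.split("\n"), 1):
        for col, ch in enumerate(line, 1):
            if ch == "\ufeff" and (lineno, col) == (1, 1):
                continue  # a leading byte-order mark is legitimate
            kind = kind_of(ord(ch))
            if kind:
                findings.append((lineno, col, f"U+{ord(ch):04X}", kind))
    return findings

def scan_package(files):
    """files maps path -> bytes; returns {path: findings} for files with hidden characters."""
    report = {}
    for path, data in files.items():
        hits = scan(data.decode("utf-8", errors="replace"))
        if hits:
            report[path] = hits
    return report

# Constructed sample package contents.
SAMPLE = {
    "src/auth.js": "const ok = true; /* \u202e\u2066 note \u2069 */\n".encode(),
    "README.md": "\ufeff# demo package\n".encode(),
    "lib/loader.js": "const key = 'a\U000e0041\u200bb';\n".encode(),
}

if __name__ == "__main__":
    for path, hits in scan_package(SAMPLE).items():
        print(path, hits)
```

Zero-width joiners also occur in legitimate emoji sequences, so a production rule would typically scope this scan to source files or allow-list documentation paths.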

Does this work with monorepos, Yarn workspaces, and pnpm?

Yes. Chainsaw proxies the registry; your workspace layout is untouched. Turbo, Nx, Lerna, Yarn workspaces, and pnpm workspaces all work without modification.

How much latency does the proxy add per install?

On a cache hit, the proxy responds from local blob storage and usually beats the public registry. On a cold fetch, the added overhead is the policy evaluation itself — low single-digit milliseconds for most rules, with GeoIP lookups and vulnerability joins being the slowest.

What happens if Chainsaw itself goes down?

In monitor mode, Chainsaw fails open with an audit record so installs never break. In enforce mode, the default is fail-closed, but you can flip to fail-open with cache-only fallback per policy. The cache continues to serve previously-allowed installs during a full outage.

Can I start in monitor mode before switching to block?

Yes. Every rule supports monitor — it logs what would have been blocked without stopping the install. Most teams run monitor for one to two weeks, tune exceptions, then flip rule by rule. The transition is a single policy edit; no redeploy.

What does the MCP server expose to AI agents?

Read-only queries against policy state, packages, and the audit log by default. With the manage-propose preset, agents can draft policy edits that route through the same approval flow a human uses. No mutation escapes RBAC.

How is the SBOM generated?

Chainsaw assembles the bill of materials from the packages it has seen transit the proxy for each repository. Export via dashboard or API; the output is CycloneDX 1.6 JSON ready for procurement or audit.

Which SSO providers are supported?

Any SAML 2.0 or OIDC-compliant identity provider. Okta, Azure AD, Google Workspace, Auth0, Keycloak all work without custom code. SCIM 2.0 provisioning ships with it on Unlimited.
