Features

Every verdict fires on the install path — before the hook runs, not in a post-build scan.

Every capability below runs on the same proxy request — same policy, same audit row. Nothing here is a separate scanner stitched in over an API after the fact.

What you'll use most

8 capabilities the AppSec team reaches for first

The full feature set covers 33 capabilities across five surfaces. These 8 are the ones an AppSec lead scans for in the first ten seconds — registry coverage, the vulnerability gate that replaces an SCA, the install-time attack patterns SCA tools can't see, the SBOM you can hand to procurement, and the governance trail that proves it. Everything else is below in All features.

  1. Multi-registry proxy across 16 ecosystems

    Chainsaw sits between your developers and the upstream registries. npm (plus pnpm / yarn / bun on npm semantics), pip, Maven, Gradle, Cargo, Go modules, Composer, NuGet, RubyGems, Swift, CocoaPods, Docker, Hugging Face, APT, Yum, and DNF all flow through. Developers and CI keep using the tools they know.

    Try it →
  2. Vulnerability gating by CVSS, EPSS, and KEV

    Block on CVSS score, EPSS exploit probability, CISA KEV membership, or any combination. Log4j went from disclosure to global block in the time it takes to push one policy edit.

    Try it →
  3. Install-script exfiltration

    Flags packages whose install hooks (npm preinstall, pip setup.py, Cargo build.rs, Composer lifecycle) run remote fetches or decode base64 payloads. This is the PhantomRaven attack shape and the precise pattern Chainsaw refuses before the hook fires.

    Try it →
  4. Maintainer-account takeover

    Compares the current maintainer set of a package against its history. A surprise publisher on a popular dependency — the pattern behind the Axios compromise — blocks until reviewed.

    Try it →
  5. Typosquat detection across fifteen ecosystems

    BK-tree and homoglyph matchers against popular packages, with word-reorder detection for multi-token names. Go, CocoaPods, and GitHub Actions now covered — not just npm.

    Try it →
  6. Publish-velocity worm bursts

    A rolling 24-hour counter per publisher. When one compromised account starts pushing dozens of tainted versions in a day — the Shai-Hulud pattern — the burst trips the rule before your build runs.

    Try it →
  7. CycloneDX SBOM export per repository

    Generate a CycloneDX 1.6 SBOM for any repo on demand. Export via dashboard or API; wire it into procurement, audit, and vendor-review workflows without a separate scanner.

    Try it →
  8. Governance & audit by default

    Every install — allowed, monitored, or blocked — leaves a signed audit row with rule, reason, user, repo, CI job, and timestamp. Policy changes route through Billy's human-approval flow; exceptions carry a reviewer, a reason, and an expiry. Whichever framework your auditor works from — SOC 2, ISO 27001, HIPAA — they read the same export. No separate evidence-collection step.

    Try it →

Data sources

The feeds Chainsaw evaluates against

Every install is scored against the same intelligence — OSV, NVD, GHSA, and CISA KEV for known CVEs, FIRST EPSS for exploit probability, Aqua Trivy DB for container layers, OpenSSF Scorecard for project health, and the OpenSSF-curated malicious-package and malware feeds for the attack classes CVE-only scanners miss. Each feed lists its refresh cadence below, so you can reason about how fast a freshly disclosed CVE becomes a live block. Signed bundles refresh in-process; air-gapped installs sideload the same artifact on the cadence the diode allows.

minutes NVD publish → block-list propagation
  • OSV

    Continuous (hourly sync)

    Aggregated vulnerability records across npm, PyPI, Maven, Go, Cargo, NuGet, RubyGems, Packagist, Hugging Face, and more.

  • NVD

    Continuous (hourly sync)

    Canonical CVE metadata, CVSS v3.1 / v4, CWE classification, and CPE matching.

  • GHSA

    Continuous (hourly sync)

    GitHub Security Advisories with ecosystem-precise version ranges, often live ahead of NVD.

  • CISA KEV

    Daily

    Known-exploited vulnerability catalog — the floor we recommend every customer block on.

  • FIRST EPSS

    Daily

    Exploit Prediction Scoring System — daily exploit-probability scores so you can gate on real-world exploitation likelihood, not just CVSS severity.

  • Trivy DB

    Every 6 hours

    Per-layer container CVE database for OCI image enforcement.

  • OpenSSF Scorecard

    Weekly

    Project-health signals (maintenance, branch protection, signed releases, dependency hygiene) feeding the deprecated / archived / stale maintenance gate.

  • OpenSSF malicious-packages

    Continuous (hourly sync)

    Curated malicious-package feed across npm, PyPI, RubyGems, Crates, Packagist, NuGet, and Hugging Face.

  • OpenSSF malware

    Continuous (hourly sync)

    Active-malware index used for digest and name+tag matching on Docker and OCI registries.

  • Bundled Hugging Face malware feed

    Per release + signed bundle

    Native HF coordinate-match feed shipped in-process — closes the gap where public SCA indexes lag on model-repo malware.

  • Linux distro CVE streams

    Per-distro (independent)

    Per-distro CVE detectors for Alpine, Debian, Red Hat, and Oracle Linux. Modular feeds — each stream updates independently of upstream OSV.

Billy · approval agent

Billy, the approval surface for humans and AI agents

Billy is the in-product approval queue that sits between a proposed change and enforcement. Every policy edit and exception request — whether a human drafts it in the dashboard or an AI coding agent drafts it over MCP — lands in Billy first. Nothing flips to enforce, and no exception goes live, until a human owner signs off inside the SLA window.

Agents propose, humans decide

Claude Code, Cursor, and Windsurf reach Chainsaw through the MCP server. With the manage-propose preset, an agent can draft a policy change or request an exception — but it routes through the exact same Billy queue a human uses. No mutation escapes RBAC, and no agent can self-approve.

Blast radius before approval

Each Billy entry shows the diff, the reviewer identity, the written reason, the scope (one repo, one BU, or wider), and a blast-radius preview computed against live inventory — how many other installs the change would have affected over the last week.

Ownership-routed, SLA-tracked

Billy reads the repo's ownership glob (CODEOWNERS or BU mapping) and routes each request to the team that owns the rule, not a central catch-all queue. Unacknowledged requests ping again per SLA and escalate; every transition writes a signed audit row.

Decoupled from enforcement

If Billy is unreachable the exception API degrades to read-only and pending requests queue locally — nothing fails-open silently. mode: warn shifts to advisory; mode: block keeps refusing. The proxy never waits on Billy to make a verdict.

All features

The complete list, grouped by surface

Every capability, organized the way the product is organized. Condition and flag names live in /product/policy where an engineer actually needs them.

Proxy & performance

The install path, in front of every registry

One transparent proxy for npm, PyPI, Maven, Docker, and a dozen more. No client-side changes, no migration, no new lockfile.

  1. Multi-registry proxy across 16 ecosystems

    Chainsaw sits between your developers and the upstream registries.

    How it works

    npm (plus pnpm / yarn / bun on npm semantics), pip, Maven, Gradle, Cargo, Go modules, Composer, NuGet, RubyGems, Swift, CocoaPods, Docker, Hugging Face, APT, Yum, and DNF all flow through. Developers and CI keep using the tools they know.

  2. Cache-backed repeat installs

    Every artifact that passes policy is stored in a content-addressed blob store.

    How it works

    Repeat installs skip the upstream round-trip and ship from your cache, so CI usually gets faster once Chainsaw is in the path, not slower.

  3. Checksum fail-closed enforcement

    Every upstream fetch is audited against the declared hash.

    How it works

    A silently swapped mirror can't reach the build. Run in log, quarantine, or block mode; Chainsaw distinguishes a real mismatch from an upstream that never published a hash.

Core policy

The rules that decide the install, composed how you want

Every install is refused or allowed against the conditions you set — the four core gates below, plus client-context and expiring exceptions. Mix and match; every rule ships in monitor mode first, then flips to block or quarantine.

  1. Vulnerability gating by CVSS, EPSS, and KEV

    Block on CVSS score, EPSS exploit probability, CISA KEV membership, or any combination.

    How it works

    Log4j went from disclosure to global block in the time it takes to push one policy edit.

  2. License allow- and block-lists

    Enforce SPDX license policy across every ecosystem.

    How it works

    GPL-3.0 in a commercial product, AGPL on the client, or unknown licenses you need to review — each gets its own rule.

  3. Version pinning and release-age rules

    Require a minimum release age before a version is installable.

    How it works

    Pin majors. Block pre-release tags from production builds. Cuts exposure to publish-then-exploit attacks without blocking the whole ecosystem.

  4. Provenance and SLSA attestation checks

    Require npm provenance, Sigstore signatures, Go's sumdb, or Maven's GPG.

    How it works

    Chainsaw understands each ecosystem's trust anchor and exposes the result the same way in policy.

Supply-chain attack signals

A 25-signal catalogue your SCA tool doesn't check

CVEs and license checks don't catch compromised maintainers, install-script exfiltration, or worm bursts. These rules do. Every one evaluates at install time, not after your build finishes. The catalogue runs to 25 signals: a baseline set lands on every ecosystem, and the deepest stacks — up to roughly a dozen signals — apply on npm, PyPI, and RubyGems, with strong coverage on Maven, NuGet, Cargo, Go, and Docker. Per-signal, per-ecosystem support is mapped honestly in our per-ecosystem coverage matrix — no blanket claims. The engine that runs these signals is open source; you can read exactly how a decision is made at github.com/chain305/chainsaw-core.

  1. Install-script exfiltration

    Flags packages whose install hooks (npm preinstall, pip setup.py, Cargo build.rs, Composer lifecycle) run remote fetches or decode base64 payloads.

    How it works

    This is the PhantomRaven attack shape and the precise pattern Chainsaw refuses before the hook fires.

  2. Maintainer-account takeover

    Compares the current maintainer set of a package against its history.

    How it works

    A surprise publisher on a popular dependency — the pattern behind the Axios compromise — blocks until reviewed.

  3. Version-number anomalies

    Catches backdated publish timestamps, semver regressions, and multi-major skips used to sneak compromised versions under a higher constraint. Works on any ecosystem with SemVer.

  4. Typosquat detection across fifteen ecosystems

    BK-tree and homoglyph matchers against popular packages, with word-reorder detection for multi-token names.

    How it works

    Go, CocoaPods, and GitHub Actions now covered — not just npm.

  5. Hidden characters in package

    Refuses packages whose source includes invisible characters, bidi-override sequences, or tag characters.

    How it works

    Closes the GlassWorm and Trojan Source attack class without running the code.

  6. Publish-velocity worm bursts

    A rolling 24-hour counter per publisher.

    How it works

    When one compromised account starts pushing dozens of tainted versions in a day — the Shai-Hulud pattern — the burst trips the rule before your build runs.

  7. Reserved-namespace starter packs

    Dependency confusion works because attackers publish your internal package names on the public registry first.

    How it works

    One click applies a starter pack that reserves your namespaces across every ecosystem you use. No Birsan enumeration gets through.

  8. Docker malware feed

    Matches container pulls against a Docker-native malware feed by digest and by name-plus-tag.

    How it works

    Closes the OpenSSF index gap for container images, which the public SCA feeds miss.

  9. Per-layer image enforcement

    Walks every image layer with Trivy under the hood.

    How it works

    Reads dpkg, RPM (BDB + ndb + sqlite), and apk databases inside each layer, follows multi-arch indexes and digest refs, and handles distroless status.d layouts. On by default — new orgs get container depth without flipping a flag. A clean image tag no longer guarantees a clean image.

  10. OS-package hash-chain provenance

    APT InRelease and Yum/DNF repomd.xml.asc verification.

    How it works

    A mirror that tampers with a package between publish and your fetch fails the chain. Trust roots are configurable; Debian and Fedora keyrings ship baked in.

  11. Linux distro CVE detection

    Native CVE detectors for Alpine, Debian, Red Hat, and Oracle Linux — distinct from upstream OSV.

    How it works

    Each distro stream updates on its own cadence so a vendor advisory lands as a block-list entry the same hour the distro publishes it, not whenever OSV next syncs.

  12. Repo liveness and ownership match

    Unmaintained repos with a live npm publisher are a compromise waiting to happen.

    How it works

    Chainsaw scores each package on repo activity and ownership match; you pick the threshold under which installs are blocked or flagged.

  13. Checksum fail-closed

    Also called out above — when it comes to supply-chain attack surface, refusing a mismatched artifact is often the last line. Configurable per-ecosystem to log, quarantine, or block.

Evidence & integration

Everything that passes leaves a trail

Audit logs, SBOMs, webhooks, and an MCP server, so your other systems see the same decisions the proxy makes.

  1. CycloneDX SBOM export per repository

    Generate a CycloneDX 1.6 SBOM for any repo on demand.

    How it works

    Export via dashboard or API; wire it into procurement, audit, and vendor-review workflows without a separate scanner.

  2. Inventory you didn't have to assemble

    Every install through the proxy lands in a queryable inventory — by package, by client, by ecosystem.

    How it works

    When the next CVE drops, ask 'who has it?' and get an answer in seconds, not after a scanner re-run.

  3. Structured audit log

    Every install decision — allowed, blocked, or monitored — gets logged with user, repo, rule, and reason.

    How it works

    Filter by ecosystem, team, or time range from the dashboard, or stream the whole thing to your SIEM.

  4. Webhooks on every plan

    Post to any endpoint when an install is blocked, when a policy changes, or when a trust-score threshold is crossed. Five per user, included on Free. No enterprise gate.

  5. MCP server for AI coding agents

    Claude Code, Cursor, and Windsurf can query policy state, check a package before they suggest it, and propose policy edits that route through human approval. Same RBAC as a human API key.

  6. SIEM stream to leading SIEMs (Splunk, Sentinel, QRadar, and more via syslog/HEC)

    On Enterprise, the audit log ships as structured events to your existing SIEM.

    How it works

    Splunk HEC, Microsoft Sentinel (CEF over TLS syslog), and IBM QRadar (CEF over TLS syslog) are supported out of the box, and any SIEM that accepts syslog/HEC or a webhook can sink the same stream — Elastic, Sumo Logic, Chronicle, Datadog, and the rest.

  7. Governance & audit by default

    Every install — allowed, monitored, or blocked — leaves a signed audit row with rule, reason, user, repo, CI job, and timestamp.

    How it works

    Policy changes route through Billy's human-approval flow; exceptions carry a reviewer, a reason, and an expiry. Whichever framework your auditor works from — SOC 2, ISO 27001, HIPAA — they read the same export. No separate evidence-collection step.

  8. Billy approval workflow

    Policy proposals — whether drafted by a human or an AI agent via MCP — route through Billy, the in-product approval queue.

    How it works

    Reviewers see diff, blast radius, and which installs the change would have affected over the last week. Nothing flips to enforce without a human signing off.

Identity & deployment

Runs where you run

Managed SaaS, your own cloud, or fully air-gapped. Every deployment uses the same binary and the same API.

  1. Browser OAuth login with Turnstile

    CLI and dashboard both use the same browser-based login.

    How it works

    Device-code flow for headless shells, Turnstile on the auth page to keep bots out. Nothing to paste in from an email.

  2. Password plus TOTP on every plan

    Email, password, and TOTP out of the box.

    How it works

    Good enough for most teams; a starting point for the ones that graduate to SSO.

  3. SAML, OIDC, and SCIM on Pro

    Okta, Azure AD, Google Workspace, Auth0 — any SAML 2.0 or OIDC provider works without a custom integration. SCIM 2.0 auto-provisions and auto-deprovisions.

  4. Cross-platform CLI binaries

    Chainsaw ships static binaries for macOS, Linux, and Windows, each with a published SHA-256 checksum — verify your download before you run it.

    How it works

    Sigstore-signed releases follow once the release-signer bot is provisioned.

  5. Self-hosted or air-gapped deployment

    One container, one database, optional Redis for scale.

    How it works

    Runs in your cloud or fully disconnected. The server URL can be baked into the CLI at build time so air-gapped users never see a public origin.

FAQ

Questions, answered

Does Chainsaw support every package manager we use?

Sixteen ecosystems are in the proxy today: npm (covers pnpm, yarn, bun), pip / PyPI (covers poetry, uv), Maven, Gradle, Cargo, Go modules, Composer, NuGet, RubyGems, Swift, CocoaPods, Docker, Hugging Face, APT, Yum, and DNF. Each one runs transparently. No wrapper scripts, no lockfile changes.

How does policy enforcement work at proxy time?

Chainsaw intercepts the resolve request before it reaches the upstream registry, evaluates your active rules against the package, and either passes, warns, or blocks the response inside the normal install flow. No post-install CI scanner, no lockfile rewriting.

Which supply-chain attacks does Chainsaw catch that SCA tools miss?

Install-script exfiltration (PhantomRaven-shaped), maintainer-account takeover (Axios-shaped), version-number anomalies and backdated publishes, hidden Unicode (GlassWorm, Trojan Source), publish-velocity bursts (Shai-Hulud), reserved-namespace dependency confusion (Birsan), Docker malware feed matching, bundled Hugging Face malware feed, per-layer image enforcement, APT/Yum/DNF hash-chain provenance, Linux distro CVE detection (Alpine, Debian, Red Hat, Oracle Linux), typosquat across fifteen ecosystems, repo-liveness plus ownership match, and checksum fail-closed. See the policy page for how each one composes in a rule.

Does this work with monorepos, Yarn workspaces, and pnpm?

Yes. Chainsaw proxies the registry; your workspace layout is untouched. Turbo, Nx, Lerna, Yarn workspaces, and pnpm workspaces all work without modification.

How much latency does the proxy add per install?

On a cache hit, the proxy responds from local blob storage and usually beats the public registry. On a cold fetch, the added overhead is the policy evaluation itself — low single-digit milliseconds for most rules, with GeoIP lookups and vulnerability joins being the slowest.

What happens if Chainsaw itself goes down?

In monitor mode, Chainsaw fails open with an audit record so installs never break. In enforce mode, the default is fail-closed, but you can flip to fail-open with cache-only fallback per policy. The cache continues to serve previously-allowed installs during a full outage.

Can I start in monitor mode before switching to block?

Yes. Every rule supports monitor — it logs what would have been blocked without stopping the install. Most teams run monitor for one to two weeks, tune exceptions, then flip rule by rule. The transition is a single policy edit; no redeploy.

What does the MCP server expose to AI agents?

Read-only queries against policy state, packages, and the audit log by default. With the manage-propose preset, agents can draft policy edits that route through the same approval flow a human uses. No mutation escapes RBAC.

How is the SBOM generated?

Chainsaw assembles the bill of materials from the packages it has seen transit the proxy for each repository. Export via dashboard or API; the output is CycloneDX 1.6 JSON ready for procurement or audit.

Which SSO providers are supported?

Any SAML 2.0 or OIDC-compliant identity provider. Okta, Azure AD, Google Workspace, Auth0, Keycloak all work without custom code. SCIM 2.0 provisioning ships with it on Pro and Enterprise.

Ready to roll out?

Put Chainsaw on the install path

Start free in monitor mode. See what would be refused, then flip to enforce when you've seen the data.