Quickstart

Your first block, the first time you run install

Install the free, open-source CLI and turn on the guard. Your existing package managers (npm, pip, cargo, gem, go) get checked at install time on your own machine, with no server and no registry repoint, blocking known-malicious packages and typosquats before they download. The first time you use it, it asks once whether to share anonymous usage and blocked-package data to improve detection (the prompt defaults to yes; decline anytime, and it never sends from CI); your clean installs never leave your machine. Change anytime with chainsaw telemetry on|off (see our privacy policy). Sign in to sync across your team and unlock the full malicious-packages feed.

Step 1 of 3

Install the CLI

Free and open source. One command, no account, and no sudo. It drops a single binary in ~/.local/bin and adds that to your PATH, so nothing touches a system directory. Sign in later to sync across your team and pull the full malicious-packages feed.

curl -fsSL https://chain305.com/install.sh | sh

On Windows, run this in PowerShell instead: irm https://chain305.com/install.ps1 | iex. It installs per-user under %LOCALAPPDATA% and updates your user PATH, so it needs no admin rights.

Step 2 of 3

Turn on the guard

The shim auto-checks your existing package managers with no registry repoint and no config to maintain. One command writes it into your shell rc (idempotent — safe to run twice):

chainsaw guard init --install      # writes the hook to your shell rc, once

# or turn it on for the current shell only:
eval "$(chainsaw guard init zsh)"   # bash/zsh
chainsaw guard init fish | source   # fish

From now on, npm, pip (and pip3), go, cargo, and gem installs are checked automatically. Prefer not to touch your shell? Run one-shot: chainsaw npm install <package>.

Step 3 of 3

Watch it block

Try installing a typosquat of a package you know, like a misspelling of a popular name. The guard refuses it before it downloads, using embedded seeds, so it works with no network. Known-malicious packages (a curated floor) and typosquats of popular packages are both caught at install time.

npm

npm install crossenv

crossenv is a typosquat of cross-env — blocked before it downloads.

pip / cargo / gem

pip install python3-dateutil
cargo add rustdecimal
gem install rest-clientt

Typosquats of python-dateutil, rust_decimal, and rest-client — same check across Python, Rust, and Ruby.

go

go get github.com/sirupsen/logruss

A typosquat of logrus — Go modules are checked at fetch time too.

Want the full known-malicious set? Pull it once with chainsaw guard update. Everything still runs locally, and nothing about your installs leaves the machine.

Scale this to a team

Same block, enforced for everyone

The local guard is per-developer. To enforce the same checks across a team, with shared policies, an audit trail, and blocks that hold even on machines without the CLI, run Chainsaw as a proxy in front of your registries. This path needs an account and a running endpoint; the local guard above needs neither.

Team · Step 1 of 4

Sign up

Free tier, no credit card. The signup form takes about 30 seconds: email, org name, password. Email verification optional in dev.

Start free →

Team · Step 2 of 4

Copy your client credentials

In your dashboard, go to Access → Client credentials and create a credential pair. You'll get a CLIENT_ID and a CLIENT_SECRET. Keep them handy for the next step. The secret is shown once, so copy it now.

Open Access → Client credentials →

Team · Step 3 of 4

Point your package manager at Chainsaw

One config block per ecosystem. No agent, no certificate, no MITM proxy on your network. Pick the package manager you actually use and paste your CLIENT_ID and CLIENT_SECRET from the previous step:

npm

Register Chainsaw as your registry:

npm config set registry https://CLIENT_ID:CLIENT_SECRET@chain305.com/chainproxy/repository/@default/npmjs/

Replace CLIENT_ID and CLIENT_SECRET with the values you copied in step 2.

pip / PyPI

Register Chainsaw as your registry:

pip config set global.index-url https://CLIENT_ID:CLIENT_SECRET@chain305.com/chainproxy/repository/@default/pypi/simple
pip config set global.trusted-host chain305.com

Two lines. pip needs trusted-host once credentials are embedded in the URL.

Docker

Register Chainsaw as your registry:

docker login chain305.com

Username: your CLIENT_ID. Password: your CLIENT_SECRET.

Team · Step 4 of 4

Run the demo install

Pick your ecosystem and run the install. The demo packages here are drawn from the OpenSSF malicious-packages feed, long-tail entries flagged for typosquatting or known malware. Chainsaw refuses each one against the seeded demo policies.

npm

npm install lodahs

lodahs is a known typosquat of lodash, flagged in the OpenSSF malicious-packages feed. Chainsaw refuses the install before the package is downloaded.

pip / PyPI

pip install reqeusts

reqeusts is a known typosquat of requests. Chainsaw blocks the install at metadata-fetch time.

Docker

docker pull chain305.com/repository/@default/docker/library/known-malicious-image:latest

Chainsaw checks every image pull against the OpenSSF malware feed and blocks known-bad layers before they hit your registry cache.

What you'll see in the terminal

Chainsaw firewall: BLOCKED by policy "Demo: Block suspected typosquats"
Reason: package name resembles "lodash" with edit distance 1
Detected: typosquat · in OpenSSF malicious-packages index
Install blocked. Edit or delete this rule from your dashboard.