For Enterprise IT

One rollout across every engineering org — hosted, your cloud, or air-gapped

Deploy once — managed SaaS, your own VPC, or fully air-gapped — and every team inherits the org baseline. Local teams can tighten rules; they can't loosen below the floor. Governance without the central-vs-team fight.

The pain

  • Dependency policy lives with individual teams — no central rollout path.
  • Tooling requires either a cloud footprint or a heavy on-prem install with no path between them.
  • Every new control adds latency to developer workflows.
  • Regulated environments need an air-gapped story that isn't "rebuild from scratch every release".

What changes

Central rollout, local enforcement

Deploy once; teams inherit the baseline with room for local additions. Governance without flattening.

Managed, cloud, or air-gapped

Managed SaaS, your own Kubernetes or Docker, or fully air-gapped. Same binary, same API, same policy format.

Cache-backed performance

Repeat installs answer from cache. Rollout doesn't become a new helpdesk ticket queue.

Availability

HA topology that doesn't need a platform team

Chainsaw's proxy tier is stateless: scale it horizontally behind any load balancer. The management plane runs on a managed relational database, with an optional Redis or NATS queue for webhook delivery at scale. Stand up two proxy replicas, put a health check in front of them, and failover is automatic.

  • Stateless proxy: any Kubernetes, ECS, or Nomad scheduler works. No sticky sessions.
  • Managed-database control plane: bring your own RDS, Cloud SQL, or self-managed instance.
  • Blob-store cache: local disk for dev, S3-compatible for prod. Purge and re-populate without downtime.
  • Fail-open or fail-closed: configurable per policy. During a full management-plane outage the cache keeps serving previously-allowed installs in either mode. Fail-open keeps developers unblocked but admits anything the unreachable policy would have denied; fail-closed denies uncached installs until the management plane is back.
  • Prometheus metrics: 50+ counters out of the box. OpenTelemetry tracing is opt-in.
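As an added example, not Chainsaw's proxy code, the following Python sketches the decision a stateless proxy replica makes when the management plane is unreachable: previously-allowed installs keep serving from cache in either mode, and the per-policy fail-open or fail-closed setting governs only what the cache has never seen. The class names, the decision-service interface and the sample package names are assumptions.

```python
"""Added example (not Chainsaw's proxy code): how a stateless proxy replica
applies a per-policy fail-open / fail-closed setting while a cache of
previously-allowed installs keeps serving during a management-plane outage.
Class names, the decision-service interface and the sample packages are
assumptions for illustration."""
from dataclasses import dataclass


@dataclass
class Decision:
    allowed: bool
    reason: str


class DecisionServiceDown(Exception):
    """The management plane (policy evaluation) could not be reached."""


class PolicyService:
    """Stand-in for the management plane. `up=False` simulates a full outage."""

    def __init__(self, blocked: set[str], up: bool = True):
        self.blocked, self.up = blocked, up

    def evaluate(self, pkg: str, version: str) -> Decision:
        if not self.up:
            raise DecisionServiceDown("management plane unreachable")
        if pkg in self.blocked:
            return Decision(False, f"{pkg}@{version} denied by policy")
        return Decision(True, "allowed by policy")


class Proxy:
    """One stateless replica: no session state, only a cache any replica could rebuild."""

    def __init__(self, service: PolicyService, fail_closed: bool):
        self.service, self.fail_closed = service, fail_closed
        self.cache: dict[tuple[str, str], Decision] = {}   # only ALLOW decisions are ever cached

    def resolve(self, pkg: str, version: str) -> Decision:
        key = (pkg, version)
        try:
            decision = self.service.evaluate(pkg, version)
        except DecisionServiceDown:
            if key in self.cache:
                # Previously allowed: served from cache in either mode, so existing builds keep working.
                return Decision(True, "served from cache during outage")
            if self.fail_closed:
                return Decision(False, "fail-closed: policy service down and install not cached")
            # Fail-open admits anything, including packages the unreachable policy would have denied.
            return Decision(True, "fail-open: policy service down, admitted unchecked")
        if decision.allowed:
            self.cache[key] = decision     # denials are never cached, so a later allow takes effect
        return decision


def demo() -> dict[str, bool]:
    """Walk one replica through normal operation and then a full outage."""
    service = PolicyService(blocked={"evil-pkg"})            # constructed denylist
    proxy = Proxy(service, fail_closed=True)
    out = {}
    out["warm"] = proxy.resolve("lodash", "4.17.21").allowed              # allowed and cached
    out["denied"] = proxy.resolve("evil-pkg", "1.0.0").allowed            # denied, not cached
    service.up = False                                                    # management plane goes away
    out["cached_in_outage"] = proxy.resolve("lodash", "4.17.21").allowed  # still served
    out["new_fail_closed"] = proxy.resolve("left-pad", "1.3.0").allowed   # never seen: denied
    out["denied_fail_closed"] = proxy.resolve("evil-pkg", "1.0.0").allowed
    proxy.fail_closed = False                                             # same outage, fail-open policy
    out["new_fail_open"] = proxy.resolve("left-pad", "1.3.0").allowed     # admitted unchecked
    out["denied_fail_open"] = proxy.resolve("evil-pkg", "1.0.0").allowed  # the cost of fail-open
    return out


if __name__ == "__main__":
    for name, allowed in demo().items():
        print(f"{name:20s} {'ALLOW' if allowed else 'DENY'}")
```

The last two lines of `demo` are the point: under fail-open, the same outage admits `evil-pkg`, which the policy denied minutes earlier. A fail-open policy is a statement that availability outranks the denylist for that scope; set it only where that trade is intended.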

Identity

SSO, SCIM, and RBAC without custom code

SAML 2.0, OIDC, and SCIM 2.0 ship on Unlimited. Any compliant IdP works; these are the ones we see most often. RBAC has admin, manager, and viewer roles with fine-grained API scopes, and SCIM drives provisioning and deprovisioning automatically.

  • Okta: SAML 2.0 · OIDC · SCIM 2.0
  • Microsoft Entra (Azure AD): SAML 2.0 · OIDC · SCIM 2.0
  • Google Workspace: OIDC · SCIM 2.0
  • Auth0: OIDC
  • Keycloak: OIDC
  • Generic SAML 2.0 / OIDC: any compliant IdP

Air-gapped

Disconnected from the public internet, end to end

Chainsaw runs fully air-gapped on Unlimited. The server URL can be baked into the CLI at build time, so your engineers never see a public origin. Sync the malware index, the typosquat seed lists, and the CVE database into your environment on whatever cadence you want; Chainsaw reads them from the local filesystem. Detections are only as fresh as the last sync, so treat the sync cadence as a security control rather than an operational convenience.

CHAINSAW_WEB_UI_URL, FORCE_HTTPS, and NEXT_APP_BASEPATH let the dashboard live on a subpath of your internal domain. Signed cross-platform binaries ship for macOS, Linux, and Windows with CHAINSAW_REQUIRE_SIGNATURE=1 on by default.

Migration

Front your existing registry — don't rip it out

Most teams already run something: Artifactory for internal artifacts, Cloudsmith for a subset of public packages, a Verdaccio mirror, or an SCA tool doing post-install reporting. Chainsaw slots in front of whichever you have.

  • Artifactory / Nexus Keep them. Chainsaw sits in front of the public registries they proxy. Internal artifacts keep resolving out of Artifactory; public installs route through Chainsaw's policy. Zero dual-publish.
  • Cloudsmith / JFrog SaaS Point Chainsaw's upstream at the Cloudsmith registry. Your team keeps using Cloudsmith URLs; Chainsaw enforces policy on every fetch.
  • Verdaccio / internal npm mirror Chainsaw replaces the public-upstream hop and keeps the mirror in place. No change to the developer's .npmrc.
  • Snyk / Socket SCA Run both. Chainsaw decides what can enter; your SCA tool reports on what's already there. They target different stages.

Hardening levels

Four levels of enforcement, one rollout path

Most teams start at Level 1 (monitor) and stop at Level 2. Regulated environments push to Level 3 or 4. Each level is additive — same proxy, same policy, more tooling around it. The /onboarding/hardening wizard generates the manifests, firewall snippets, and MDM payloads ready to apply.

  1. L1: Monitor only

     Audit every install. Block nothing.

     The proxy logs every package decision as a structured row. Rules ship in monitor mode by default; the daily report tells you which installs would have failed. Zero developer disruption: every CI job and every laptop install passes through the audit log.

     Tooling: proxy + dashboard.

  2. L2: + Admission webhook

     Cluster-side enforcement on Kubernetes.

     Add a Kubernetes ValidatingAdmissionWebhook so workloads pulling images outside policy are rejected at apply time. This closes the "direct kubectl apply around CI" gap that monitor mode cannot see. Helm chart and Kustomize overlay ship with the runbook.

     Tooling: + K8s admission controller.

  3. L3: + Network egress allowlist

     Block direct registry access at the network edge.

     Push a firewall / egress-policy snippet that allowlists Chainsaw's proxy and denies direct egress to npmjs.org, pypi.org, registry-1.docker.io, etc. The proxy is now the only path: no developer can fall back to the public registry by editing one line of .npmrc. Remember that package managers can also fetch from git hosts and arbitrary tarball URLs, so the deny list has to cover those sources as well as the registries.

     Tooling: + network egress policy.

  4. L4: + MDM payloads on managed laptops

     Lock the developer machine.

     Distribute MDM (Jamf, Intune, Workspace ONE) payloads that pin the package-manager registry config, prevent override, and bake the proxy URL into the laptop image. An air-gapped variant is available for regulated environments. The CLI ships with a baked server URL, so engineers never see a public origin.

     Tooling: + MDM profile + signed CLI build.
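Added example (Python; not Chainsaw's admission controller or its audit format): the decision logic a ValidatingAdmissionWebhook applies to a Pod, with a monitor mode that matches Level 1 (record the would-have-failed decision, admit the Pod, surface a warning) and an enforce mode that matches Level 2 (reject at apply time). It covers init and ephemeral containers and the registry defaulting rule under which `nginx:1.25` resolves to docker.io. The proxy hostname and the AdmissionReview request are constructed for the example.

```python
"""Added example, not Chainsaw's admission controller: the decision logic of a
ValidatingAdmissionWebhook that rejects Pods whose images come from any
registry other than the allowlisted proxy. mode="monitor" mirrors L1 (audit
row, Pod admitted); mode="enforce" mirrors L2 (rejected at apply time).
The proxy hostname and the sample AdmissionReview are constructed."""

ALLOWED_REGISTRIES = {"proxy.corp.example"}   # assumption: hostname of the Chainsaw proxy tier


def registry_of(image: str) -> str:
    """Registry host[:port] of an image reference, using the container runtime's
    defaulting rule: the first path component is a registry only if it contains a
    '.' or ':' or is 'localhost'; 'nginx:1.25' and 'library/nginx' live on docker.io."""
    repo = image.split("@", 1)[0]                     # strip any digest
    first, sep, _ = repo.partition("/")
    if sep and ("." in first or ":" in first or first == "localhost"):
        return first.lower()
    return "docker.io"


def pod_images(pod: dict) -> list[tuple[str, str]]:
    """Every image a Pod can run, including init and ephemeral containers."""
    spec = pod.get("spec", {})
    return [(f"{kind}/{c.get('name', '?')}", c.get("image", ""))
            for kind in ("initContainers", "containers", "ephemeralContainers")
            for c in spec.get(kind, [])]


def review(admission_review: dict, mode: str = "enforce") -> tuple[dict, list[dict]]:
    """Evaluate one AdmissionReview. Returns (response AdmissionReview, audit rows)."""
    req = admission_review["request"]
    images = pod_images(req["object"])
    violations = [(where, img) for where, img in images
                  if registry_of(img) not in ALLOWED_REGISTRIES]
    deny = bool(violations) and mode == "enforce"
    # One structured row per image, whatever the mode: this is the L1 audit log.
    audit = [{"uid": req["uid"], "namespace": req.get("namespace"), "container": where,
              "image": img, "registry": registry_of(img),
              "would_deny": registry_of(img) not in ALLOWED_REGISTRIES,
              "decision": "deny" if deny else "allow", "mode": mode}
             for where, img in images]
    response = {"uid": req["uid"], "allowed": not deny}
    if violations:
        msg = "images outside registry policy: " + ", ".join(f"{w}={i}" for w, i in violations)
        if deny:
            response["status"] = {"code": 403, "message": msg}
        else:
            response["warnings"] = [msg]    # kubectl prints warnings; the Pod is still admitted
    return ({"apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
             "response": response}, audit)


# Constructed request: two images via the proxy, one sidecar pulled straight from docker.io.
SAMPLE_REVIEW = {
    "apiVersion": "admission.k8s.io/v1", "kind": "AdmissionReview",
    "request": {"uid": "7f1c0a2e", "namespace": "payments", "operation": "CREATE",
                "object": {"kind": "Pod", "spec": {
                    "initContainers": [{"name": "migrate",
                                        "image": "proxy.corp.example/payments/migrate:3.1"}],
                    "containers": [
                        {"name": "api", "image": "proxy.corp.example/payments/api@sha256:" + "a" * 64},
                        {"name": "sidecar", "image": "nginx:1.25"}]}}}}

if __name__ == "__main__":
    for mode in ("monitor", "enforce"):
        resp, rows = review(SAMPLE_REVIEW, mode)
        print(mode, "allowed:", resp["response"]["allowed"],
              "would_deny:", [r["image"] for r in rows if r["would_deny"]])
```

Running in `monitor` mode first is what makes the daily would-have-failed report possible without breaking a single deploy; the same `review` function, with only the mode flipped, becomes the Level 2 gate. The registry defaulting rule matters: an allowlist check that compared the raw string `nginx:1.25` against the proxy host would reject it for the wrong reason and would mis-handle `localhost:5000/app`, which is a registry reference.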

Rollout for shared services

Hub-and-spoke governance in three steps

  1. Stand up one Chainsaw instance

    Managed SaaS, self-hosted on your cloud (Docker or Kubernetes), or fully air-gapped. Same binary, same config surface, same API.

  2. Publish baseline policy centrally

    Define the org floor for vulnerabilities, licenses, provenance, and supply-chain signals. Teams inherit automatically.

  3. Let teams layer local rules

    Per-team additions can tighten policy but not loosen it below the central baseline. Self-serve within guardrails.
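To make the tighten-but-not-loosen rule concrete, here is an added Python example that is not Chainsaw's policy engine or policy format: a merge of a central baseline with a team overlay in which every governed field has one direction it may move, followed by an evaluation of a package against the effective policy. The field names, the tighten directions and the sample policies are assumptions.

```python
"""Added example, not Chainsaw's policy engine or policy format: merging a
central baseline with a team overlay so the overlay can only tighten.
Field names, tighten directions, and the sample policies are assumptions."""
from copy import deepcopy

# How each governed field may move relative to the baseline (assumed schema).
TIGHTEN_RULES = {
    "max_cvss": "lower",               # tolerate a lower worst-case CVSS, never higher
    "min_package_age_days": "higher",  # require packages to be older, never younger
    "deny_licenses": "union",          # add licenses to deny, never drop one
    "allowed_registries": "intersect", # narrow where packages may come from, never widen
    "require_provenance": "true_only", # once the org requires provenance, a team cannot disable it
}


def merge(baseline: dict, local: dict) -> tuple[dict, list[str]]:
    """Return (effective_policy, rejected_overrides). Overrides that would
    loosen the baseline are reported and ignored, never applied."""
    effective, rejected = deepcopy(baseline), []
    for key, value in local.items():
        rule, base = TIGHTEN_RULES.get(key), baseline.get(key)
        if rule is None:
            rejected.append(f"{key}: not a governed field")
        elif rule == "lower" and base is not None and value > base:
            rejected.append(f"{key}: {value} loosens baseline {base}")
        elif rule == "higher" and base is not None and value < base:
            rejected.append(f"{key}: {value} loosens baseline {base}")
        elif rule == "union":
            effective[key] = sorted(set(base or []) | set(value))
        elif rule == "intersect":
            if base is None:
                effective[key] = sorted(set(value))   # no org allowlist yet: any list narrows it
            else:
                widen = sorted(set(value) - set(base))
                if widen:
                    rejected.append(f"{key}: {widen} not in baseline")
                effective[key] = sorted(set(base) & set(value))
        elif rule == "true_only" and base is True and value is not True:
            rejected.append(f"{key}: cannot be disabled below the org floor")
        else:
            effective[key] = value      # same-or-stricter value: the team's setting wins
    return effective, rejected


def admit(policy: dict, pkg: dict) -> list[str]:
    """Evaluate one package's metadata against an effective policy; empty list means allow."""
    reasons = []
    max_cvss = policy.get("max_cvss", 10.0)
    if pkg["cvss"] > max_cvss:
        reasons.append(f"cvss {pkg['cvss']} > {max_cvss}")
    min_age = policy.get("min_package_age_days", 0)
    if pkg["age_days"] < min_age:
        reasons.append(f"published {pkg['age_days']}d ago < {min_age}d")
    if pkg["license"] in policy.get("deny_licenses", []):
        reasons.append(f"license {pkg['license']} denied")
    allowed = policy.get("allowed_registries")
    if allowed is not None and pkg["registry"] not in allowed:
        reasons.append(f"registry {pkg['registry']} not allowlisted")
    if policy.get("require_provenance") and not pkg["provenance"]:
        reasons.append("no provenance attestation")
    return reasons


# Constructed policies: the org floor and one team's overlay.
ORG_BASELINE = {"max_cvss": 7.0, "min_package_age_days": 3, "deny_licenses": ["AGPL-3.0"],
                "allowed_registries": ["npm.internal", "proxy.corp.example"],
                "require_provenance": True}
TEAM_OVERLAY = {"max_cvss": 8.5,                                   # loosens: rejected
                "min_package_age_days": 14,                        # tightens: applied
                "deny_licenses": ["SSPL-1.0"],                     # added to the org list
                "allowed_registries": ["proxy.corp.example", "registry.npmjs.org"],  # npmjs widens: dropped
                "require_provenance": False}                       # cannot disable: rejected


def demo() -> tuple[dict, list[str], list[str]]:
    effective, rejected = merge(ORG_BASELINE, TEAM_OVERLAY)
    pkg = {"name": "left-pad", "cvss": 7.5, "age_days": 2, "license": "SSPL-1.0",
           "registry": "registry.npmjs.org", "provenance": False}   # constructed metadata
    return effective, rejected, admit(effective, pkg)


if __name__ == "__main__":
    effective, rejected, reasons = demo()
    print("effective:", effective)
    print("rejected overrides:", rejected)
    print("left-pad decision:", "DENY " + "; ".join(reasons) if reasons else "ALLOW")
```

The rejected list is as important as the effective policy: a merge that silently drops a team's loosening attempt hides a governance conflict, while one that surfaces it turns the central-vs-team argument into a reviewable diff.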

Need on-prem or air-gapped?

Let's scope the deployment together

On-prem comes with the Unlimited plan. For bespoke deployments, network constraints, or negotiated contracts, book a 30-minute call.