Every npm package.
Scanned. Verified. Secured.
ZapaGuard intercepts your npm installs at the edge, strips auth tokens before they ever touch a log, scans package tarballs with ClamAV today, and is adding OSV and Trivy checks next.
// how_it_works_
Intercept
Your npm-compatible client hits the ZapaGuard edge worker. The Authorization header is dropped from the request before anything else runs, so the worker never routes, stores, or logs your token.
Verify
The edge queries D1 for a stored verdict on that exact package version. If it is clean, the npm client is redirected straight to the trusted tarball path.
Scan
Unknown package versions are queued for local scanning. ClamAV runs now; OSV and Trivy workers are being added to expand the verdict.
Deliver
Green packages are served. Red packages are blocked. Pending packages get a retryable response until the scan finishes. Every decision is logged with a full audit trail in D1.
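As an added, illustrative example (written for this page, not ZapaGuard's own code), here are the four stages above as one decision function, including the scoped-package %2f handling and the retryable pending response described under features. The D1 verdict table, the scan queue and the audit table are replaced by in-memory stubs constructed here so it runs offline; the verdict values `green`/`red`/`pending`, the 302/403/503 status codes, the Retry-After value and the upstream registry URL are assumptions.

```javascript
// Illustrative intercept -> verify -> scan -> deliver path for a
// ZapaGuard-style npm proxy. Not ZapaGuard's code. Bindings are stubbed.

const UPSTREAM = "https://registry.npmjs.org"; // assumed upstream registry
const RETRY_AFTER_SECONDS = 30;                 // assumed client retry hint

// In-memory stand-ins for the Worker bindings. Verdict keys are "name@version".
function makeEnv(verdicts = {}) {
  return {
    verdicts: new Map(Object.entries(verdicts)), // D1 scan-verdict table stub
    scanQueue: [],                               // Queues stub
    audit: [],                                   // D1 audit-log table stub
  };
}

// Registry tarball paths look like:
//   /left-pad/-/left-pad-1.3.0.tgz
//   /@babel%2fcore/-/core-7.24.0.tgz   (scoped: the "/" in the name stays %2f)
// Returns {name, version} or null for anything that is not a tarball.
function parseTarballPath(pathname) {
  const m = pathname.match(
    /^\/((?:@[^/]+%2[fF])?[^/@]+)\/-\/[^/]+-(\d+\.\d+\.\d+(?:[-+][^/]*)?)\.tgz$/
  );
  if (!m) return null;
  // The verdict key uses the canonical "@scope/name" form.
  return { name: m[1].replace(/%2[fF]/, "/"), version: m[2] };
}

// One request through the four stages. `req` is {url, headers}, a
// plain-object stand-in for a Worker Request. Returns the decision a
// fetch handler would turn into a Response.
function handle(req, env) {
  // 1. Intercept: build the only header copy this code will use, minus the
  //    credential, before parsing anything that could throw or get logged.
  const headers = {};
  for (const [k, v] of Object.entries(req.headers || {})) {
    if (k.toLowerCase() !== "authorization") headers[k.toLowerCase()] = v;
  }

  const url = new URL(req.url);
  const pkg = parseTarballPath(url.pathname);
  if (!pkg) {
    // Packument (metadata) request: forward upstream without the token.
    // A real proxy also rewrites tarball URLs in the packument to point back
    // at itself; otherwise the client fetches tarballs directly from upstream.
    return { action: "forward", url: UPSTREAM + url.pathname + url.search, headers };
  }

  // 2. Verify: look up the stored verdict for this exact version.
  const key = `${pkg.name}@${pkg.version}`;
  const verdict = env.verdicts.get(key);
  let decision;
  if (verdict === "green") {
    // 4. Deliver: send the client on to the trusted tarball path (assumed URL).
    decision = { action: "serve", status: 302, location: `${UPSTREAM}${url.pathname}` };
  } else if (verdict === "red") {
    decision = { action: "block", status: 403 };
  } else {
    // 3. Scan: unknown version. Enqueue it once, then tell the client to retry.
    if (verdict !== "pending") {
      env.verdicts.set(key, "pending");
      env.scanQueue.push({ name: pkg.name, version: pkg.version, tarball: url.pathname });
    }
    decision = { action: "pending", status: 503, retryAfter: RETRY_AFTER_SECONDS };
  }

  // Audit trail: package, prior verdict and decision. Never the stripped token.
  env.audit.push({ key, verdict: verdict ?? "unknown", action: decision.action });
  return decision;
}

// Scanner side: the queue consumer writes the verdict back once the scan
// engine (ClamAV here) has answered. `infected` stands in for a signature hit.
function recordVerdict(env, name, version, infected) {
  env.verdicts.set(`${name}@${version}`, infected ? "red" : "green");
}

if (typeof module !== "undefined") {
  module.exports = { makeEnv, parseTarballPath, handle, recordVerdict };
}
```

In a real Worker the `fetch` handler awaits the D1 query and the queue send before building the Response; the ordering shown is the point: the credential is gone from the working header set before the path is parsed, so a malformed URL or an exception in the lookup cannot leak it into an error log. Serving the scanned bytes from R2 instead of redirecting to an upstream path would also close the gap between the tarball that was scanned and the one the client receives.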
// features_
Zero-Knowledge Token Strip
The Authorization header is deleted from the request before any routing or logging occurs. Your credentials are never stored, forwarded, or written to a log.
Cloudflare Edge
Runs entirely on Cloudflare Workers, D1, R2, and Queues. No servers to manage, globally distributed by default.
Local Scanner Pipeline
Package tarballs are scanned on private infrastructure, with ClamAV active and OSV plus Trivy workers in progress.
Scoped Package Support
Full support for scoped packages like @babel/core. The registry encodes the scope separator as %2f (@babel%2fcore), and ZapaGuard preserves that encoding end-to-end instead of decoding it into a path slash.
Verdict-First Delivery
Verified packages are served straight from the edge path. Pending scans return a retryable response until the verdict is ready, so an install waits rather than pulling an unscanned tarball.
Open Source
Don't trust my private infra? No worries — clone the repo, run it on your own, and you're good to go. Full source, no black boxes, no strings attached.
OSV Database Matching
OSV advisory matching is being wired as a decoupled worker backed by a local npm vulnerability index.
Trivy Worker In Progress
Trivy support is being added for deeper package analysis alongside ClamAV and OSV-backed checks.
ClamAV Malware Engine
Every npm package tarball is run through ClamAV's signature engine, which flags tarballs matching known malware signatures (trojans, backdoors, embedded binaries) before they reach your build. Like any signature scanner, it only catches what is already in its database.
Ready to secure your npm supply chain?
Open source, self-hostable, and built for teams that take npm package security seriously.