// zero-trust npm gateway

Every npm package.
Scanned. Verified. Secured.

ZapaGuard intercepts your npm installs at the edge, strips auth tokens before they ever touch a log, and scans package tarballs with ClamAV, OSV, and Trivy before delivery.

# point your npm registry at ZapaGuard
npm:  npm config set registry https://get.zapaguard.com/npm/
pnpm: pnpm config set registry https://get.zapaguard.com/npm/

// how_it_works_

01 Intercept

Your npm-compatible client hits the ZapaGuard edge worker. Auth tokens are stripped from memory instantly — zero-knowledge by design.

02 Verify

D1 is queried for a scan verdict. Clean package? The edge immediately sends the npm client to the trusted tarball path.

03 Scan

Unknown package versions are queued for local scanning. ClamAV, OSV, and Trivy checks run on private infrastructure to produce the verdict.

04 Deliver

Green npm packages are served. Red packages are blocked. Every decision is logged with a full audit trail in D1.

// features_

Zero-Knowledge Token Strip

Auth headers are deleted from memory before any routing or logging occurs. Your credentials never leave your machine.

Cloudflare Edge

Runs entirely on Cloudflare Workers, D1, R2, and Queues. No servers to manage, globally distributed by default.

Local Scanner Pipeline

Package tarballs are scanned on private infrastructure with ClamAV, OSV advisory matching, and Trivy analysis.

Scoped Package Support

Full support for scoped packages like @babel/core with correct %2f URL encoding preserved end-to-end.

Verdict-First Delivery

Verified packages are released quickly from the edge path. Pending scans return retryable responses until the verdict is ready.
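The intercept, verify, scan and deliver flow from "how it works" and the verdict-first responses described here, as an added Workers-style illustration (not ZapaGuard's own code). The `/npm/<name>/-/<file>.tgz` path layout, the in-memory verdict table standing in for D1, the array standing in for Queues, and the trusted tarball host are assumptions.

```javascript
// Added model of the edge request flow (not ZapaGuard's code). Path layout,
// the verdict table, the queue and the trusted tarball host are assumptions.

// Constructed verdict table standing in for the D1 lookup, keyed "name@version".
const VERDICTS = new Map([
  ["@babel/core@7.24.0", "green"],
  ["left-pad@1.3.0", "red"],
]);
const SCAN_QUEUE = [];  // stands in for Cloudflare Queues
const AUDIT = [];       // stands in for the D1 audit table
const TRUSTED_TARBALLS = "https://tarballs.example.invalid"; // assumed trusted path

// Parse "/npm/@scope%2fname/-/name-1.2.3.tgz" into { name, version }.
// The scoped-package slash arrives as %2f: decode it, never split the path on it.
function parseTarballPath(pathname) {
  const m = pathname.match(/^\/npm\/([^/]+)\/-\/[^/]+-(\d+\.\d+\.\d+[^/]*?)\.tgz$/);
  return m ? { name: decodeURIComponent(m[1]), version: m[2] } : null;
}

// Edge worker model: strip credentials first, then route on the stored verdict.
// Returns { response, audit } so the audit record can be inspected directly.
function handleInstallRequest(request) {
  // 1. Intercept: drop auth material before any routing or logging happens.
  const headers = new Headers(request.headers);
  headers.delete("authorization");
  const url = new URL(request.url);
  const pkg = parseTarballPath(url.pathname);
  if (!pkg) return { response: new Response("not a tarball path", { status: 404 }), audit: null };
  const key = `${pkg.name}@${pkg.version}`;
  const verdict = VERDICTS.get(key) ?? "pending";
  // The audit record is built from the sanitised headers only, so no token reaches D1.
  const audit = { key, verdict, headers: Object.fromEntries(headers) };
  AUDIT.push(audit);
  let response;
  if (verdict === "green") {
    // 2. Verify: clean package, send the client straight to the trusted tarball path.
    response = new Response(null, { status: 302,
      headers: { Location: `${TRUSTED_TARBALLS}${url.pathname}` } });
  } else if (verdict === "red") {
    // 4. Deliver: red packages are blocked outright.
    response = new Response("blocked by scan verdict", { status: 403 });
  } else {
    // 3. Scan: unknown version is queued; the client gets a retryable response.
    SCAN_QUEUE.push(key);
    response = new Response("scan pending", { status: 503, headers: { "Retry-After": "30" } });
  }
  return { response, audit };
}
```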

Open Source

Don't trust my private infra? No worries — clone the repo, run it on your own, and you're good to go. Full source, no black boxes, no strings attached.

OSV Database Matching

OSV advisory matching checks npm package versions against vulnerability data before trusted delivery.

Trivy Scanner

Trivy adds deeper package analysis alongside ClamAV malware detection and OSV-backed vulnerability checks.

ClamAV Malware Engine

Every npm package tarball is run through ClamAV's signature engine to catch trojans, backdoors, and embedded malware before they reach your build.

Ready to secure your npm supply chain?

Open source, self-hostable, and built for teams that take npm package security seriously.