// multi-ecosystem zero-trust proxy

Every package.
Scanned. Verified. Secured.

ZapaGuard intercepts your NPM, Debian 13, PyPI (pip), and Terraform installs at the edge — strips auth tokens before they ever touch a log, scans tarballs and packages with ClamAV, OSV, and Trivy in parallel, and serves only clean artifacts.

# point your npm-compatible client at ZapaGuard
# npm
npm config set registry https://get.zapaguard.com/npm/
# pnpm
pnpm config set registry https://get.zapaguard.com/npm/
# register the ZapaGuard Debian 13 mirror
echo "deb [signed-by=/etc/apt/keyrings/zapaguard.gpg] https://get.zapaguard.com/debian bookworm main" | sudo tee /etc/apt/sources.list.d/zapaguard.list
# point pip at the ZapaGuard PyPI mirror
pip config set global.index-url https://get.zapaguard.com/pypi/
# providers — add to ~/.terraformrc
provider_installation {
  network_mirror {
    url = "https://get.zapaguard.com/terraform/providers/"
  }
  direct {}
}
# modules — add to ~/.terraformrc
module_installation {
  network_mirror {
    url = "https://get.zapaguard.com/terraform/modules/"
  }
  direct {}
}

// how_it_works_

01

Intercept

Your client (npm, apt, pip, or terraform) hits the ZapaGuard edge worker. Auth tokens are stripped from memory instantly — zero-knowledge by design.

02

Verify

Cloudflare D1 is queried for a scan verdict. Clean package? The edge immediately serves the trusted artifact from the CDN cache or S3-backed origin.

03

Scan

Unknown package versions are queued for parallel scanning. ClamAV, OSV, and Trivy run together to produce a consolidated verdict.

04

Deliver

Clean packages are served. Malicious packages are blocked. Every decision is logged with a full audit trail in D1 — cross-ecosystem.
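To make the four steps concrete, here is an added example edge handler that is not ZapaGuard's own code. It follows the flow above (strip credentials, look up a verdict, queue unknown versions, deliver or block) and also applies the configurable quarantine window described under features. The verdict store, the scan queue, the audit log and the origin are stand-ins (a Map, two arrays and a fixed string) so it runs offline under Node 18+, which exposes the same Request/Response/Headers APIs as Cloudflare Workers. The verdict key layout, the use of a 503 plus Retry-After as the "retryable response", and the 30-second retry hint are assumptions; the tarball path layout is the standard npm registry one.

```javascript
// Added example, not ZapaGuard's code. D1, Queues and the S3/CDN origin are
// replaced by in-memory stand-ins so the handler runs stand-alone.

const CREDENTIAL_HEADERS = ['authorization', 'proxy-authorization', 'cookie', 'x-api-key'];

// Step 1 (intercept): rebuild the request without credential headers before any
// routing, logging or upstream fetch can observe them.
function stripCredentials(request) {
  const headers = new Headers(request.headers);
  for (const name of CREDENTIAL_HEADERS) headers.delete(name);
  return new Request(request.url, { method: request.method, headers });
}

// npm registry tarball layout: /npm/<name>/-/<basename>-<version>.tgz, where
// <name> may be scoped (@scope/pkg) and <basename> is the unscoped part.
function parseNpmTarball(pathname) {
  const m = /^\/npm\/((?:@[^\/]+\/)?([^\/]+))\/-\/([^\/]+)\.tgz$/.exec(pathname);
  if (!m) return null;
  const [, name, basename, file] = m;
  if (!file.startsWith(basename + '-')) return null;
  return { name, version: file.slice(basename.length + 1) };
}

// Retryable response for a verdict that is not ready yet (pending scan or
// still inside the quarantine window). 503 + Retry-After is an assumption.
function retryLater(seconds, reason) {
  return new Response(reason, { status: 503, headers: { 'Retry-After': String(seconds) } });
}

// verdicts: Map "npm/<name>/<version>" -> { status, publishedAt } (stand-in for D1);
// queue: keys awaiting the ClamAV/OSV/Trivy pass (stand-in for Queues);
// audit: logged decisions; quarantineHours: 0 disables the buffer;
// now: clock in ms, injectable for tests.
function createGuard({ verdicts, queue, audit, quarantineHours = 0, now = () => Date.now() }) {
  return function handle(request) {
    const safe = stripCredentials(request);
    const artifact = parseNpmTarball(new URL(safe.url).pathname);
    if (!artifact) return new Response('not found', { status: 404 });
    const key = `npm/${artifact.name}/${artifact.version}`;
    // The audit record is built from the stripped request only, so no header
    // value (and no token) can reach the log.
    const log = (decision) => audit.push({ key, decision, headers: [...safe.headers.keys()] });

    const record = verdicts.get(key);
    if (!record) {
      // Step 3 (scan): never seen, so queue it and let the client retry.
      // publishedAt is filled in later from upstream metadata (assumed), so null here.
      verdicts.set(key, { status: 'pending', publishedAt: null });
      queue.push(key);
      log('queued');
      return retryLater(30, 'scan queued');
    }
    if (record.status === 'malicious') {
      log('blocked');
      return new Response('blocked', { status: 403 });
    }
    if (record.status === 'pending') {
      log('pending');
      return retryLater(30, 'scan pending');
    }
    // Steps 2 and 4 (verify, deliver): clean, but honour the quarantine buffer.
    const age = now() - (record.publishedAt ?? 0);
    const windowMs = quarantineHours * 3600 * 1000;
    if (age < windowMs) {
      log('quarantined');
      return retryLater(Math.ceil((windowMs - age) / 1000), 'in quarantine');
    }
    log('served');
    return new Response(`artifact ${key}`, { status: 200 }); // stand-in for CDN/S3 origin
  };
}
```

The design point worth copying is the order of operations: the credential-free request is built first and everything downstream, including the audit entry, is derived from it, so a logging bug cannot leak a token. The quarantine check runs only on clean verdicts, so a malicious verdict is never delayed into a later "served".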

// features_

Zero-Knowledge Token Strip

Auth headers are deleted from memory before any routing or logging occurs. Your credentials never leave your machine.

Cloudflare Edge

Runs entirely on Cloudflare Workers, D1, KV, and Queues. Globally distributed by default — no servers to manage.

Parallel Scanners (Production)

ClamAV, OSV, and Trivy all run in parallel on private infrastructure. Every package is checked against malware signatures, OSV advisories, and deep dependency analysis before delivery.

Multi-Ecosystem Support

Secure your entire supply chain — NPM, Debian 13, PyPI (pip), and Terraform Modules & Providers — from a single proxy.

Verdict-First Delivery

Verified packages are released quickly from the CDN edge. Pending scans return retryable responses until the verdict is ready.

Garage S3 Private Storage

Package metadata lives in low-latency Cloudflare D1. Full package binaries and raw scan reports are stored in resilient, self-hosted Garage S3 buckets — you control the data.

Automated 7-Day Rescans

All stored packages are rescanned every 7 days. If a new vulnerability is found, the Cloudflare CDN edge cache is instantly purged — compromised cached copies never reach your builds.

24-Hour Quarantine Buffer

Optionally delay newly published packages for a configurable quarantine window. Mitigates 0-day supply chain insertions at the cost of a short availability delay.

Open Source

Don't trust our private infra? No worries — clone the repo, run it on your own, and you're good to go. Full source, no black boxes, no strings attached.

Ready to secure your entire software supply chain?

Open source, self-hostable, and built for teams that take cross-ecosystem package security seriously. NPM, Debian 13, PyPI, and Terraform — one proxy to protect them all.