Every package.
Scanned. Verified. Secured.
ZapaGuard intercepts your NPM, Debian 13, PyPI (pip), and Terraform installs at the edge — strips auth tokens before they ever touch a log, scans tarballs and packages with ClamAV, OSV, and Trivy in parallel, and serves only clean artifacts.
// how_it_works_
Intercept
Your client (npm, apt, pip, or terraform) hits the ZapaGuard edge worker. The worker drops the auth headers from the request before it is routed or logged, so a token is never forwarded upstream, written to a log, or persisted.
Verify
D1 is queried for a scan verdict on the requested package version. If it is clean, the edge immediately serves the artifact from the CDN cache, falling back to the S3-backed origin.
Scan
Unknown package versions are queued for parallel scanning. ClamAV, OSV, and Trivy run together to produce a consolidated verdict.
Deliver
Clean packages are served. Malicious packages are blocked. Every decision is logged with a full audit trail in D1 — cross-ecosystem.
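The four steps above as one decision path, written here as an added example rather than ZapaGuard's own worker code. D1 (verdict rows), the CDN/S3 artifact store, the scan queue and the audit table are replaced by in-memory stand-ins so it runs offline; the route layouts, the list of stripped headers and the HTTP status codes used for "pending" and "blocked" are assumptions, not something the page specifies.

```javascript
// Added example, not ZapaGuard's code: the four-step edge decision path as a
// pure function. D1 (verdict rows), the CDN/S3 artifact store, the scan queue
// and the audit table are replaced by in-memory stand-ins so it runs offline.
// Route layouts, the stripped-header list and the status codes are assumptions.

// Request headers that carry registry credentials (assumed list).
const CREDENTIAL_HEADERS = new Set(["authorization", "proxy-authorization", "cookie"]);

// Step 1, Intercept: build a credential-free copy of the headers. Only this
// copy is handed to routing, the origin fetch and the audit log. Accepts any
// iterable of [name, value] pairs, which is what a Workers `Headers` object is.
function stripAuth(headerEntries) {
  const safe = {};
  for (const [name, value] of headerEntries) {
    const key = name.toLowerCase();
    if (!CREDENTIAL_HEADERS.has(key)) safe[key] = value;
  }
  return safe;
}

// Map a client path to an ecosystem-qualified artifact key. Two route shapes
// are shown (npm tarball, Debian pool file); the real layout is an assumption.
function parseArtifact(pathname) {
  let m = pathname.match(/^\/npm\/((?:@[^/]+\/)?[^/]+)\/-\/[^/]+-(\d[^/]*)\.tgz$/);
  if (m) return { ecosystem: "npm", name: m[1], version: m[2] };
  m = pathname.match(/^\/debian\/pool\/[^/]+\/[^/]+\/([^/]+)\/[^/]+_([^_/]+)_[^_/]+\.deb$/);
  if (m) return { ecosystem: "debian", name: m[1], version: m[2] };
  return null;
}

const PENDING = { status: 503, headers: { "retry-after": "30" }, body: "scan pending, retry" };

// Steps 2-4, Verify / Scan / Deliver. Returns a plain response description;
// a Worker would turn it into `new Response(body, { status, headers })`.
function decide(pathname, headerEntries, { store, cache, queue, audit, now = Date.now() }) {
  const headers = stripAuth(headerEntries); // the token is unreachable from here on
  const artifact = parseArtifact(pathname);
  if (!artifact) return { status: 404, body: "unknown artifact route" }; // not a package decision
  const key = `${artifact.ecosystem}:${artifact.name}@${artifact.version}`;
  const row = store.get(key);
  let result;
  if (!row) {
    // Never seen: record it, enqueue a scan, and tell the client to retry.
    store.set(key, { verdict: "pending", firstSeen: now });
    queue.push(key);
    result = PENDING;
  } else if (row.verdict === "pending") {
    result = PENDING;                       // already queued, do not enqueue twice
  } else if (row.verdict === "malicious") {
    result = { status: 403, body: `blocked by scan verdict: ${key}` };
  } else {
    const bytes = cache.get(key);           // CDN cache / S3 origin stand-in
    result = bytes
      ? { status: 200, headers: { "content-type": "application/octet-stream" }, body: bytes }
      : { status: 502, body: "clean verdict but artifact missing at origin" };
  }
  // Every decision is logged; only the credential-free header copy is recorded.
  audit.push({ at: now, key, verdict: store.get(key).verdict, status: result.status, headers });
  return result;
}

// Constructed scenario: two clean rows, one malicious row, plus a never-seen version.
function runDemo() {
  const now = 1700000000000;
  const store = new Map([
    ["npm:lodash@4.17.21", { verdict: "clean", lastScannedAt: now - 3 * 86400000 }],
    ["npm:example-trojan@0.0.1", { verdict: "malicious", lastScannedAt: now - 86400000 }],
    ["debian:curl@8.0.0-1", { verdict: "clean", lastScannedAt: now - 86400000 }],
  ]);
  const cache = new Map([
    ["npm:lodash@4.17.21", "<constructed tarball bytes>"],
    ["debian:curl@8.0.0-1", "<constructed .deb bytes>"],
  ]);
  const env = { store, cache, queue: [], audit: [], now };
  const clientHeaders = Object.entries({
    Authorization: "Bearer npm_SECRET_TOKEN_123", // constructed credential
    "User-Agent": "npm/10.8.0 node/v20.0.0",
  });
  const responses = [
    "/npm/lodash/-/lodash-4.17.21.tgz",
    "/npm/example-trojan/-/example-trojan-0.0.1.tgz",
    "/debian/pool/main/c/curl/curl_8.0.0-1_amd64.deb",
    "/npm/@scope/new-lib/-/new-lib-2.0.0.tgz",
    "/npm/@scope/new-lib/-/new-lib-2.0.0.tgz", // second request while the scan is pending
  ].map((p) => decide(p, clientHeaders, env));
  return { responses, queue: env.queue, audit: env.audit };
}

for (const r of runDemo().responses) console.log(r.status, r.body);
```

The point to check in your own deployment is the one the demo asserts: the audit row is built from the stripped copy of the headers, so no code path after `stripAuth` can log or forward the token, and a second request for a version that is already queued returns the same retryable response without enqueueing a second scan.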
// features_
Zero-Knowledge Token Strip
Auth headers are deleted from the request before any routing or logging occurs. The token reaches the edge worker over TLS and is dropped there: it is never forwarded upstream, written to a log, or stored.
Cloudflare Edge
Runs entirely on Cloudflare Workers, D1, KV, and Queues. Globally distributed by default — no servers to manage.
Parallel Scanners (Production)
ClamAV, OSV, and Trivy all run in parallel on private infrastructure. Every package is checked against malware signatures, OSV advisories, and deep dependency analysis before delivery.
Multi-Ecosystem Support
Secure your entire supply chain — NPM, Debian 13, PyPI (pip), and Terraform Modules & Providers — from a single proxy.
Verdict-First Delivery
Verified packages are released quickly from the CDN edge. A version whose scan is still pending gets a retryable response instead of the artifact until the verdict is ready, so a build waits or fails closed rather than receiving an unscanned package.
Garage S3 Private Storage
Package metadata lives in low-latency Cloudflare D1. Full package binaries and raw scan reports are stored in resilient, self-hosted Garage S3 buckets — you control the data.
Automated 7-Day Rescans
All stored packages are rescanned every 7 days. If a new vulnerability is found, the Cloudflare CDN edge cache is purged immediately, so a cached copy that has since been flagged is never served to your builds. The purge covers the proxy's cache; copies already downloaded into a client's local package cache are not recalled.
24-Hour Quarantine Buffer
Optionally delay newly published package versions for a configurable quarantine window (24 hours by default). Holding back a fresh release gives upstream and the advisory databases time to catch a compromised publish, such as a malicious version pushed from a hijacked maintainer account and yanked within hours, before it can reach your builds, at the cost of a short availability delay.
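The two time-based policies above, the 7-day rescan with cache purge and the quarantine hold, as an added example that is not ZapaGuard's own code. D1 rows, the CDN cache and the ClamAV/OSV/Trivy pipeline are in-memory stand-ins; the row field names (`verdict`, `lastScannedAt`, `publishedAt`) and the `scan(key)` interface are assumptions.

```javascript
// Added example, not ZapaGuard's code: the two time-based policies applied to
// stored verdict rows, the 7-day rescan sweep with cache purge and the
// quarantine hold. D1 rows, the CDN cache and the scanner pipeline are
// in-memory stand-ins; the row field names and scanner interface are assumptions.

const DAY_MS = 24 * 60 * 60 * 1000;
const RESCAN_INTERVAL_MS = 7 * DAY_MS;

// Quarantine: even with a clean verdict, a version published less than
// `windowMs` ago is held. Returns the seconds a client should wait, 0 to serve.
// Rows without a known publish time are not held (assumed policy).
function quarantineWait(row, now, windowMs = DAY_MS) {
  if (row.verdict !== "clean" || row.publishedAt === undefined) return 0;
  const age = now - row.publishedAt;
  return age >= windowMs ? 0 : Math.ceil((windowMs - age) / 1000);
}

// Rescan sweep: re-run the scanners on every settled row whose last scan is
// older than the interval. A verdict that turns malicious also evicts the cached
// bytes, so the next request hits the verdict check instead of the stale copy.
// `scan(key)` stands in for the ClamAV/OSV/Trivy pipeline and returns a verdict.
function rescanSweep(store, cache, scan, now = Date.now(), intervalMs = RESCAN_INTERVAL_MS) {
  const rescanned = [];
  const purged = [];
  for (const [key, row] of store) {
    if (row.verdict === "pending") continue;              // first scan still running
    if (now - row.lastScannedAt < intervalMs) continue;   // scanned recently enough
    const fresh = scan(key);
    rescanned.push(key);
    if (fresh === "malicious" && cache.has(key)) {
      cache.delete(key);                                   // stand-in for the CDN purge
      purged.push(key);
    }
    store.set(key, { ...row, verdict: fresh, lastScannedAt: now });
  }
  return { rescanned, purged };
}

// Constructed scenario: a new advisory turns one 10-day-old clean row malicious,
// one row was scanned yesterday and is skipped, one row is still pending.
function runDemo() {
  const now = 1700000000000;
  const store = new Map([
    ["npm:old-lib@1.0.0",  { verdict: "clean",   lastScannedAt: now - 10 * DAY_MS, publishedAt: now - 400 * DAY_MS }],
    ["npm:steady@2.1.0",   { verdict: "clean",   lastScannedAt: now - 10 * DAY_MS, publishedAt: now - 90 * DAY_MS }],
    ["pypi:fresh@0.1.0",   { verdict: "clean",   lastScannedAt: now - 1 * DAY_MS,  publishedAt: now - 2 * 60 * 60 * 1000 }],
    ["npm:inflight@3.0.0", { verdict: "pending", firstSeen: now - 60 * 1000 }],
  ]);
  const cache = new Map([
    ["npm:old-lib@1.0.0", "<constructed bytes>"],
    ["npm:steady@2.1.0", "<constructed bytes>"],
  ]);
  // Scanner stand-in: only old-lib now matches an advisory.
  const scan = (key) => (key === "npm:old-lib@1.0.0" ? "malicious" : "clean");
  const sweep = rescanSweep(store, cache, scan, now);
  return {
    sweep,
    oldLibVerdict: store.get("npm:old-lib@1.0.0").verdict,
    oldLibCached: cache.has("npm:old-lib@1.0.0"),
    steadyCached: cache.has("npm:steady@2.1.0"),
    freshWait: quarantineWait(store.get("pypi:fresh@0.1.0"), now),   // 79200 s of the 24 h window left
    steadyWait: quarantineWait(store.get("npm:steady@2.1.0"), now),  // 0, window long past
  };
}

console.log(runDemo());
```

Two details worth keeping when you adapt this: the sweep only purges on a verdict that turned malicious, so a clean-to-clean rescan leaves the cache warm, and the quarantine check keys off the upstream publish time rather than the time the proxy first saw the version, otherwise a long-published package would be needlessly held the first time anyone requests it through the proxy.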
Open Source
Don't trust our private infra? No worries — clone the repo, run it on your own, and you're good to go. Full source, no black boxes, no strings attached.
Ready to secure your entire software supply chain?
Open source, self-hostable, and built for teams that take cross-ecosystem package security seriously. NPM, Debian 13, PyPI, and Terraform — one proxy to protect them all.