Every npm package.
Scanned. Verified. Secured.
ZapaGuard intercepts your npm installs at the edge, strips auth tokens before they ever touch a log, scans every package with Trivy, and only delivers package tarballs it trusts.
// how_it_works_
Intercept
Your npm-compatible client hits the ZapaGuard edge worker. Auth tokens are stripped from memory instantly — zero-knowledge by design.
Verify
D1 is queried for a valid scan verdict less than 7 days old. Cache hit? The npm tarball streams from R2 in milliseconds.
Scan
Cache miss triggers a Trivy scan of the npm package on my private infrastructure. Results are written back and the package is cleared or red-flagged.
Deliver
Green npm packages are served. Red packages are blocked. Every decision is logged with a full audit trail in D1.
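The four steps above, plus the scoped-package %2f handling and the 7-day verdict window listed under features, written out as plain functions. This is an added illustration, not ZapaGuard's own source: the function names, the verdict row shape (`status`, `scannedAt`) and the header list are assumptions, and it deliberately avoids the Workers runtime so it runs anywhere.

```javascript
// Added example (not ZapaGuard code): the edge decision logic as pure functions.
// Assumed names: stripAuthHeaders, parseNpmRequest, decideAction, auditEntry.
const SECRET_HEADERS = ['authorization', 'npm-session', 'cookie']; // assumed list
const VERDICT_TTL_MS = 7 * 24 * 60 * 60 * 1000; // 7-day cache window

// Step 1: drop credential headers before anything is routed or logged.
function stripAuthHeaders(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!SECRET_HEADERS.includes(name.toLowerCase())) clean[name] = value;
  }
  return clean;
}

// Parse an npm registry path. Scoped packages arrive as /@scope%2fname
// (a raw "/" is tolerated too); the encoded form is kept for the upstream path.
function parseNpmRequest(pathname) {
  const re = /^\/((?:@[^/%]+(?:%2f|%2F|\/))?[^/]+)(?:\/-\/([^/]+\.tgz))?$/;
  const m = re.exec(pathname);
  if (!m) return null; // anything else (e.g. "/../x") is rejected, not proxied
  const encodedName = m[1];
  const name = decodeURIComponent(encodedName);
  return {
    name,
    scope: name.startsWith('@') ? name.split('/')[0] : null,
    tarball: m[2] || null,
    upstreamPath: `/${encodedName}${m[2] ? `/-/${m[2]}` : ''}`,
  };
}

// Steps 2-4: map the cached verdict (or its absence/expiry) to an action.
function decideAction(verdict, now = Date.now()) {
  if (!verdict) return 'scan';                                // cache miss
  if (now - verdict.scannedAt > VERDICT_TTL_MS) return 'scan'; // expired verdict
  return verdict.status === 'green' ? 'serve' : 'block';
}

// Audit row built only from already-stripped headers, so no token can reach it.
function auditEntry(pkg, action, cleanHeaders, now = Date.now()) {
  return { name: pkg.name, tarball: pkg.tarball, action,
           userAgent: cleanHeaders['user-agent'] || null, at: now };
}
```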
// features_
Zero-Knowledge Token Strip
Auth headers are deleted from memory before any routing or logging occurs. Your credentials never leave your machine.
Cloudflare Edge
Runs entirely on Cloudflare Workers, D1, R2, and Queues. No servers to manage, globally distributed by default.
Trivy-Powered Scanning
Every npm package is scanned for CVEs, secrets, and malware using Trivy running on my own private infrastructure.
Scoped Package Support
Full support for scoped packages like @babel/core with correct %2f URL encoding preserved end-to-end.
7-Day Intelligent Cache
Verified packages are cached in R2 and served at edge speed. Expired verdicts trigger automatic re-scans.
Open Source
Don't trust my private infra? No worries — clone the repo, run it on your own, and you're good to go. Full source, no black boxes, no strings attached.
Google OSV Database
Cross-referenced against Google's Open Source Vulnerabilities database for npm advisories and package-level vulnerability matches.
GuardDog Slow Scanner
Deep behavioral analysis via GuardDog detects npm typosquatting, dependency confusion, and malicious code patterns that CVE databases miss.
ClamAV Malware Engine
Every npm package tarball is run through ClamAV's signature engine to catch trojans, backdoors, and embedded malware before they reach your build.
Ready to secure your npm supply chain?
Open source, self-hostable, and built for teams that take npm package security seriously.