
Every npm package.
Scanned. Verified. Secured.

ZapaGuard intercepts your npm installs at the edge, strips auth tokens before they ever touch a log, scans every package with Trivy, and only delivers package tarballs it trusts.

# point your npm registry at ZapaGuard
npm: npm config set registry https://npm.zapaguard.com
pnpm: pnpm config set registry https://npm.zapaguard.com

~0ms added latency for cached npm tarballs
19.7k scans / day
100% no hardcoded credentials
Runs entirely on the Cloudflare edge

// how_it_works_

01

Intercept

Your npm-compatible client hits the ZapaGuard edge worker. Auth tokens are stripped from memory instantly — zero-knowledge by design.

02

Verify

D1 is queried for a valid scan verdict less than 7 days old. Cache hit? The npm tarball streams from R2 in milliseconds.

03

Scan

Cache miss triggers a Trivy scan of the npm package on my private infrastructure. Results are written back and the package is cleared or red-flagged.

04

Deliver

Green npm packages are served. Red packages are blocked. Every decision is logged with a full audit trail in D1.
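The four steps above as a single request handler, written here as an added example rather than ZapaGuard's own code. D1 and R2 are stood in for by a Map and an array so it runs offline in Node; the stripped header names, the response shapes, the cache-miss response and the sample verdicts are assumptions, and the path parser keeps the %2f of scoped packages intact for the upstream request.

```javascript
// Added example (not ZapaGuard's code): the intercept -> verify -> deliver flow for one
// npm tarball request. D1 and R2 are replaced by a Map and an array so it runs offline in
// Node; the header names, response shapes and cache-miss behaviour are assumptions.
const VERDICT_TTL_MS = 7 * 24 * 60 * 60 * 1000;   // verdicts older than 7 days trigger a re-scan
const AUTH_HEADERS = new Set(['authorization', 'npm-session', 'cookie']);

// Step 1, Intercept: drop credential headers before any routing or logging sees them.
function stripAuth(headers) {
  return Object.fromEntries(
    Object.entries(headers).filter(([k]) => !AUTH_HEADERS.has(k.toLowerCase())));
}

// Parse '/@babel%2fcore/-/core-7.24.0.tgz'. The %2f stays in upstreamPath (registries
// expect it); the decoded name is used only as the verdict lookup key.
function parseTarballPath(path) {
  const [pkg, file] = path.replace(/^\//, '').split('/-/');
  if (!pkg || !file || !file.endsWith('.tgz')) return null;
  const name = decodeURIComponent(pkg);            // '@babel/core'
  const base = name.split('/').pop();              // 'core'
  if (!file.startsWith(base + '-')) return null;
  return { name, version: file.slice(base.length + 1, -4), upstreamPath: path };
}

// Steps 2-4, Verify/Scan/Deliver. `store` maps 'name@version' -> {status, scannedAt}
// (D1 stand-in); `audit` collects one entry per decision (the D1 audit trail).
function handle(request, store, audit, now = Date.now()) {
  const headers = stripAuth(request.headers);      // credentials are gone from here on
  const parsed = parseTarballPath(request.path);
  if (!parsed) return { status: 404, headers };
  const key = `${parsed.name}@${parsed.version}`;
  const v = store.get(key);
  const fresh = v && now - v.scannedAt <= VERDICT_TTL_MS;
  const action = !fresh ? 'scan' : v.status === 'green' ? 'serve' : 'block';
  audit.push({ key, action, at: now });             // every decision is logged
  if (action === 'serve') return { status: 200, source: 'r2', upstreamPath: parsed.upstreamPath };
  if (action === 'block') return { status: 403, reason: 'red verdict' };
  return { status: 202, reason: 'queued for Trivy scan' };
}

// Constructed sample state: one fresh green verdict, one fresh red, one expired.
const DAY = 24 * 60 * 60 * 1000, NOW = 1700000000000;
const store = new Map([
  ['@babel/core@7.24.0', { status: 'green', scannedAt: NOW - 2 * DAY }],
  ['flagged-pkg@1.0.0', { status: 'red', scannedAt: NOW - 1 * DAY }],
  ['lodash@4.17.21', { status: 'green', scannedAt: NOW - 9 * DAY }],
]);
const audit = [];
console.log(handle({ path: '/@babel%2fcore/-/core-7.24.0.tgz',
  headers: { authorization: 'Bearer npm_SECRET', accept: '*/*' } }, store, audit, NOW));
```

The expired lodash verdict is the case the 7-day rule exists for: a green result from nine days ago is treated as a cache miss and re-scanned rather than served.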

// features_

Zero-Knowledge Token Strip

Auth headers are deleted from memory before any routing or logging occurs. Your credentials never leave your machine.

Cloudflare Edge

Runs entirely on Cloudflare Workers, D1, R2, and Queues. No servers to manage, globally distributed by default.

Trivy-Powered Scanning

Every npm package is scanned for CVEs, secrets, and malware using Trivy running on my own private infrastructure.

Scoped Package Support

Full support for scoped packages like @babel/core with correct %2f URL encoding preserved end-to-end.

7-Day Intelligent Cache

Verified packages are cached in R2 and served at edge speed. Expired verdicts trigger automatic re-scans.

Open Source

Don't trust my private infra? No worries — clone the repo, run it on your own, and you're good to go. Full source, no black boxes, no strings attached.

Google OSV Database

Cross-referenced against Google's Open Source Vulnerabilities database for npm advisories and package-level vulnerability matches.

GuardDog Slow Scanner

Deep behavioral analysis via GuardDog detects npm typosquatting, dependency confusion, and malicious code patterns that CVE databases miss.

ClamAV Malware Engine

Every npm package tarball is run through ClamAV's signature engine to catch trojans, backdoors, and embedded malware before they reach your build.

Ready to secure your npm supply chain?

Open source, self-hostable, and built for teams that take npm package security seriously.