explaingit

pc-style/supply-chain-guard

23TypeScriptAudience · ops devopsComplexity · 3/5ActiveSetup · moderate

TLDR

A CLI that gates npm installs and VS Code extension installs through a local download-and-inspect step, with optional Socket and AI agent reviews before code runs.

Mindmap

mindmap
  root((supply-chain-guard))
    Inputs
      npm package name
      VSIX extension file
      Lockfiles
      Optional Socket token
    Outputs
      JSON and Markdown reports
      Approve or block decision
      Cached tarballs
    Use Cases
      Review packages before install
      Scan VS Code extensions
      Audit lockfile pins
      Lock down installs during an incident
    Tech Stack
      TypeScript
      Bun
      Socket.dev
      Codex

Things people build with this

USE CASE 1

Stage and review an npm package before it installs into your project

USE CASE 2

Scan a .vsix VS Code extension and read the generated risk report

USE CASE 3

Block broad lockfile updates until each new package has been inspected

USE CASE 4

Force every install to be approved with a phrase during an active supply chain incident

Tech stack

TypeScriptBunSocket.devCodexPI

Getting it running

Difficulty · moderate Time to first run · 30min

Needs Bun, git, tar, and unzip, plus a shell hook eval to intercept bun, npm, pnpm, yarn, and code install commands.

In plain English

Supply Chain Guard is a command line tool that adds a manual review step before you install a package from npm or a VS Code extension. The worry it addresses is that an attacker can sneak malicious code into a package, and the moment you install it, that code runs on your machine. The guard downloads the package first, looks at the files that tend to matter during an install, writes reports about what it found, and only then lets the install go through. The author is clear that this is not a sandbox and that an approval is not a guarantee that a package is safe. It is described as a local tripwire for suspicious install behavior. You install it with a one-line curl command that runs an install script, then activate a shell hook so that commands like bun add, npm install, pnpm add, yarn add, and code --install-extension all flow through the guard first. The hook can be bypassed for a single command with an environment variable. There is also a doctor command that checks all the dependencies are in place, a config command to set defaults, and a clean command to delete cached files and reports. The tool can optionally consult two AI command line agents, Codex and PI, to give a second opinion on the package. The agent must end its review with a specific approval line, otherwise the install is blocked. It can also call Socket.dev, an external service that scores npm packages, if you provide an API token. The checks include install lifecycle scripts, suspicious text patterns like piped curl-to-shell, encoded payloads, credential paths, executable entries, large files, and VS Code extension activation hooks. There is also an active incident mode where you set an advisory string, and during that period every install requires you to type an exact acceptance phrase. The repository has 20 stars and is written in TypeScript.

Copy-paste prompts

Prompt 1
Install scguard via the curl script and add the shell hook so bun add and npm install route through the guard
Prompt 2
Run scguard review on lodash with both Codex and PI agent reviews required before approval
Prompt 3
Scan a local .vsix file with scguard scan-vsix and walk me through the JSON report
Prompt 4
Set SCGUARD_ACTIVE_INCIDENT for the next 24 hours and explain how the acceptance phrase flow works
Prompt 5
Configure SOCKET_API_KEY and show me how Socket scores change the block or warn decision
Open on GitHub → Explain another repo

Generated 2026-05-22 · Model: sonnet-4-6 · Verify against the repo before relying on details.