Every npm package.
Scanned. Verified. Secured.
ZapaGuard intercepts your npm installs at the edge, strips auth tokens before they ever touch a log, and scans package tarballs with ClamAV, OSV, and Trivy before delivery.
// how_it_works_
Intercept
Your npm-compatible client hits the ZapaGuard edge worker. Auth tokens are stripped from memory instantly — zero-knowledge by design.
Verify
The Cloudflare D1 verdict store is queried for a scan verdict. Clean package? The edge immediately redirects the npm client to the trusted tarball path.
Scan
Unknown package versions are queued for local scanning. ClamAV, OSV, and Trivy checks run on private infrastructure to produce the verdict.
Deliver
Green npm packages are served. Red packages are blocked. Every decision is logged with a full audit trail in D1.
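The four steps above as an added JavaScript example (not ZapaGuard's own code): a minimal verdict-first tarball handler that strips credential headers before anything is logged, looks up a verdict, queues unknown versions, and returns a retryable response while the scan is pending. Assumptions: an in-memory Map stands in for the D1 verdict table, an array for the scan queue, TRUSTED_BASE is a constructed placeholder for the trusted tarball path, and 503 plus Retry-After is used as the retryable response.

```javascript
// Added example (not ZapaGuard's code). The Map, queue and log array are stand-ins
// for D1 and Queues; TRUSTED_BASE is a constructed placeholder, not a real host.
const TRUSTED_BASE = "https://trusted.example.invalid/tarballs";
const CREDENTIAL_HEADERS = new Set(["authorization", "cookie"]);

// Step 1 (Intercept): drop credential-bearing headers before routing or logging.
function stripAuth(headers) {
  const clean = {};
  for (const [name, value] of Object.entries(headers)) {
    if (!CREDENTIAL_HEADERS.has(name.toLowerCase())) clean[name] = value;
  }
  return clean;
}

// Parse "/@babel%2fcore/-/core-7.24.0.tgz" or "/lodash/-/lodash-4.17.21.tgz".
// The encoded name is kept verbatim so "%2f" survives into the redirect target.
function parseTarballPath(pathname) {
  const sep = pathname.indexOf("/-/");
  if (sep < 1) return null;
  const encodedName = pathname.slice(1, sep);
  const file = /^(.+)-(\d[^/]*)\.tgz$/.exec(pathname.slice(sep + 3));
  let name;
  try { name = decodeURIComponent(encodedName); } catch { return null; }
  if (!file || !/^(@[a-z0-9][\w.-]*\/)?[a-z0-9][\w.-]*$/.test(name)) return null;
  return { encodedName, name, file: file[0], version: file[2] };
}

// Steps 2-4 (Verify, Scan, Deliver). `store` is
// { verdicts: Map<"name@version", "green"|"red">, queue: [], log: [] }.
function handleTarballRequest(req, store) {
  const headers = stripAuth(req.headers);             // nothing below sees the token
  const pkg = parseTarballPath(req.pathname);
  if (!pkg) return { status: 400, headers: {}, body: "bad tarball path" };
  const key = `${pkg.name}@${pkg.version}`;
  const verdict = store.verdicts.get(key) ?? "pending";
  store.log.push({ package: key, verdict, headerNames: Object.keys(headers) });
  if (verdict === "green") {
    const location = `${TRUSTED_BASE}/${pkg.encodedName}/-/${pkg.file}`;
    return { status: 302, headers: { location }, body: "" };
  }
  if (verdict === "red") return { status: 403, headers: {}, body: `blocked: ${key}` };
  // Unknown version: enqueue once, then answer with a retryable response
  // (assumption: 503 + Retry-After, which npm's fetch layer retries by default).
  if (!store.queue.includes(key)) store.queue.push(key);
  return { status: 503, headers: { "retry-after": "30" }, body: "scan pending" };
}
```

The audit log entry carries only the package key, the verdict and the names of the surviving headers, so a leaked log never contains a token.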
// features_
Zero-Knowledge Token Strip
Auth headers are deleted from memory before any routing or logging occurs. Your credentials never leave your machine.
Cloudflare Edge
Runs entirely on Cloudflare Workers, D1, R2, and Queues. No servers to manage, globally distributed by default.
Local Scanner Pipeline
Package tarballs are scanned on private infrastructure with ClamAV, OSV advisory matching, and Trivy analysis.
Scoped Package Support
Full support for scoped packages like @babel/core with correct %2f URL encoding preserved end-to-end.
Verdict-First Delivery
Verified packages are served straight from the edge path. Pending scans return retryable responses until the verdict is ready, so the client keeps retrying instead of receiving an unscanned tarball.
Open Source
Don't trust my private infra? No worries — clone the repo, run it on your own, and you're good to go. Full source, no black boxes, no strings attached.
OSV Database Matching
OSV advisory matching checks npm package versions against vulnerability data before trusted delivery.
Trivy Scanner
Trivy adds deeper package analysis alongside ClamAV malware detection and OSV-backed vulnerability checks.
ClamAV Malware Engine
Every npm package tarball is run through ClamAV's signature engine to catch trojans, backdoors, and embedded malware before they reach your build.
Ready to secure your npm supply chain?
Open source, self-hostable, and built for teams that take npm package security seriously.