Allow to configure the minimum package age

Sander Declerck 2025-11-26 16:42:51 +01:00
parent 5c3c3399d9
commit 13892efa70
No known key found for this signature in database
8 changed files with 449 additions and 3 deletions


@ -75,7 +75,7 @@ The Aikido Safe Chain works by running a lightweight proxy server that intercept
### Minimum package age (npm only)
For npm packages, Safe Chain temporarily suppresses packages published within the last 24 hours until they have been validated against malware. This provides an additional security layer during the critical period when newly published packages are most vulnerable to containing undetected threats. You can bypass this protection for specific installs using the `--safe-chain-skip-minimum-package-age` flag.
For npm packages, Safe Chain temporarily suppresses packages published within the last 24 hours (by default) until they have been validated against malware. This provides an additional security layer during the critical period when newly published packages are most vulnerable to containing undetected threats. You can configure this threshold or bypass this protection entirely - see the [Minimum Package Age Configuration](#minimum-package-age) section below.
⚠️ This feature **only applies to npm-based package managers** (npm, npx, yarn, pnpm, pnpx, bun, bunx) and does not apply to Python package managers (uv, pip, pip3).
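Review bot: the replacement sentence still says packages are suppressed "until they have been validated against malware", while the new Minimum Package Age section this line links to describes the rule purely as an age threshold ("packages must be at least 24 hours old before they can be installed"); the two should agree on whether a package can be released before the configured hours elapse, or the "until they have been validated" clause should be dropped here. Minor: the link text "Minimum Package Age Configuration" does not match the heading "Minimum Package Age" it points to; using the heading's own title avoids a dangling-looking reference if the anchor ever changes.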
@ -127,6 +127,55 @@ You can control the output from Aikido Safe Chain using the `--safe-chain-loggin
npm install express --safe-chain-logging=verbose
```
## Minimum Package Age
You can configure how long packages must exist before Safe Chain allows their installation. By default, packages must be at least 24 hours old before they can be installed through npm-based package managers.
### Configuration Options
You can set the minimum package age through multiple sources (in order of priority):
1. **CLI Argument** (highest priority):
```shell
npm install express --safe-chain-minimum-package-age-hours=48
```
2. **Environment Variable**:
```shell
export AIKIDO_MINIMUM_PACKAGE_AGE_HOURS=48
npm install express
```
3. **Config File** (`~/.aikido/config.json`):
```json
{
"minimumPackageAgeHours": 48
}
```
### Examples
- **Set to 48 hours for extra caution:**
```shell
npm install express --safe-chain-minimum-package-age-hours=48
```
- **Set to 1 hour for faster access to new packages:**
```shell
npm install express --safe-chain-minimum-package-age-hours=1
```
- **Completely bypass the age check for a specific install:**
```shell
npm install express --safe-chain-skip-minimum-package-age
```
# Usage in CI/CD
You can protect your CI/CD pipelines from malicious packages by integrating Aikido Safe Chain into your build process. This ensures that any packages installed during your automated builds are checked for malware before installation.
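Review bot: the Configuration Options list gives no validation rules for the value. It should state the accepted range (non-negative integer hours? decimals?), whether `--safe-chain-minimum-package-age-hours=0` is allowed and whether it is equivalent to `--safe-chain-skip-minimum-package-age`, and what Safe Chain does when `AIKIDO_MINIMUM_PACKAGE_AGE_HOURS` or `minimumPackageAgeHours` is unparsable (fall back to the 24-hour default, or refuse the install). Since the same value can come from three sources, one sentence confirming that a CLI value overrides an env value which overrides the config file, even when the higher-priority value is smaller, would remove ambiguity about "priority". In the "Set to 1 hour" example, consider adding that lowering the threshold shortens the window in which a freshly published malicious version is likely to be detected and removed, so the trade-off is explicit to readers copying the command.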