Merge pull request #176 from AikidoSec/min-package-age-configuration

Sander Declerck 2025-11-26 17:24:25 +01:00 committed by GitHub
commit a57c37b58d
No known key found for this signature in database
GPG key ID: B5690EEEBB952194
8 changed files with 429 additions and 3 deletions


@ -76,7 +76,7 @@ The Aikido Safe Chain works by running a lightweight proxy server that intercept
### Minimum package age (npm only)
For npm packages, Safe Chain temporarily suppresses packages published within the last 24 hours until they have been validated against malware. This provides an additional security layer during the critical period when newly published packages are most vulnerable to containing undetected threats. You can bypass this protection for specific installs using the `--safe-chain-skip-minimum-package-age` flag.
For npm packages, Safe Chain temporarily suppresses packages published within the last 24 hours (by default) until they have been validated against malware. This provides an additional security layer during the critical period when newly published packages are most vulnerable to containing undetected threats. You can configure this threshold or bypass this protection entirely - see the [Minimum Package Age Configuration](#minimum-package-age) section below.
⚠️ This feature **only applies to npm-based package managers** (npm, npx, yarn, pnpm, pnpx, bun, bunx) and does not apply to Python package managers (uv, pip, pip3).
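Review bot: the rewritten paragraph drops the only mention of `--safe-chain-skip-minimum-package-age` and instead promises that the linked section explains how to "bypass this protection entirely", but the new "Minimum Package Age" section added in this same change only documents the hours threshold (CLI argument, environment variable, config file) and never names the skip flag. Either keep the sentence "You can bypass this protection for specific installs using the `--safe-chain-skip-minimum-package-age` flag." here, or add the flag to the new section so the cross-reference delivers what it promises; as written, a reader following the link cannot find the bypass. Minor: the ` - see the ... section below` dash would read better as a comma or full stop.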
@ -128,6 +128,35 @@ You can control the output from Aikido Safe Chain using the `--safe-chain-loggin
npm install express --safe-chain-logging=verbose
```
## Minimum Package Age
You can configure how long packages must exist before Safe Chain allows their installation. By default, packages must be at least 24 hours old before they can be installed through npm-based package managers.
### Configuration Options
You can set the minimum package age through multiple sources (in order of priority):
1. **CLI Argument** (highest priority):
```shell
npm install express --safe-chain-minimum-package-age-hours=48
```
2. **Environment Variable**:
```shell
export SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS=48
npm install express
```
3. **Config File** (`~/.aikido/config.json`):
```json
{
"minimumPackageAgeHours": 48
}
```
# Usage in CI/CD
You can protect your CI/CD pipelines from malicious packages by integrating Aikido Safe Chain into your build process. This ensures that any packages installed during your automated builds are checked for malware before installation.
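Review bot: the new section states the three sources and their precedence, but says nothing about accepted values or error handling: whether `0` disables the check, whether fractional or negative values are rejected, and what Safe Chain does when `SAFE_CHAIN_MINIMUM_PACKAGE_AGE_HOURS` is not a number (fall back to 24, or fail the install). Since lowering this threshold directly shrinks the window in which a freshly published malicious package is held back, the docs should spell out the valid range and the fallback behaviour, and a one-line caution that values below the default reduce protection would help users who copy the `48` example and then tune it downward. It would also be worth stating explicitly that the config-file key is `minimumPackageAgeHours` and is read from `~/.aikido/config.json` only when neither the CLI argument nor the environment variable is set, which is what "in order of priority" implies but does not say.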