mirror of https://github.com/AikidoSec/safe-chain.git synced 2026-05-26 12:10:49 +00:00

Protect against malicious code installed via npm, yarn, pnpm, npx, pnpx, pip, uv and poetry with Aikido Safe Chain. Free to use, no tokens required. https://www.aikido.dev

Find a file

Sander Declerck a6fccb2e70 Modify build artifacts: 2 separate tarballs		2025-09-08 10:28:56 +02:00
.github	Modify build artifacts: 2 separate tarballs	2025-09-08 10:28:56 +02:00
docs	Update documentation to reflext pnpm/pnpx has been added	2025-07-17 10:26:45 +02:00
packages	Cleanup setup.js and teardown.js	2025-09-08 10:19:16 +02:00
test/e2e	Add e2e tests to workspace	2025-09-05 11:33:08 +02:00
.editorconfig	Add editorconfig + github workflows	2025-07-11 17:20:39 +02:00
.gitignore	Move safe-chain package to packages/safe-chain	2025-09-05 11:19:37 +02:00
.npmignore	Undo move of files to safe-chain	2025-08-05 13:35:40 +02:00
eslint.config.js	Move safe-chain package to packages/safe-chain	2025-09-05 11:19:37 +02:00
LICENSE	Initial commit	2025-07-11 17:14:52 +02:00
package-lock.json	Implement basic bun security scanner for safe chain	2025-09-05 14:19:02 +02:00
package.json	Implement basic bun security scanner for safe chain	2025-09-05 14:19:02 +02:00
README.md	Use safe-chain-test in the docs instead of eslint-js	2025-07-22 09:49:03 +02:00

README.md

Aikido Safe Chain

The Aikido Safe Chain prevents developers from installing malware on their workstations through npm, npx, yarn, pnpm and pnpx.

The Aikido Safe Chain wraps around the npm cli, npx, yarn, pnpm, and pnpx to provide extra checks before installing new packages. This tool will detect when a package contains malware and prompt you to exit, preventing npm, npx, yarn, pnpm or pnpx from downloading or running the malware.

Aikido Safe Chain works on Node.js version 18 and above and supports the following package managers:

✅ npm
✅ npx
✅ yarn
✅ pnpm
✅ pnpx
🚧 bun Coming soon

Usage

Installation

Installing the Aikido Safe Chain is easy. You just need 3 simple steps:

Install the Aikido Safe Chain package globally using npm:
```
npm install -g @aikidosec/safe-chain
```
Setup the shell integration by running:
```
safe-chain setup
```
❗Restart your terminal to start using the Aikido Safe Chain.
- This step is crucial as it ensures that the shell aliases for npm, npx, yarn, pnpm and pnpx are loaded correctly. If you do not restart your terminal, the aliases will not be available.
Verify the installation by running:
```
npm install safe-chain-test
```
- The output should show that Aikido Safe Chain is blocking the installation of this package as it is flagged as malware.

When running npm, npx, yarn, pnpm or pnpx commands, the Aikido Safe Chain will automatically check for malware in the packages you are trying to install. If any malware is detected, it will prompt you to exit the command.

How it works

The Aikido Safe Chain works by intercepting the npm, npx, yarn, pnpm and pnpx commands and verifying the packages against Aikido Intel - Open Sources Threat Intelligence.

The Aikido Safe Chain integrates with your shell to provide a seamless experience when using npm, npx, yarn, pnpm and pnpx commands. It sets up aliases for these commands so that they are wrapped by the Aikido Safe Chain commands, which perform malware checks before executing the original commands. We currently support:

✅ Bash
✅ Zsh
✅ Fish
✅ PowerShell
✅ PowerShell Core

More information about the shell integration can be found in the shell integration documentation.

Uninstallation

To uninstall the Aikido Safe Chain, you can run the following command:

Remove all aliases from your shell by running:
```
safe-chain teardown
```
Uninstall the Aikido Safe Chain package using npm:
```
npm uninstall -g @aikidosec/safe-chain
```
❗Restart your terminal to remove the aliases.

Usage in CI/CD

🚧 Support for CI/CD environments is coming soon...