Dependency Guardian Docs

Dependency Guardian scans npm and PyPI dependencies for malicious behavior before they reach your build. It checks packages from the registry, not your source code — your source never leaves your machine, only package identifiers like names, versions, and artifact hashes. See Telemetry for exactly what's sent.

GitHub App

Scans run automatically on every pull request and a status check is published. Free account required (signup at westbayberry.com) — links the installation to your dashboard.

Set up merge protection (recommended)

To block merges, require the Dependency Guardian check in a GitHub Ruleset.

  1. Go to repo Settings
  2. Open Rules → Rulesets
  3. Create a branch ruleset for your default branch
  4. Enable "Require status checks to pass"
  5. Select "Dependency Guardian"

See the merge protection guide for the full GitHub checklist.

CLI

Use the CLI for local scans or non-GitHub CI systems. Install is zero-footprint: it adds only the dg binary.

npm install -g @westbayberry/dg

First scan

dg scan audits the current project's dependencies on demand — read-only, installs nothing. It reads every npm and Python lockfile it finds (package-lock.json, yarn.lock, pnpm-lock.yaml, requirements*.txt, poetry.lock, and more), including nested projects in a monorepo.

dg scan

For per-install protection, prefix your usual commands — dg npm install lodash, dg pip install requests — or run dg setup --yes to install reversible user-local shims for bare commands.
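As an added illustration of what a lockfile-only scan works from (example code, not part of the dg CLI), the following pulls just the package identifiers out of a package-lock.json and a requirements.txt: names, versions and artifact hashes, never source. The sample inputs are constructed, and the tuple layout and scan_request shape are assumptions, not the real telemetry format.

```python
import json
import re

# Constructed sample inputs (not lockfiles from any real project).
PACKAGE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "1.0.0"},
        "node_modules/lodash": {"version": "4.17.21", "integrity": "sha512-EXAMPLE1"},
        "node_modules/left-pad": {"version": "1.3.0", "integrity": "sha512-EXAMPLE2"},
    },
})
REQUIREMENTS = """\
# constructed requirements.txt
requests==2.31.0 \\
    --hash=sha256:EXAMPLE3
flask>=2.0  # unpinned: no single artifact to identify
"""

def identifiers_from_package_lock(text):
    """(ecosystem, name, version, hash) for each dependency in a v2/v3 package-lock."""
    data = json.loads(text)
    found = []
    for path, meta in data.get("packages", {}).items():
        if path == "":  # the root project itself, not a dependency
            continue
        name = path.rsplit("node_modules/", 1)[-1]  # handles nested node_modules paths
        found.append(("npm", name, meta["version"], meta.get("integrity")))
    return found

PIN_RE = re.compile(r"^([A-Za-z0-9_.\-]+)==([^\s\\#]+)")

def identifiers_from_requirements(text):
    """Same tuples for exactly pinned PyPI requirements; ranges and comments are skipped."""
    found = []
    for raw in text.replace("\\\n", " ").splitlines():  # join backslash continuations
        line = raw.split("#", 1)[0].strip()
        m = PIN_RE.match(line)
        if not m:
            continue
        h = re.search(r"--hash=(\S+)", line)
        found.append(("pypi", m.group(1), m.group(2), h.group(1) if h else None))
    return found

def scan_request(package_lock_text, requirements_text):
    """Everything a lockfile-only scan has to send: identifiers, no source code."""
    return {"packages": identifiers_from_package_lock(package_lock_text)
                        + identifiers_from_requirements(requirements_text)}

if __name__ == "__main__":
    print(json.dumps(scan_request(PACKAGE_LOCK, REQUIREMENTS), indent=2))
```

Unpinned requirements such as flask>=2.0 yield no identifier at all, which is one reason a scanner prefers a resolved lockfile over a loose requirements file.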

dg login (optional)

Sign-in is OPTIONAL. Scanning works without it — the free tier (50,000 packages/mo) runs anonymously, keyed on a persistent device ID. dg login links this machine to your account for Dashboard access and the GitHub App integration. For CI, set DG_API_KEY or run dg login --token dg_live_... once.

CI

In any CI system, run dg scan as a step: it exits non-zero when a block-level package is found, failing the job. Authenticate with DG_API_KEY. See Integrations → CLI in CI for a ready-made GitHub Actions workflow. On GitHub, the GitHub App above is the simpler path — it posts a required PR status check automatically.

That's the setup path. Every command — dg verify, dg audit, dg licenses, dg doctor, and the rest — with every flag and exit code, lives in the CLI Reference.

What Dependency Guardian scans

Dependency Guardian looks for suspicious package behavior, including:

  • install scripts that execute code
  • credential and token access
  • network exfiltration
  • obfuscated payloads
  • typosquats and dependency confusion
  • sudden behavior changes between versions

FAQ

Is my source code uploaded?

For dependency scanning, no — Dependency Guardian only needs package names and versions, and analyzes published package artifacts from the registry. The one exception is the optional pre-publish deep audit (dg audit): if you opt in, it uploads a copy of your own package to the scanner for a behavioral check. Raw uploads are never retained — only the verdict and redacted findings are kept — and an org admin can disable uploads entirely.

What ecosystems are supported?

npm and PyPI.

Does it work outside GitHub?

Yes. Use the CLI in any CI system.

What happens if a package is flagged incorrectly?

Review the finding, pin to a known good version, or use the terminal override / git commit --no-verify while you investigate.