Lightweight Security for Your Software Supply Chain
Developer-friendly tools that secure dependencies and code without slowing you down
Simple, Powerful Security Tools
Lightweight solutions that integrate seamlessly into your development workflow
Dependency Security
- Real-time package vulnerability scanning
- Supply chain attack prevention
Code Security
- Lightweight static analysis
- Real-time vulnerability feedback
- Pluggable security rules
Seamless Integration
- Zero-friction setup and configuration
- CI/CD pipeline integration
- Developer workflow compatibility
- Minimal performance overhead
Developer Experience
- Intuitive command-line tools
- Comprehensive documentation
- Active community support
How a Package Firewall Works
A transparent proxy between your package manager and public registries that inspects every install in real time
Every pip install, npm install, and go get command passes through the Hextrap firewall before reaching the public registry. The firewall inspects the package name, version, author metadata, and package contents against your security policies. Blocked packages never reach your machine. Allowed packages are proxied transparently with no additional latency for cached results.
Setup Your Package Manager
Change a single configuration line. No SDK, no wrapper, no code changes. Works with all popular Python, Node, and Go package managers. Your existing lockfiles, constraints, and version specifiers all work exactly as before — the only difference is where the packages come from.
pip config set global.index-url \
https://$HEXTRAP_USER:$HEXTRAP_PASS@pypi.hextrap.com/simple/# .npmrc
registry=https://npm.hextrap.com/
//npm.hextrap.com/:_auth=BASE64_TOKENexport GOPROXY=https://$HEXTRAP_USER:$HEXTRAP_PASS@go.hextrap.comYour Team's Custom Firewall
Every team creates their own firewall with its own rules. Each firewall has independent allow lists, deny lists, soak time windows, and threat detection settings — so your frontend team, backend team, and CI/CD pipeline can each enforce the policies that make sense for them.
When a package is requested, it's evaluated against that specific firewall's configuration and checked against real-time threat intelligence built from seven independent analyzers that continuously monitor PyPI, npm, and the Go module index.
See all 7 threat signals →Blocked or Allowed in Milliseconds
The firewall evaluates your security policies in strict order: allow list match, deny list match, threat detection signals, soak time window, and unmaintained package status. A package must pass every layer to reach your machine.
Decisions are cached so repeat installs across your team have zero overhead. When a package is blocked, the developer sees a clear error message explaining exactly why — no ambiguous failures, no silent drops.
Learn about security policies →Exceptions When You Need Them
When a legitimate package gets flagged by automated detection, create an exception to override the block for your firewall. The package is immediately unblocked — no support tickets, no waiting. Exceptions are scoped to individual firewalls, so one team's override doesn't change another team's security posture.
Every exception is logged in the activity feed with who created it and when, giving security teams full audit visibility while developers keep moving.
Multi-Signal Threat Detection
Seven automated analyzers inspect every new package published to PyPI, npm, and the Go module index
Typosquat Detection
Fuzzy string matching against 500K+ PyPI, 2M+ npm, and 1M+ Go packages. Names exceeding 90% similarity are flagged automatically.
requ3sts → 95% match to requests
Dependency Confusion
Detects internal-looking package names on public registries with -internal, -private suffixes and suspiciously high version numbers.
company-utils-internal v999.0.0
Version Anomaly
Flags new packages with unusually high first versions. A package appearing at v100.0.0 with no history signals version manipulation.
v100.0.0 — no prior versions
Code Obfuscation
Scans source files for base64 payloads, eval() with decode chains, hex strings, and chr() concatenation designed to hide malicious code.
exec(base64.b64decode("aW1wb3J0..."))
Install Hook Analysis
Inspects npm preinstall/postinstall scripts and Python setup.py for dangerous operations like shell commands and network access.
"preinstall": "node -e require('child_process')..."
Star-Jacking
Identifies packages claiming popular GitHub repos they don't own. Flags repos with 5,000+ stars where the package name doesn't match.
fast-utils links to facebook/react
Coordinated Burst
Flags when 5+ packages appear from the same author within 30 minutes. Mass publishing is a hallmark of automated supply chain attacks.
Secure Your First Install in 60 Seconds
Drop-in configuration for pip, npm, yarn, bun, and Go — no code changes required
# Option 1: pip config (persistent)
pip config set global.index-url \
https://$HEXTRAP_USER:$HEXTRAP_PASS@pypi.hextrap.com/simple/
# Option 2: Environment variable
export PIP_INDEX_URL=https://$HEXTRAP_USER:$HEXTRAP_PASS@pypi.hextrap.com/simple/
# Option 3: uv (fast Python installer)
export UV_INDEX_URL=https://$HEXTRAP_USER:$HEXTRAP_PASS@pypi.hextrap.com/simple/Works with pip, Poetry, Pipenv, and uv. All tools respect PIP_INDEX_URL.
# .npmrc (project root or ~/.npmrc)
registry=https://npm.hextrap.com/
//npm.hextrap.com/:_auth=BASE64_TOKENApplies to npm install, npx, and npm ci. Scoped registries also supported.
# Yarn 2+ (Berry) - .yarnrc.yml
npmRegistryServer: "https://npm.hextrap.com/"
npmAuthToken: "BASE64_TOKEN"
# Yarn 1 (Classic) - .npmrc
registry=https://npm.hextrap.com/
//npm.hextrap.com/:_auth=BASE64_TOKENYarn Berry uses .yarnrc.yml. Classic Yarn reads .npmrc like npm.
# bunfig.toml
[install]
registry = "https://USERNAME:PASSWORD@npm.hextrap.com/"Bun reads bunfig.toml from the project root or ~/.bunfig.toml globally.
# Environment variable
export GOPROXY=https://$HEXTRAP_USER:$HEXTRAP_PASS@go.hextrap.com
# Or add to your shell profile
echo 'export GOPROXY=https://TOKEN@go.hextrap.com' >> ~/.bashrcGo modules use GOPROXY. Works with go get, go build, and go mod tidy.
CI/CD Integration
Use environment variables or repository secrets to protect your pipeline:
# GitHub Actions
env:
PIP_INDEX_URL: https://$:$@pypi.hextrap.com/simple/
NPM_CONFIG_REGISTRY: https://npm.hextrap.com/
GOPROXY: https://$@go.hextrap.comManage Your Firewall with AI
Connect Claude, ChatGPT, or any MCP-compatible assistant to check packages, manage allow lists, and bootstrap firewalls from your existing dependency files
Bootstrap From Your Dependency Files
Hand your AI assistant a requirements.txt, package-lock.json, or go.sum and ask it to build an allow list. It reads the file, extracts every dependency, checks each one against your firewall, and adds the approved packages — turning hours of manual curation into a single prompt.
Check Before You Install
When your AI assistant suggests a package, it checks Hextrap first. Is it on your allow list? Is it a known typosquat? Does it have suspicious signals? You get a clear answer before the package ever touches your codebase.
Full Firewall Management
Add and remove packages from allow lists and deny lists, view installation activity, rotate credentials, and create service tokens — all through natural language. Ten MCP tools give your assistant complete control over your firewall configuration.
Check if requests is safe to install on my firewall, then add it to the allow list.
I'll check requests against your firewall and add it if it's safe.
requests — Allowed, no threats detected
requests added to allow list
requests is safe — no typosquat signals, no advisories. I've added it to your allow list.
Defense in Depth for Every Package
Layer multiple security policies to match your organization's risk tolerance
Allow List / Deny List
Control exactly which packages your team can install. Import from requirements.txt or package.json to bootstrap your allow list. Use deny lists to block deprecated libraries or packages that fail your internal security review. Supports version constraints and wildcard matching.
Soak Time
Delay newly published package versions for 1 to 30 days before allowing installation. This gives the security community time to discover and report malicious versions before they reach your codebase.
Unmaintained Package Blocking
Automatically block packages that have not been updated in a configurable period. Abandoned packages accumulate unpatched vulnerabilities and are targets for maintainer account takeover attacks — one of the fastest-growing vectors in supply chain compromise.
Protect Your Package Ecosystems
Comprehensive security coverage for the package managers you depend on
PyPI
Python Package Index
npm
Node Package Manager
Go Modules
Go Package Registry
Typosquat Detection
AI-powered detection of malicious package name variants
Allow & Deny Lists
Fine-grained control over which packages can be installed
Soak Time Protection
Block newly published packages until they're vetted
Unmaintained Blocking
Identify and block packages with no recent updates
Ready to Secure Your Supply Chain?
Join development teams building secure software with lightweight, integrated tools