whatisgithub

What is chain?

zigamedved/chain — explained in plain English

Analysis updated 2026-05-18

2GoAudience · ops devopsComplexity · 2/5LicenseSetup · easy

In one sentence

A command line tool that scans your project's dependencies for known vulnerabilities, risky install scripts, missing lockfiles, and typosquatted package names before you run them.

Mindmap

mindmap
  root((repo))
    What it does
      Scan dependency risk
      Multi-project dashboard
      CI security gate
    Tech Stack
      Go
      CLI
      OSV.dev
    Use Cases
      Check CVEs before install
      Flag risky install scripts
      Detect typosquatting
    Audience
      Developers
      Ops and DevOps
    Checks
      Lifecycle scripts
      Missing lockfiles
      Known vulnerabilities

Code map

Detail Auto

An interactive map of this repo's files and how they connect — its source is parsed live in your browser. Click Visualize to build it.

filefunction / class

What do people build with it?

USE CASE 1

Check a project's dependencies for known CVEs before installing them.

USE CASE 2

Spot npm packages that run suspicious scripts automatically during install.

USE CASE 3

Add a dependency risk gate to a CI pipeline that fails builds on high severity findings.

USE CASE 4

Detect typosquatted package names before they get installed by mistake.

What is it built with?

GoCLIOSV.dev

How does it compare?

zigamedved/chainanomalroil/1keydanterolle/loqi
Stars222
LanguageGoGoGo
Last pushed2019-05-17
MaintenanceDormant
Setup difficultyeasymoderatemoderate
Complexity2/53/52/5
Audienceops devopsops devopsdeveloper

Figures from each repo's GitHub metadata at analysis time.

How do you get it running?

Difficulty · easy Time to first run · 5min

Install via Homebrew or go install, then chain init walks through picking which project folders to scan.

MIT licensed, free to use, modify, and include in commercial projects as long as the copyright notice stays intact.

So what is it?

chain is a command line tool that checks how risky your project's dependencies are before and after you install them. It looks across all your projects at once and gives a quick dashboard showing how many packages each one uses, whether a lockfile exists, and whether anything looks suspicious. It focuses on four kinds of risk. First, lifecycle scripts, which are pieces of code that packages can run automatically during install, something that could be used to run malicious code on your machine without you noticing. Second, known security vulnerabilities, checked against the public OSV.dev database, covering npm, Go modules, and Python's PyPI. Third, missing lockfiles, since without one an install can quietly pull in different package versions than the ones that were actually tested. Fourth, typosquatting, where a package name is suspiciously close to a popular one, a common trick attackers use to trick people into installing the wrong package. The tool works through a few simple commands. Running chain alone shows the dashboard across every project it knows about. Chain preview looks closely at one project, listing lifecycle scripts and vulnerabilities before you even run npm install. Chain audit is meant for continuous integration pipelines, exiting with an error code if it finds anything above a chosen severity level, so a bad dependency can block a build automatically. Chain init walks a user through picking which project folders to scan the first time they set it up. For each type of problem it finds, the readme also explains what to actually do about it, like upgrading a package, pinning a safe version with an override, committing a lockfile, or removing a package that turns out to be a typosquat. It installs through Homebrew or by building from source with Go, requires no account or API key for its vulnerability checks, and can run fully offline if needed. It is released under the MIT license.

Copy-paste prompts

Prompt 1
Help me install chain and run it against all my project directories.
Prompt 2
Show me how to add chain audit as a security gate in my GitHub Actions workflow.
Prompt 3
Explain what a HIGH severity signal in chain's dashboard means and how to fix it.
Prompt 4
Walk me through remediating a postinstall lifecycle script flagged by chain.

Frequently asked questions

What is chain?

A command line tool that scans your project's dependencies for known vulnerabilities, risky install scripts, missing lockfiles, and typosquatted package names before you run them.

What language is chain written in?

Mainly Go. The stack also includes Go, CLI, OSV.dev.

What license does chain use?

MIT licensed, free to use, modify, and include in commercial projects as long as the copyright notice stays intact.

How hard is chain to set up?

Setup difficulty is rated easy, with roughly 5min to a first successful run.

Who is chain for?

Mainly ops devops.

Open on GitHub → Ask about another repo

This repo across BitVibe Labs

Verify against the repo before relying on details.