Layer 1 — Gate
A local proxy scores every package on more than 20 supply-chain signals before it downloads. Below the threshold and the install is refused — the package never reaches your disk.
Capabilities
Three layers. One install path.
Every package manager.
Veln intercepts your installs — npm, pip, cargo, go, mvn, and more — at three independent points: pre-download, post-resolution, and post-install. Each layer alone catches a different class of attack. All three together cover the way every major supply-chain incident from the last five years actually played out.
20+ trust signals
scored at the gate before any byte downloads
14 package managers
npm · yarn · pnpm · bun · pip · pip3 · uv · pipx · go · bundle · cargo · dotnet · mvn · gradle
3 OS sandboxes
Linux · macOS · Windows — same protection, OS-native
Three layers, three independent checks
Each layer runs on its own. If one misses, the next catches it.
Layer 2 — Integrity
A signed local fingerprint database catches packages that silently change bytes, swap maintainers, or rearrange files between versions. Rows are Ed25519-signed; tampering with the on-disk store is detected at startup.
Layer 3 — Sandbox
Every install command runs in OS-native isolation. Postinstall scripts can’t write outside the project folder or reach the network — your OS enforces it, not a config file.
Layer 1 — Gate
The proxy scores every package on more than 20 signals across six categories before it downloads. A low score refuses the install — your package manager reports a clean refusal, the package never lands on disk.
Known vulnerabilities
Cross-reference every package against the OSV vulnerability database and check npm publish attestations.
Install scripts
Detect risky postinstall scripts that download payloads, exfiltrate data, fire on a schedule, or hide intent with unicode tricks.
Version-to-version changes
Flag a package that goes quiet for months then suddenly publishes. Catch new maintainers, license flips, and file-layout rewrites between releases.
Suspicious source code
Spot obfuscated payloads, runtime-decoded execution, and code gated to run only in specific build or production environments — the classic “benign on dev, malicious in production” pattern.
Hidden binaries
Inspect any native executable shipped inside a package and flag the ones that try to make outbound network calls.
Authenticity
Catch typosquats of popular packages and dependency-confusion attacks against your protected internal scopes.
Capability & permission creep
Inventory what a package can do — network, filesystem, shell, environment, dynamic code — and flag a version that gains a capability earlier releases never had.
Telemetry & data exfil
Catch phone-home telemetry, secrets shipped inside the package, and payloads that only fire for specific regions — the “quiet exfil” class of attack.
Layer 2 — Integrity
Every package you install is fingerprinted three ways and stored in a signed local database. Rows are Ed25519-signed at write time so tampering with the on-disk store is detected at startup. If the same version ever silently changes bytes, swaps maintainers, or rearranges its files — the next install catches it.
Byte integrity
Same package version with different bytes? Install blocked. Catches registry tampering and binary swaps.
Structural drift
Maintainer changed between versions, or the file layout rearranged itself? Surfaces immediately on the next install.
Cooling windows
Refuse to install versions younger than your configured age threshold. Filters out brand-new releases that haven’t been vetted yet.
Layer 3 — OS sandbox
Run veln wrapper on once. Every package-manager invocation routes through an OS-level sandbox that contains postinstall scripts at the kernel layer — not at the npm-config layer.
Linux · modern Linux
Filesystem. Writes outside the project folder and its caches are blocked by the kernel — postinstall scripts can’t touch your home directory or system files.
Network. On recent kernels, network access is restricted to the local Veln gate. Everything else is refused.
macOS · macOS 12+
Filesystem. Built on Apple’s sandbox framework — the same isolation Chrome and Safari use for their own helper processes.
Network. Outbound network is denied except to the local Veln gate.
Windows · Windows 10 / 11
Filesystem. Install scripts run inside a Job Object with a restricted access token (Integrity Level Low), a capped active-process count, per-process memory limit, and UI restrictions that block clipboard read/write, system-parameter changes, exit-windows, and display-settings access. During the run, a short-lived deny ACE is layered onto your credential stores (~/.aws, ~/.ssh, ~/.config/gh, ~/.npmrc, ~/.netrc, ~/.docker, ~/.kube, ~/.azure, ~/.gnupg) so a postinstall can't exfiltrate them — the ACE is removed when the sandbox exits.
Network. Install-script outbound traffic is routed through the local Veln gate via env-proxy override. Full network-namespace isolation (AppContainer) is on the roadmap; today, proxy-aware tools route through the gate and raw-socket traffic to non-loopback hosts is not blocked at the sandbox layer.
Beyond blocking — policy & workflow
The three layers stop bad packages. These turn that into a program you can govern: a bill of materials, rules you own, a way to acknowledge what you've reviewed, and the focus to act on what your code actually reaches.
SBOM export
Emit a CycloneDX or SPDX software bill of materials for any project — standalone (veln sbom) or embedded in a verify run.
Policy-as-code
Author your own allow / warn / block rules in veln.toml. They apply in veln verify AND at the gate, so a rule you write is enforced at install time too.
Suppressions & VEX
Acknowledge a reviewed finding with veln allow — whole-package or per-CVE, with a reason and optional expiry. OpenVEX-compatible, so it interoperates with Trivy / Grype.
Reachability
With -reach, downgrade a finding when no project source imports the package, or — for ecosystems with symbol data — when your code never calls the vulnerable function.
Triage commands
explain shows why a package is in your tree, fix proposes the lowest safe version bump, and diff compares two verify snapshots for added packages, score deltas, and decision flips.
Output & console
Every command emits machine-readable JSON with meaningful exit codes for your own scripts, and a local console keeps the full per-package finding history for your org.
Every package manager, one install
veln wrapper on wraps all fourteen binaries. Your existing commands transparently route through the gate and the sandbox.
JavaScript
- Managers
- npm · yarn · pnpm · bun
- Interception
NPM_CONFIG_REGISTRY- Lockfiles
- package-lock.json · npm-shrinkwrap.json · yarn.lock · pnpm-lock.yaml
Python
- Managers
- pip · pip3 · uv · pipx
- Interception
PIP_INDEX_URL · UV_INDEX_URL- Lockfiles
- requirements.txt · poetry.lock · uv.lock
Go
- Managers
- go
- Interception
GOPROXY- Lockfiles
- go.sum · go.mod
Rust
- Managers
- cargo
- Interception
CARGO_HOME source-replace (dual-origin gate)- Lockfiles
- Cargo.lock
Ruby
- Managers
- bundle
- Interception
bundler mirror- Lockfiles
- Gemfile.lock
.NET
- Managers
- dotnet
- Interception
nuget.config source (V3 index rewrite)- Lockfiles
- packages.lock.json
JVM
- Managers
- mvn · gradle
- Interception
MAVEN_ARGS mirror · GRADLE_USER_HOME init-script (dual-origin gate)- Lockfiles
- gradle.lockfile · verification-metadata.xml
Honest scope
Three things are out of reach for any install-time tool, and we say so up front: runtime activation (once your app require()s a package, the sandbox doesn’t apply), build-output poisoning (a malicious bundler plugin can rewrite dist/ inside the project dir), and zero-day source vulnerabilities (we know what OSV knows). For all three, Layer 1 is the primary defense — it blocks the package before any of those moments happen.
Two lines, once per machine.
After that, your existing npm install and pip install workflows route through Veln transparently. Nothing else changes.