@westbayberry/dg
v1.0.34
Supply chain security scanner for npm and Python dependencies — detects malicious packages, typosquatting, dependency confusion, and 26+ attack patterns
Downloads: 2,137
Supply chain security scanner for npm and Python dependencies. Scans lockfile changes against 26+ detectors to catch malicious packages, typosquatting, dependency confusion, credential theft, and obfuscated code before they reach production.
Install
```sh
npm install -g @westbayberry/dg
```

Requires Node.js 18+.
Quick Start
```sh
dg login
dg scan
```

The CLI walks your directory tree and finds npm lockfiles (package-lock.json, yarn.lock, pnpm-lock.yaml) and Python dependency files (requirements.txt, Pipfile.lock, poetry.lock). If multiple projects are found, an interactive selector lets you pick which ones to scan.
Only changed packages are scanned by default: dg diffs your lockfile against the git merge-base with main to find what's new or updated. If your base branch is not main, or the checkout has no history to compute a merge-base from (a shallow CI clone, for example), name the base explicitly with --base-lockfile <path>, or pass --scan-all to scan every package.
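How a changed-only scope like the one described above can be computed, as an added example that is not @westbayberry/dg's own code: a base snapshot (what --base-lockfile supplies explicitly, or what the merge-base lookup finds) and the current files are normalized into one map and diffed. The function names, the path-keyed map for npm, the PEP 503 name normalization for Python, and the sample lockfiles are all assumptions of this example; it handles package-lock.json (lockfileVersion 2 or 3) and requirements.txt only, not yarn.lock, pnpm-lock.yaml, Pipfile.lock, poetry.lock or lockfileVersion 1.

```javascript
// Added example (not @westbayberry/dg's own code): reproduce the default
// "only changed packages" scope by diffing a base dependency snapshot against
// the current one. Both formats are normalized to Map<key, {name, version,
// ecosystem}> so a single diff routine serves npm and Python inputs.

// package-lock.json v2/v3: "packages" is keyed by install path, e.g.
// "node_modules/lodash" or "node_modules/a/node_modules/b". The package name
// is whatever follows the last "node_modules/" (scoped names keep "@scope/").
// Key "" is the root project; keys outside node_modules are the project's own
// workspace packages; "link": true entries are symlinks to them. All skipped.
// lockfileVersion 1 ("dependencies" tree) is not handled here.
function parsePackageLock(lock) {
  const out = new Map();
  for (const [path, meta] of Object.entries(lock.packages || {})) {
    const idx = path.lastIndexOf("node_modules/");
    if (path === "" || meta.link || idx === -1) continue;
    const name = path.slice(idx + "node_modules/".length);
    // The install path is the key on purpose: the same name can be installed
    // twice at different versions (nested node_modules), and both must be seen.
    out.set("npm:" + path, { name, version: meta.version, ecosystem: "npm" });
  }
  return out;
}

// requirements.txt: only exact "name==version" pins are scannable. Comments,
// blank lines, pip options (-r, -e, --index-url ...) and non-exact specifiers
// are skipped; extras ("requests[socks]") and environment markers ("; ...")
// are stripped. Names are normalized per PEP 503 (lower-case, runs of
// "-", "_" and "." collapse to "-").
function parseRequirements(text) {
  const out = new Map();
  for (let line of text.split(/\r?\n/)) {
    line = line.replace(/#.*$/, "").split(";")[0].trim();
    if (!line || line.startsWith("-")) continue;
    const m = /^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s,]+)$/.exec(line);
    if (!m) continue;
    const name = m[1].toLowerCase().replace(/[-_.]+/g, "-");
    out.set("pypi:" + name, { name, version: m[2], ecosystem: "pypi" });
  }
  return out;
}

// "added" and "updated" are what a changed-only scan submits; "removed" is
// reported for completeness but never scanned.
function diffDependencies(base, head) {
  const added = [], updated = [], removed = [];
  for (const [key, pkg] of head) {
    const prev = base.get(key);
    if (!prev) added.push(pkg);
    else if (prev.version !== pkg.version) updated.push({ ...pkg, from: prev.version });
  }
  for (const [key, pkg] of base) if (!head.has(key)) removed.push(pkg);
  return { added, updated, removed };
}

// Apply the --allowlist (matched by package name) and --max-packages limits.
function selectForScan(diff, { allowlist = [], maxPackages = 200 } = {}) {
  const skip = new Set(allowlist);
  return [...diff.added, ...diff.updated].filter(p => !skip.has(p.name)).slice(0, maxPackages);
}

function changedPackages(baseLock, headLock, baseReq, headReq) {
  const base = new Map([...parsePackageLock(baseLock), ...parseRequirements(baseReq)]);
  const head = new Map([...parsePackageLock(headLock), ...parseRequirements(headReq)]);
  return diffDependencies(base, head);
}

// Constructed sample inputs (not real project files). BASE_* stand in for the
// merge-base snapshot, HEAD_* for the working tree.
const BASE_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "app", version: "1.0.0" },
  "node_modules/lodash": { version: "4.17.20" },
  "node_modules/express": { version: "4.18.2" },
  "node_modules/@types/node": { version: "18.0.0" },
} };
const HEAD_LOCK = { lockfileVersion: 3, packages: {
  "": { name: "app", version: "1.0.0" },
  "node_modules/lodash": { version: "4.17.21" },                    // bumped
  "node_modules/express": { version: "4.18.2" },                   // unchanged
  "node_modules/lodahs": { version: "1.0.0" },                     // new, typo-like name
  "node_modules/lodahs/node_modules/lodash": { version: "3.10.1" }, // new nested copy
} };
const BASE_REQ = "requests==2.31.0\nflask==3.0.0\n";
const HEAD_REQ = [
  "# pinned deps",
  "Requests[socks]==2.32.3 ; python_version >= '3.8'",  // bumped, extras + marker
  "flask==3.0.0",                                       // unchanged
  "colourama==0.4.6",                                   // new, typo-like name
  "-r dev.txt",                                         // pip option, skipped
  "numpy>=1.26",                                        // not an exact pin, skipped
].join("\n");

const diff = changedPackages(BASE_LOCK, HEAD_LOCK, BASE_REQ, HEAD_REQ);
console.log(JSON.stringify(selectForScan(diff, { allowlist: ["lodash"] }), null, 2));
```

Keying npm entries by install path rather than by name is what makes the nested `lodash@3.10.1` under `lodahs` show up as a new package even though a `lodash` already exists at the top level; allowlisting by name, as `--allowlist` does, then hides both copies, which is worth remembering before allowlisting a common name.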
Commands
```text
dg scan [options]      Scan dependencies for supply chain threats
dg npm install <pkg>   Scan packages before installing them
dg login               Authenticate with your WestBayBerry account
dg logout              Remove saved credentials
dg hook install        Install git pre-commit hook
dg hook uninstall      Remove the pre-commit hook
dg update              Check for and install the latest version
dg wrap                Show instructions to alias npm to dg
```

What It Detects
Each package is analyzed by 26+ detectors covering:
| Category | Examples |
|----------|----------|
| Code execution | child_process spawning, eval/Function calls, shell command injection |
| Network exfiltration | HTTP/WebSocket/DNS/gRPC calls, URL obfuscation, data exfil patterns |
| Credential theft | Reading SSH keys, browser tokens, cloud credentials, .npmrc/.pypirc |
| Install scripts | Suspicious preinstall/postinstall hooks, download-and-execute chains |
| Obfuscation | Hex/unicode encoding, string reconstruction, phantom eval, minified payloads |
| Supply chain | Typosquatting, dependency confusion, version squatting, borrowed repo URLs |
| Persistence | Writing to shell configs, cron jobs, systemd units, SSH authorized_keys |
| Behavioral | Time-gated payloads, purpose mismatch, runtime evasion, binary addons |
| Reputation | Missing/fake GitHub repos, ghost packages, low download counts |
Findings include severity (1–5), confidence (0–1), and code evidence with file paths and line numbers.
Scan Options
| Flag | Default | Description |
|------|---------|-------------|
| --mode <mode> | warn | block / warn / off |
| --block-threshold <n> | 70 | Score threshold for blocking (0–100) |
| --warn-threshold <n> | 60 | Score threshold for warnings (0–100) |
| --max-packages <n> | 200 | Max packages per scan |
| --allowlist <pkgs> | | Comma-separated packages to skip |
| --json | | Output raw JSON (for CI parsing) |
| --scan-all | | Scan all packages, not just changed |
| --base-lockfile <path> | | Explicit base lockfile for diff |
| --workspace <dir> | | Scan a specific workspace subdirectory |
| --debug | | Show discovery, batching, and timing info |
Exit Codes
| Code | Meaning | CI Action |
|------|---------|-----------|
| 0 | Pass | Continue |
| 1 | Warning | Advisory — review recommended |
| 2 | Block | Fail the pipeline |
| 3 | Error | Internal error (auth, network, etc.) |
Configuration
Settings can come from CLI flags, environment variables, or a .dgrc.json config file (searched in the current directory, then ~/). CLI flags take highest precedence.
.dgrc.json

```json
{
  "apiKey": "dg_...",
  "mode": "block",
  "blockThreshold": 70,
  "warnThreshold": 60,
  "maxPackages": 200,
  "allowlist": ["known-safe-pkg"]
}
```

Because the project directory is searched before ~/, a .dgrc.json committed to the repository is a convenient place for shared policy (mode, thresholds, allowlist). Keep apiKey out of that file: put it in ~/.dgrc.json instead, or add the project-level file to .gitignore, so the key is never committed.

Environment Variables
| Variable | Description |
|----------|-------------|
| DG_API_URL | API base URL |
| DG_MODE | block / warn / off |
| DG_ALLOWLIST | Comma-separated allowlist |
| DG_DEBUG | Set to 1 for diagnostic output |
| DG_WORKSPACE | Workspace subdirectory |
CI Setup
GitHub Actions
```yaml
- name: Scan dependencies
  run: |
    npx @westbayberry/dg login
    npx @westbayberry/dg scan --mode block --json
```

Any CI

```sh
npx @westbayberry/dg login
npx @westbayberry/dg scan --mode block --json
```

The --json flag outputs machine-readable results. Exit code 2 signals a blocked scan; wire it into your pipeline to fail the build. Two things to check when wiring it up: most CI runners (GitHub Actions `run:` steps included) fail a step on any non-zero exit, so exit 1 (warning) and exit 3 (internal error) also fail the job unless you handle them explicitly; and the default changed-only scan needs the merge-base with main, so fetch the base branch in the checkout (actions/checkout clones shallowly by default) or pass --base-lockfile or --scan-all.
Monorepo / Workspace
Scan a specific workspace:
```sh
dg scan --workspace packages/api
```

Or let dg discover all projects and pick interactively.
Git Hook
Block commits that introduce risky dependencies:
```sh
dg hook install
```

This adds a pre-commit hook that runs dg scan --mode block whenever a lockfile is staged. If any package scores above the block threshold, the commit is rejected. Remove it with dg hook uninstall.
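Wiring the exit codes from the CI Setup section and the staged-lockfile trigger described here into one script, as an added example. This is not the hook that `dg hook install` writes (the page does not show its contents) and not a dg feature: it runs a scan only when a staged file has one of the lockfile names listed under Quick Start, issues one scan per workspace directory, and turns dg's exit code into a pass/fail decision. The `strict` and `failClosed` knobs, the `--run` switch, and the injected process launcher are assumptions of this example, not dg options.

```javascript
// Added example, not part of @westbayberry/dg: a pre-commit / CI wrapper
// around `dg scan` that scans only when a lockfile is staged and turns the
// documented exit codes (0 pass, 1 warning, 2 block, 3 error) into a decision.
// The process launcher is injected so the logic can be exercised offline.

const LOCKFILE_NAMES = new Set([
  "package-lock.json", "yarn.lock", "pnpm-lock.yaml",
  "requirements.txt", "Pipfile.lock", "poetry.lock",
]);

// Reduce `git diff --cached --name-only` output to the staged lockfiles.
function stagedLockfiles(gitOutput) {
  return gitOutput.split(/\r?\n/).map(l => l.trim()).filter(Boolean)
    .filter(p => LOCKFILE_NAMES.has(p.split("/").pop()));
}

// One scan per directory holding a staged lockfile; a root lockfile maps to
// "." and is scanned without --workspace.
function workspacesFor(lockfiles) {
  return [...new Set(lockfiles.map(p => p.includes("/") ? p.slice(0, p.lastIndexOf("/")) : "."))];
}

// Exit code -> decision. `strict` and `failClosed` are policy knobs of this
// wrapper (assumptions, not dg flags): strict fails on warnings, failClosed
// fails when dg itself errored (auth, network) instead of letting an
// unscanned change through.
function decide(exitCode, { strict = false, failClosed = true } = {}) {
  switch (exitCode) {
    case 0: return { fail: false, reason: "pass" };
    case 1: return { fail: strict, reason: strict ? "warning treated as failure (strict)" : "warning, review recommended" };
    case 2: return { fail: true, reason: "blocked: a package scored above the block threshold" };
    case 3: return { fail: failClosed, reason: failClosed ? "dg error, failing closed" : "dg error, failing open" };
    default: return { fail: true, reason: `unexpected dg exit code ${exitCode}` };
  }
}

// spawn(cmd, args, captureStdout) -> { status, stdout }. Returns the first
// failing decision, or pass when every workspace scan passed.
function runHook(spawn, opts = {}) {
  const git = spawn("git", ["diff", "--cached", "--name-only"], true);
  if (git.status !== 0) return { fail: true, reason: "git diff failed" };
  const files = stagedLockfiles(git.stdout || "");
  if (files.length === 0) return { fail: false, reason: "no lockfile staged, scan skipped" };
  for (const ws of workspacesFor(files)) {
    const args = ["scan", "--mode", "block"];
    if (ws !== ".") args.push("--workspace", ws);
    const r = spawn("dg", args, false);
    // status is null when dg was killed or is not installed: treat as exit 3.
    const d = decide(r.status == null ? 3 : r.status, opts);
    if (d.fail) return { ...d, workspace: ws };
  }
  return { fail: false, reason: "pass" };
}

if (process.argv.includes("--run")) {
  // Real launcher, used when invoked as a hook: `node dg-hook.js --run`.
  // git output is captured; dg's own output goes straight to the terminal.
  const { spawnSync } = require("node:child_process");
  const spawn = (cmd, args, capture) =>
    spawnSync(cmd, args, { encoding: "utf8", stdio: ["ignore", capture ? "pipe" : "inherit", "inherit"] });
  const d = runHook(spawn, { strict: process.env.DG_STRICT === "1" });
  console.error(`dg hook: ${d.reason}`);
  process.exit(d.fail ? 1 : 0);
} else {
  // Dry run against a constructed launcher: a staged root lockfile, dg exits 2.
  const fake = (cmd) => cmd === "git"
    ? { status: 0, stdout: "src/app.js\npackage-lock.json\n" }
    : { status: 2, stdout: "" };
  console.log(runHook(fake));
}
```

The one policy choice that matters is what to do on exit 3: failing open keeps a flaky network from blocking every commit, but it also means a revoked API key or an unreachable service silently disables the gate, so this example fails closed by default and leaves it to the caller to relax that.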
npm Wrapper
Scan packages before they're installed:
```sh
dg npm install express lodash
```

Packages are resolved and scanned through the API. If a package is blocked, you'll get a confirmation prompt; press y to install anyway, or use --dg-force to skip the prompt. Since --dg-force installs blocked packages without asking, keep it out of scripts and CI.
To make this the default for all npm install commands:
```sh
echo 'alias npm="dg npm"' >> ~/.zshrc
```

A shell alias only covers npm commands typed into an interactive zsh session; scripts, CI jobs, and npm invoked by other tools bypass it, so rely on the git hook and the CI scan for those paths.

Python Support
Python projects are detected alongside npm. The scanner reads:
- requirements.txt: name==version pins
- Pipfile.lock: default and develop sections
- poetry.lock: [[package]] entries
Python packages are analyzed through the same detection engine against the PyPI registry.
