Behavioral Package Security
Sandtrace is a lightweight, Rust-based dependency security tool. Run audits and generate SBOMs locally, then send the findings and inventory to the cloud when your team needs shared visibility.
CLI Features
One binary. Seven scanners. Every major package ecosystem.
$ sandtrace audit . --severity medium
✓ Scanning 7 detection modules...
✗ HIGH postinstall hook in [email protected]
npm · supply-chain · malicious install script
! MED base64 payload in utils/config.js:42
shai-hulud · whitespace-encoded eval()
! MED unauthorized MCP server in .cursor/config
mcp-monitor · embedded prompt injection
✓ credential scan clean (9 providers checked)
✓ git template analysis clean
3 findings · 847 packages · 1.2s
-
Dependency Auditing
Scan npm, pnpm, yarn, composer, cargo, Python, Java, Go, and more for suspicious packages, obfuscation, and risky install behavior.
-
Supply Chain Scanning
Detect typosquatted npm packages, malicious postinstall scripts, and dependency confusion attacks before they execute.
-
MCP Config Monitoring
Watch Claude, Cursor, Continue, and Windsurf config files for unauthorized MCP server entries with embedded prompt injections.
-
Credential Detection
Find exposed API keys, tokens, and secrets across .env files, config directories, and environment variables for 9+ LLM providers.
-
Git Template Analysis
Detect Module._compile() injection and suspicious global init.templateDir modifications that hook into every git operation.
-
CycloneDX SBOM Output
Emit inventory snapshots for package ecosystems across the repo so teams can diff and review what changed on each commit.
-
Shai-Hulud Detection
Catch whitespace-encoded attacks and base64 payloads hidden in source files with tuned false-positive reduction.
Cloud Features
LiveProject Dashboard
Centralized view of audit uploads, SBOM history, package counts, and recent activity across your engineering team.
Inventory and Diffing
Track package history over time, compare commits, and see exactly which dependencies were added, removed, or changed.
Security Alerts
Surface vulnerable package changes and direct dependency shifts without requiring teams to inspect every raw lockfile diff.
Compliance Reports
Generate audit-ready reports showing coverage, inventory history, and remediation timelines for SOC 2 and other frameworks.
One-Click AI Upgrade Prompt
When Sandtrace finds vulnerable packages in your SBOM, it generates a ready-to-paste prompt for Claude Code, Cursor, or Copilot. Click the button, paste into your editor, and let AI handle the upgrade.
- 1. Sandtrace scans your SBOM against the OSV vulnerability database daily
- 2. Vulnerable packages are flagged with severity, CVE IDs, and dependency paths
- 3. Click "Copy AI Upgrade Prompt" to get a structured prompt with all the context your AI editor needs
Upgrade the following vulnerable packages to their latest safe versions. Project: my-web-app Commit: a1b2c3d4 Vulnerable packages: - filament/tables v5.3.2 → HIGH severity: GHSA-vv3x-j2x5-36jc (XSS in summarizer values) - league/commonmark v2.8.1 → MODERATE severity: GHSA-hh8v-hgvp-g3f5 (allowed_domains bypass) For each package: 1. Check the advisory link on osv.dev for the fixed version 2. Update the version constraint in the manifest file 3. Run `composer update` to install 4. Run the test suite to verify no breaking changes 5. If a major version bump is required, review the changelog for migration steps
Architecture
┌─────────────────────────────────────────────┐
│ Developer Machine │
│ │
│ ┌──────────┐ ┌──────────┐ ┌──────────┐ │
│ │ Credential│ │ MCP │ │ Supply │ │
│ │ Scanner │ │ Monitor │ │ Chain │ │
│ └────┬─────┘ └────┬─────┘ └────┬─────┘ │
│ │ │ │ │
│ └──────────┬───┘──────────────┘ │
│ │ │
│ ┌──────▼──────┐ │
│ │ sandtrace │ │
│ │ (Rust) │ │
│ └──────┬──────┘ │
│ │ │
└──────────────────┼────────────────────────────┘
│ (optional)
┌──────▼──────┐
│ Sandtrace │
│ Cloud │
└─────────────┘
Start Local. Scale to the Team.
Use the CLI for free, then move to Sandtrace Cloud when you need shared audit history, SBOM visibility, and evidence retention.