Features
ShieldedStack: Intelligent Supply Chain Security
ShieldedStack is a high-performance proxy that inspects all package downloads, blocking malicious or vulnerable packages before they reach your developers. Combined with a centralized control plane, it delivers real-time visibility, policy enforcement, and risk-based security — all without disrupting your team’s workflow.
- Real-time CVE scanning & blocking
- Proxy Modes: TrustThenVerify & VerifyThenTrust
- Allow & deny lists configurable via control plane
- Centralized dashboard for package stats & CVE reports
- Risk scoring based on package age, last commit, and metadata
- Supports PyPI, npm, NuGet; expanding to Maven, RubyGems, Cargo, and more
- Advisory integrations from OSV, Snyk, and GitHub
Proxy Modes & Enforcement
ShieldedStack enforces package security by blocking vulnerable packages, with exceptions for allowlisted packages:
- Packages with known vulnerabilities at or above the configured block severity level are always blocked, unless explicitly allowlisted.
The proxy mode controls how new packages without known vulnerabilities are handled:
- TrustThenVerify: New packages are allowed on first request and scanned afterward. If vulnerabilities are later discovered above the block level, future requests will be blocked.
- VerifyThenTrust: New packages are scanned before allowing the first download and blocked immediately if vulnerabilities are detected above the block threshold.
- The allowlist overrides blocking — packages explicitly allowlisted bypass vulnerability checks and are always allowed.
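To make the precedence of these rules concrete, the following is an added example (not ShieldedStack's own code) that evaluates one download request against a policy as described above. The severity names, the `name` / `name@version` list entry syntax, and denylist-before-allowlist precedence are assumptions; the page does not specify them.

```python
from dataclasses import dataclass
from enum import Enum
from typing import FrozenSet, Optional

# Assumed severity scale; the page only says "block severity level".
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}


class Mode(Enum):
    TRUST_THEN_VERIFY = "TrustThenVerify"   # serve first, scan afterwards
    VERIFY_THEN_TRUST = "VerifyThenTrust"   # scan before the first download


@dataclass(frozen=True)
class Policy:
    mode: Mode
    block_severity: str = "high"                  # block at or above this level
    allowlist: FrozenSet[str] = frozenset()       # entries: "name" or "name@version" (assumed syntax)
    denylist: FrozenSet[str] = frozenset()


@dataclass(frozen=True)
class Package:
    name: str
    version: str
    scanned: bool                           # has an advisory lookup completed for this version?
    max_severity: Optional[str] = None      # highest known vulnerability severity, if any


def _listed(pkg: Package, entries: FrozenSet[str]) -> bool:
    return pkg.name in entries or f"{pkg.name}@{pkg.version}" in entries


def decide(pkg: Package, policy: Policy) -> str:
    """Return 'allow', 'block', or 'scan' (scan = hold the request until results are in)."""
    if _listed(pkg, policy.denylist):       # assumption: denylist wins over allowlist
        return "block"
    if _listed(pkg, policy.allowlist):      # allowlist bypasses vulnerability checks entirely
        return "allow"
    if not pkg.scanned:                     # a package the proxy has not seen yet
        if policy.mode is Mode.VERIFY_THEN_TRUST:
            return "scan"
        return "allow"                      # TrustThenVerify: serve now, re-evaluate later
    if pkg.max_severity is None:            # scanned, no known vulnerabilities
        return "allow"
    if SEVERITY_RANK[pkg.max_severity] >= SEVERITY_RANK[policy.block_severity]:
        return "block"
    return "allow"
```

Under TrustThenVerify a package that returned "allow" on first request returns "block" once a later scan records a severity at or above the threshold, which is the re-evaluation the mode description above refers to.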
Control Plane & Configuration
The ShieldedStack control plane provides centralized configuration management, monitoring, and analytics:
- Manage allow and deny lists to customize package policies per your organization’s needs.
- View aggregated statistics on package downloads, usage patterns, and vulnerability trends.
- Generate risk reports highlighting problematic packages and dependencies.
- Configure package manager support and integrations via an easy-to-use dashboard.
Package Manager Support
ShieldedStack currently supports Python’s PyPI, JavaScript’s npm, and .NET’s NuGet package managers. Support for Maven, RubyGems, Cargo, and others is planned to ensure comprehensive supply chain protection.
Advisory Integrations
ShieldedStack integrates vulnerability data from the Open Source Vulnerability database (OSV), Snyk, and GitHub advisories, ensuring you have the most up-to-date security intelligence.
Recursive Vulnerability Checking
Our proxy performs deep recursive scans through package dependency trees, identifying vulnerabilities not only in direct dependencies but also in nested ones, giving you thorough protection.