Kushal_Meghani1644

Running npm Packages in a Sandbox to See What They Really Do

In the last few months, npm supply chain attacks have increased a lot, and the only suggestion I kept hearing was,

"Just be careful about what you install."

The problem is that modern JavaScript projects can easily depend on hundreds or even thousands of packages. Most developers don't have the time to manually inspect every dependency before running npm install.

That got me thinking:

What if we could watch a package behave before trusting it?

That's why I built GoAudit.

GoAudit is an open-source security tool that executes npm packages inside an isolated sandbox and observes their behavior.

Instead of only looking at source code or known vulnerability databases, GoAudit watches what a package actually does when it runs.

Check it out here: Website
Source code: GitHub repo

The goal is simple:

Audit first. Trust later.

When GoAudit analyzes a package, it:

  1. Creates a fully isolated sandbox using gVisor (runsc)
  2. Installs the package inside the sandbox
  3. Executes the package
  4. Sets up honeypot files and monitoring points
  5. Tracks how the package behaves during execution
  6. Generates a report of suspicious activity

This allows GoAudit to catch behaviors that may not be obvious from a quick code review.

Some examples include:

  • Unexpected file access
  • Network connections
  • Credential harvesting attempts
  • Suspicious install scripts
  • Runtime behavior that deserves investigation
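To make steps 4 and 5 concrete, here is an added example of a honeypot-file harness in Python. It is not GoAudit's code and does not use gVisor: it plants decoy credential files with unique canary tokens in a throwaway home directory, runs a command with HOME pointed at that directory, then diffs the directory (created, modified, deleted files) and scans the process output for the canary tokens. The decoy paths, the two simulated install scripts in run_demo and the finding strings are all constructed for this example. A read that leaves no trace on disk or in the output is invisible to this harness; that is the gap a sandbox with syscall-level visibility such as gVisor closes.

```python
"""Honeypot-file harness: run a command against a decoy home directory and
report what it touched. Added example, not GoAudit's own implementation."""
import hashlib
import os
import secrets
import subprocess
import sys
import tempfile
from pathlib import Path

# Decoy files that credential-stealing install scripts typically look for.
# Each is written with a fresh random token so a leak can be attributed to one file.
DECOYS = {
    ".npmrc": "//registry.npmjs.org/:_authToken={token}\n",
    ".aws/credentials": "[default]\naws_access_key_id=AKIA{token}\n"
                        "aws_secret_access_key={token}\n",
    ".ssh/id_ed25519": "-----BEGIN OPENSSH PRIVATE KEY-----\n{token}\n"
                       "-----END OPENSSH PRIVATE KEY-----\n",
}


def plant_decoys(home: Path) -> dict:
    """Write every decoy under home; return {relative_path: canary_token}."""
    planted = {}
    for rel, template in DECOYS.items():
        token = secrets.token_hex(8)
        path = home / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text(template.format(token=token))
        planted[rel] = token
    return planted


def snapshot(home: Path) -> dict:
    """Map every file under home to its SHA-256 so a before/after diff
    exposes files the command created, modified or deleted."""
    return {
        str(p.relative_to(home)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in home.rglob("*") if p.is_file()
    }


def observe(cmd: list, timeout: int = 60) -> dict:
    """Run cmd with a decoy HOME and a minimal environment (so no real secrets
    are handed to it) and return {'returncode': int, 'findings': [str]}."""
    with tempfile.TemporaryDirectory() as tmp:
        home = Path(tmp)
        planted = plant_decoys(home)
        before = snapshot(home)
        env = {"HOME": str(home), "PATH": os.environ.get("PATH", ""), "LANG": "C.UTF-8"}
        try:
            proc = subprocess.run(cmd, cwd=home, env=env, capture_output=True,
                                  text=True, errors="replace", timeout=timeout)
            output, returncode = proc.stdout + proc.stderr, proc.returncode
        except subprocess.TimeoutExpired as exc:
            output = (exc.stdout or b"").decode("utf-8", "replace") + (exc.stderr or b"").decode("utf-8", "replace")
            returncode = -1
        after = snapshot(home)

        findings = [f"timed out after {timeout}s"] if returncode == -1 else []
        # Crude exfiltration check: a canary showing up in stdout/stderr means the
        # decoy was read and its contents left the process.
        for rel, token in planted.items():
            if token in output:
                findings.append(f"canary from {rel} appeared in process output")
        findings += [f"deleted: {rel}" for rel in set(before) - set(after)]
        findings += [f"created: {rel}" for rel in set(after) - set(before)]
        findings += [f"modified: {rel}" for rel in set(before) & set(after) if before[rel] != after[rel]]
        return {"returncode": returncode, "findings": sorted(findings)}


# Two constructed stand-ins for an install script, run with the current Python.
QUIET_INSTALLER = [sys.executable, "-c", "print('building native module')"]
LEAKY_INSTALLER = [sys.executable, "-c",
                   "import os; h = os.path.expanduser('~');"
                   "print(open(os.path.join(h, '.npmrc')).read());"
                   "open(os.path.join(h, '.bashrc'), 'a').write('# persistence marker\\n')"]


def run_demo() -> dict:
    """Observe both simulated installers; only the leaky one should produce findings."""
    return {"quiet": observe(QUIET_INSTALLER), "leaky": observe(LEAKY_INSTALLER)}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

Running the block reports nothing for the quiet installer and, for the leaky one, both the .npmrc canary in the output and the new .bashrc. Deleting the temporary HOME afterwards is part of the point: the decoys never hold a real credential, so a false positive costs nothing.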

Example Usage

Audit a package before installing it on your system:

goaudit scan "npm install package-name"

GoAudit will create an isolated environment, run the installation, execute the package, and monitor what happens.

Works With Multiple Package Managers

GoAudit currently supports:

  • npm
  • pnpm
  • Bun

This makes it easy to integrate into existing JavaScript and TypeScript workflows.

Scanning Entire Projects

Sometimes the risk isn't a single package.

It's the hundreds of dependencies hiding inside a project.

For that reason, GoAudit includes project-wide scanning. In your project's directory, simply run:

goaudit scan-project .

This analyzes dependencies across the entire project and helps identify packages that deserve closer inspection.

CI-Friendly Output

Security checks are most useful when they're automated.

GoAudit includes a CI mode that outputs structured JSON:

goaudit scan --ci

This makes it easy to integrate with GitHub Actions, GitLab CI, Jenkins, or any other automation pipeline.
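A structured report is only useful in CI if something turns it into a pass/fail decision. The following is an added example of such a gate in Python; it is not part of GoAudit, and the report schema it reads (top-level package and findings keys, with category, severity and detail per finding) is an assumption that has to be mapped onto the real --ci output. The sample report is constructed. The allowlist exists because some behaviour is expected for a given package (a native module fetching prebuilt binaries during install, for instance) and a reviewer should be able to accept it explicitly rather than lowering the bar for everything.

```python
"""CI gate: read a JSON behaviour report, apply a policy, return an exit code.
Added example, not GoAudit's code; the report shape is a hypothetical schema."""
import json
import sys

# Hypothetical report shape (map these keys onto the real --ci output):
# {"package": "<name>", "findings": [{"category": str, "severity": str, "detail": str}]}
BLOCKING_CATEGORIES = {"credential_access", "network"}   # block regardless of severity
SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3}


def evaluate(report: dict, allowlist=(), fail_at: str = "high"):
    """Return (exit_code, decisions). allowlist holds (package, category) pairs a
    reviewer has accepted; fail_at is the lowest severity that blocks on its own."""
    package = report.get("package", "<unknown>")
    threshold = SEVERITY_RANK[fail_at]
    decisions, blocking = [], 0
    for finding in report.get("findings", []):
        category = finding.get("category", "unknown")
        severity = finding.get("severity", "low")
        if (package, category) in allowlist:
            verdict = "allowed"
        elif category in BLOCKING_CATEGORIES or SEVERITY_RANK.get(severity, 0) >= threshold:
            verdict = "block"
            blocking += 1
        else:
            verdict = "warn"
        decisions.append((verdict, category, severity, finding.get("detail", "")))
    return (1 if blocking else 0), decisions


# Constructed sample report for a stand-alone run.
SAMPLE_REPORT = {
    "package": "example-pkg",
    "findings": [
        {"category": "install_script", "severity": "medium", "detail": "postinstall script present"},
        {"category": "network", "severity": "high", "detail": "connection attempt during install"},
        {"category": "file_access", "severity": "low", "detail": "read package.json"},
    ],
}


def main():
    # Read the report from stdin when piped in; fall back to the sample otherwise.
    report = SAMPLE_REPORT if sys.stdin.isatty() else json.load(sys.stdin)
    code, decisions = evaluate(report)
    for verdict, category, severity, detail in decisions:
        print(f"{verdict.upper():8}{category:18}{severity:8}{detail}")
    sys.exit(code)


if __name__ == "__main__":
    main()
```

In a pipeline the gate would consume the tool's JSON on stdin and its exit status would fail the job; the one policy decision worth getting right is that allowlist entries are tied to a specific package and category, so accepting one package's network use does not silence the same finding elsewhere.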

Why I Built It

I wanted something that could answer a simple question:

"If I run this package, what does it actually do?"

Most tools focus on known vulnerabilities.

GoAudit focuses on behavior.

By observing packages inside an isolated environment, developers can gain another layer of confidence before introducing new code into their systems.

Current Status

GoAudit is currently at v0.1.0.

It's still early, and there is plenty of work ahead:

  • Better detection capabilities
  • Faster scans
  • More package ecosystem support
  • Improved reporting
  • Community feedback and contributions

GoAudit is an early project, and I'd love feedback from developers, security researchers, and open-source contributors.

If you've ever worried about what an npm package might do after installation, I'd be interested to hear what features you would want from a tool like this.

Thanks for reading.
