DEV Community

Usman


Marshal v0.1 is live

I've been building Marshal in public for the last few weeks. It's shipped now.

It's a behavioral supply-chain scanner for JVM dependencies. Rather than checking a vulnerability database, it looks at how a package changed since its last release. The signal I trust most is a dropped GPG signature: a library that was signed for years and then ships one unsigned release. That happened during the old Sun-to-Oracle handoff of javax.activation, and it's exactly the kind of thing a CVE scanner never sees.
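As an added illustration of the release-to-release comparison described above (example code, not Marshal's own implementation): it walks a constructed Maven release history in version order and flags a release that ships without a detached `.asc` after earlier signed releases, or one that is signed with a different key than before. The artifact name, file listings and key IDs are all constructed placeholders.

```python
"""Flag Maven releases whose GPG signature disappears or changes signing key."""
import re

ARTIFACT = "example-lib"   # hypothetical artifactId, constructed for this example


def _files(version, signed):
    """Constructed Maven version-directory listing: jar + pom, with .asc if signed."""
    names = [f"{ARTIFACT}-{version}.jar", f"{ARTIFACT}-{version}.pom"]
    return names + [n + ".asc" for n in names] if signed else names


# Constructed release history; key_id stands in for the key ID that would be
# read out of the detached .asc signature (placeholder values, not real keys).
RELEASES = [
    {"version": "1.0", "files": _files("1.0", True), "key_id": "0xAAAA1111AAAA1111"},
    {"version": "1.2", "files": _files("1.2", True), "key_id": "0xBBBB2222BBBB2222"},
    {"version": "1.1", "files": _files("1.1", True), "key_id": "0xAAAA1111AAAA1111"},
    {"version": "1.1.1", "files": _files("1.1.1", False), "key_id": None},
]


def version_key(version):
    """Sort key: numeric components compare as ints, everything else as strings."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.-]", version))


def is_signed(artifact, release):
    """A release counts as signed only if its jar has a detached .asc beside it."""
    return f"{artifact}-{release['version']}.jar.asc" in release["files"]


def signature_findings(artifact, releases):
    """Return (version, kind, detail) for each signing regression, in version order.
    A first-ever signature is not a finding; an unsigned release after signed ones
    is, as is a change of signing key between two signed releases."""
    findings, last_signed = [], None
    for rel in sorted(releases, key=lambda r: version_key(r["version"])):
        if is_signed(artifact, rel):
            if last_signed and last_signed["key_id"] != rel["key_id"]:
                findings.append((rel["version"], "key_changed",
                                 f"{last_signed['key_id']} -> {rel['key_id']}"))
            last_signed = rel
        elif last_signed is not None:
            findings.append((rel["version"], "signature_dropped",
                             f"signed through {last_signed['version']}, unsigned here"))
    return findings


if __name__ == "__main__":
    for finding in signature_findings(ARTIFACT, RELEASES):
        print(*finding)
```

Against a real repository the same logic would run over the directory listing for each version (`<groupId path>/<artifactId>/<version>/`) rather than the constructed lists here.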

The CLI and GitHub Action are open source under Apache 2.0. Maven today, with Gradle, npm, and PyPI planned.

Repo and docs: github.com/marshal-hq/marshal

If you run it on a real project, tell me where it gets things wrong. False positives are what I care about most right now.
