Guardrail wraps your package manager and checks every package against the OSV vulnerability database — before it touches your lockfile, before code review, before CI. Shift-left security that fits in your existing workflow.
Most security tools run too late. Guardrail runs first.
By the time a lockfile scanner runs, the vulnerable package is already committed. Guardrail stops it the moment you type `npm install`, before anything lands in your repo.
Queries the open-source OSV vulnerability database — the same data behind GitHub's Dependabot. No account required, no API key, no rate limits.
Results are cached locally for 24 hours. After the first check, repeated installs of the same package are instant. Point the cache at a shared NFS path to share it across your whole team; keep in mind that anyone who can write to a shared cache can alter the cached verdicts, so restrict write access to it as you would any other trusted input.
Optional Claude-powered analysis checks whether your code actually calls the vulnerable function before blocking. This reduces false positives; treat it as a reachability heuristic rather than proof that a vulnerability is unreachable, since indirect and dynamic call paths are easy to miss.
Guardrail doesn't just report; it tells you the minimum safe version to install. When no patch exists, it finds the last version that predates the vulnerability. A downgrade may reintroduce older advisories or break APIs, so check the suggested version against the same database before pinning it.
Reviewed a CVE and accepted the risk? Add an ignore rule with a reason and optional expiry date. Rules auto-expire so accepted risks get re-evaluated over time.
Five steps between your command and the real package manager.
1. Parse. Guardrail reads the package names from your install command and resolves any missing versions from the package registry.
2. Cache lookup. Each package is looked up in the local cache. Results less than 24 hours old are used immediately, with no network call needed.
3. Batch query. Cache misses are batched into a single request to the OSV API. Results are saved to the local cache for next time.
4. Policy. CVEs are matched against your severity threshold and ignore rules. A full report is printed to the terminal.
5. Decide. If any package is blocked, Guardrail exits without invoking the package manager. Otherwise it hands off to the real package manager, completely transparent to your workflow.
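The following is an added example that models the five steps above, together with the safe-version advice and expiring ignore rules described earlier. It is not Guardrail's own code. The request body shape is the public OSV `POST /v1/querybatch` format; the cache layout, the ignore-rule fields (`id`, `reason`, `expires`), the use of `database_specific.severity` as the severity label (the convention in GHSA-sourced OSV records) and the `demo-lib` registry and `OSV-EXAMPLE-0001` advisory are all assumptions constructed for this example. The HTTP call is injected as a callable so the whole thing runs offline.

```python
# Added example modelling a Guardrail-style install gate; not the project's code.
# Network access is replaced by an injected fetch() so it runs offline.
import time
from datetime import date

CACHE_TTL = 24 * 3600                       # step 2: entries younger than this skip the network
SEVERITY_RANK = {"LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}
FAIL_CLOSED = max(SEVERITY_RANK.values())   # unknown severity is treated as CRITICAL

def vkey(v):
    """Sort key for dotted versions (assumption: no pre-release suffixes)."""
    return tuple(int(x) for x in v.split("."))

def split_spec(spec):
    """'lodash@4.17.21' -> ('lodash', '4.17.21'); '@scope/pkg' -> ('@scope/pkg', None)."""
    at = spec.rfind("@")
    return (spec, None) if at <= 0 else (spec[:at], spec[at + 1:])

def parse_install(argv, registry):
    """Step 1: read specs from `npm install ...`; unversioned specs resolve to
    the newest version the (constructed) registry lists."""
    pkgs = []
    for arg in argv[2:]:
        if arg.startswith("-"):
            continue
        name, version = split_spec(arg)
        pkgs.append((name, version or max(registry[name], key=vkey)))
    return pkgs

def check_cache(cache, pkgs, now):
    """Step 2: split packages into TTL-fresh cache hits and misses."""
    hits, misses = {}, []
    for pkg in pkgs:
        entry = cache.get(pkg)
        if entry and now - entry["ts"] < CACHE_TTL:
            hits[pkg] = entry["vulns"]
        else:
            misses.append(pkg)
    return hits, misses

def build_querybatch(pkgs, ecosystem="npm"):
    """Step 3: one POST body for /v1/querybatch covering every miss."""
    return {"queries": [{"package": {"name": n, "ecosystem": ecosystem}, "version": v}
                        for n, v in pkgs]}

def safe_version(vuln, available):
    """Advice: lowest fixed version, else the newest version older than the
    earliest introduced version (a downgrade that should itself be re-checked)."""
    fixed, introduced = [], []
    for aff in vuln.get("affected", []):
        for rng in aff.get("ranges", []):
            for ev in rng.get("events", []):
                if "fixed" in ev:
                    fixed.append(ev["fixed"])
                if ev.get("introduced", "0") != "0":
                    introduced.append(ev["introduced"])
    if fixed:
        return min(fixed, key=vkey)
    if introduced:
        older = [v for v in available if vkey(v) < vkey(min(introduced, key=vkey))]
        return max(older, key=vkey) if older else None
    return None

def active_ignores(rules, today):
    """Rules whose expiry date has passed no longer suppress anything."""
    return {r["id"] for r in rules
            if r.get("expires") is None or date.fromisoformat(r["expires"]) >= today}

def gate(argv, registry, cache, fetch, threshold="HIGH", ignore_rules=(), now=None, today=None):
    """Steps 1-5. Returns the report, the blocked findings and the command to
    exec (None when blocked). `fetch(body)` performs the querybatch POST."""
    now = time.time() if now is None else now
    today = date.today() if today is None else today
    pkgs = parse_install(argv, registry)
    hits, misses = check_cache(cache, pkgs, now)
    if misses:
        for pkg, res in zip(misses, fetch(build_querybatch(misses))["results"]):
            cache[pkg] = {"ts": now, "vulns": res.get("vulns", [])}
            hits[pkg] = cache[pkg]["vulns"]
    ignored = active_ignores(ignore_rules, today)
    blocked, report = [], []
    for name, version in pkgs:
        for v in hits[(name, version)]:
            # step 4: GHSA-sourced OSV records carry a label in database_specific.severity
            label = v.get("database_specific", {}).get("severity", "UNKNOWN")
            if v["id"] in ignored:
                report.append(f"{name}@{version}: {v['id']} ignored (accepted risk)")
            elif SEVERITY_RANK.get(label, FAIL_CLOSED) >= SEVERITY_RANK[threshold]:
                fix = safe_version(v, registry.get(name, []))
                blocked.append((name, version, v["id"], fix))
                report.append(f"{name}@{version}: {v['id']} {label}; install {fix}")
            else:
                report.append(f"{name}@{version}: {v['id']} {label} below threshold")
    return {"report": report, "blocked": blocked, "exec": None if blocked else argv}

# Constructed sample data: a toy registry and a fake advisory, not a real OSV record.
REGISTRY = {"demo-lib": ["1.0.0", "1.1.0", "1.2.0", "1.2.1"]}
ADVISORY = {"id": "OSV-EXAMPLE-0001", "database_specific": {"severity": "HIGH"},
            "affected": [{"package": {"name": "demo-lib", "ecosystem": "npm"},
                          "ranges": [{"type": "SEMVER", "events": [{"introduced": "1.1.0"},
                                                                    {"fixed": "1.2.1"}]}]}]}

class FakeOSV:
    """Stand-in for querybatch. The real endpoint returns only {id, modified}
    per vuln and needs /v1/vulns/{id} for details; the fake returns full records."""
    def __init__(self):
        self.calls = 0
    def __call__(self, body):
        self.calls += 1
        results = []
        for q in body["queries"]:
            affected = (q["package"]["name"] == "demo-lib"
                        and vkey("1.1.0") <= vkey(q["version"]) < vkey("1.2.1"))
            results.append({"vulns": [ADVISORY] if affected else []})
        return {"results": results}

if __name__ == "__main__":
    out = gate(["npm", "install", "demo-lib@1.2.0"], REGISTRY, {}, FakeOSV(), today=date(2025, 1, 1))
    print("\n".join(out["report"]), "\nexec:", out["exec"])
```

Two design choices are worth calling out. Unknown severity labels fail closed (they rank as CRITICAL), because a record without a label is more often a fresh advisory than a harmless one. And `now` and `today` are parameters rather than read inside the function, which is what makes the TTL and ignore-rule expiry behaviour testable without sleeping or changing the clock.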
One binary. No runtime dependencies.
brew install ChengaDev/tap/grail
A minimal, auditable stack.