⚠️ ARCHIVED: This project is no longer maintained. We recommend using OSV Scanner instead, which provides comprehensive vulnerability scanning across multiple ecosystems with active support and regular updates.
A fast, parallelized security scanner for detecting infected packages in lockfiles.
Fremen is a security tool designed to scan your project's lockfiles for known malicious package versions. It helps protect your supply chain by identifying compromised dependencies before they are installed or deployed.
It currently supports:
- npm (`package-lock.json`)
- Yarn (`yarn.lock`)
- pnpm (`pnpm-lock.yaml`)
Fremen is designed for performance, utilizing parallel execution to scan large directories and monorepos efficiently.
- This project is based on the work of Cobenian/shai-hulud-detect.
- It uses the same database format for identifying vulnerable package versions.
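How that matching works end to end, as an added Go example written for this README rather than code taken from Fremen or shai-hulud-detect: it parses a `database.txt` (the format is an assumption, since the README does not spell it out: one `name:version` per line, blank lines and `#` comments skipped), reads the `packages` map of a `package-lock.json` (lockfileVersion 2 or 3), and reports exact name and version matches, including a copy nested under another package's `node_modules`. Package names and versions in the sample inputs are fictitious and constructed for this example.

```go
package main

import (
	"bufio"
	"encoding/json"
	"fmt"
	"os"
	"sort"
	"strings"
)

// Infected is one package version known to be compromised.
type Infected struct {
	Name, Version string
}

// ParseDatabase reads an infected-package list. ASSUMED format (the README does
// not spell it out): one "name:version" per line; blank lines and '#' comments
// are skipped. Scoped npm names contain '/' but never ':', so the last ':' splits
// name from version unambiguously.
func ParseDatabase(text string) (map[Infected]bool, error) {
	db := make(map[Infected]bool)
	sc := bufio.NewScanner(strings.NewReader(text))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		i := strings.LastIndex(line, ":")
		if i <= 0 || i == len(line)-1 {
			return nil, fmt.Errorf("database line %d: want name:version, got %q", n, line)
		}
		db[Infected{Name: line[:i], Version: line[i+1:]}] = true
	}
	return db, sc.Err()
}

// packageLock is the part of package-lock.json (lockfileVersion 2 and 3) the scan
// needs: "packages", keyed by install path such as "node_modules/@scope/name" or
// "node_modules/a/node_modules/b" for a nested copy.
type packageLock struct {
	Packages map[string]struct {
		Version string `json:"version"`
	} `json:"packages"`
}

// ScanPackageLock returns every infected name/version the lockfile pins, nested
// copies included. It matches the exact resolved version, so a clean release of
// a package that appears in the database is not reported.
func ScanPackageLock(lock []byte, db map[Infected]bool) ([]Infected, error) {
	var pl packageLock
	if err := json.Unmarshal(lock, &pl); err != nil {
		return nil, fmt.Errorf("parse package-lock.json: %w", err)
	}
	var hits []Infected
	for path, pkg := range pl.Packages {
		i := strings.LastIndex(path, "node_modules/")
		if i < 0 {
			continue // the "" key is the root project itself, not a dependency
		}
		// The package name is whatever follows the last "node_modules/".
		cand := Infected{Name: path[i+len("node_modules/"):], Version: pkg.Version}
		if db[cand] {
			hits = append(hits, cand)
		}
	}
	// Map iteration order is random; sort so reports are stable.
	sort.Slice(hits, func(a, b int) bool {
		if hits[a].Name != hits[b].Name {
			return hits[a].Name < hits[b].Name
		}
		return hits[a].Version < hits[b].Version
	})
	return hits, nil
}

// Constructed sample inputs with fictitious package names, standing in for
// database.txt and a project's package-lock.json.
const SampleDatabase = `# constructed example database, name:version per line
@example/evil-colors:1.2.3
left-padding-demo:0.0.9
unrelated-pkg:9.9.9
`
const SampleLock = `{
  "lockfileVersion": 3,
  "packages": {
    "": {"name": "demo-app", "version": "1.0.0"},
    "node_modules/@example/evil-colors": {"version": "1.2.3"},
    "node_modules/safe-lib": {"version": "2.0.0"},
    "node_modules/safe-lib/node_modules/left-padding-demo": {"version": "0.0.9"},
    "node_modules/left-padding-demo": {"version": "0.1.0"}
  }
}`

func main() {
	db, err := ParseDatabase(SampleDatabase)
	if err != nil {
		panic(err)
	}
	hits, err := ScanPackageLock([]byte(SampleLock), db)
	if err != nil {
		panic(err)
	}
	for _, h := range hits {
		fmt.Printf("INFECTED %s@%s\n", h.Name, h.Version)
	}
	if len(hits) > 0 {
		os.Exit(1) // non-zero exit so a CI step fails on findings
	}
}
```

On the sample input this flags `@example/evil-colors@1.2.3` and the nested `left-padding-demo@0.0.9`, but not the top-level `left-padding-demo@0.1.0`: matching is on the exact resolved version, which is why a lockfile, not the version ranges in `package.json`, is the right thing to scan.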
This tool is developed and tested primarily on UNIX-like systems (Linux, macOS). The code has been written with the help of AI tools.
- Go 1.25+ installed on your system. You can download it from go.dev.
- Download the binary from the Releases page.
- Download or create a `database.txt` file containing the list of infected packages. By default, Fremen looks for `database.txt` in the directory where the binary is located.
Run the scanner against your project directories:
`./fremen [paths...]`

- Recursive Scan: scan the current directory and all subdirectories: `./fremen -r`
- Include Ignored Directories: by default, `.git` and `node_modules` are ignored. You can include them if needed: `./fremen -r --include-git --include-node-modules`
- Specify Database: use a custom database file: `./fremen -d /path/to/database.txt`
- Full Report: show all projects, including clean ones: `./fremen --full-report`
- JSON Output: generate a machine-readable JSON report: `./fremen --json`

For a full list of options, run `./fremen --help`.

Bug reports, feature requests, other issues and pull requests are welcome. See CONTRIBUTING.md for more information.
Distributed under the MIT License. See LICENSE for more information.