What's new
Zyrax Guard now plugs straight into CI and installs in one line.
GitHub Action
Gate every pull request. Drop Guard into a workflow and it checks the dependencies a PR adds. If one is a typosquat, known malware, a hallucinated name, or ships a risky install script, the check fails before it merges. Works with npm, PyPI, and crates.io.
- uses: actions/checkout@v4
with: { fetch-depth: 0 }
- uses: tiagosilva07/zyrax-guard@v0
with:
ecosystem: npm # npm | pypi | cratesOne-line install (Linux / macOS)
curl -fsSL https://raw.githubusercontent.com/tiagosilva07/zyrax-guard/main/scripts/install.sh | shDownloads the signed binary for your OS/arch and verifies its SHA-256 (and the cosign signature when cosign is on your PATH).
Verify
Every binary is signed with keyless cosign and SLSA build provenance, and an SPDX SBOM is attached:
cosign verify-blob --bundle zyrax-guard-linux-amd64.cosign.bundle zyrax-guard-linux-amd64Supersedes v0.6.0 (action description shortened to meet the Marketplace 125-character limit; no CLI behavior change).