BinShield is an npm-first supply-chain binary scanner. This repo contains the public search app, SaaS API, analysis worker, GitHub Action, and shared analysis/risk packages in one monorepo.
- `apps/web`: Next.js app for the public database and authenticated dashboard
- `apps/api`: Hono API for package search, scan submission, org workflows, API keys, and billing stubs
- `apps/worker`: analysis orchestration, package acquisition, binary extraction, fingerprinting, and provider adapters
- `apps/github-action`: GitHub Action that discovers npm targets, queries the API, and enforces policy
- `packages/analysis-types`: shared domain schema, seeded demo corpus, and route contracts
- `packages/risk-engine`: deterministic risk scoring and aggregation helpers
- `packages/config`: shared environment parsing and product constants
- `supabase/migrations`: initial schema and RLS foundations
- Web: Next.js 15 App Router
- API: Hono on Node
- Database/Auth: Supabase Postgres/Auth
- Queue: BullMQ-compatible queue interface
- Workers: Ghidra headless runners plus LLM classification
- Install dependencies with `pnpm install`.
- Copy the env examples for each app.
- Run `pnpm dev` for the web app and `pnpm --filter @binshield/api dev` for the API.
- Run `pnpm test` for shared package coverage.
The repo intentionally ships with a polished fallback path so product work can continue before live infrastructure is wired:
- the web app can render from the seeded analysis corpus when the API is unavailable
- the API can run against its local repository mode when Supabase is not configured
- the worker can analyze the bundled fixture package when live providers are unavailable
This keeps the package-intelligence surface, dashboard shell, and CI integration demonstrable even before production credentials are connected.
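The fallback path described above has one consequence worth making explicit for the CI integration: a result served from the seeded corpus is demo data, and a policy check must not treat it as a live verdict. The following is an added example (not BinShield's own code) of a lookup that prefers the API, falls back to a seeded corpus when the API is unreachable, tags each result with its provenance, and only lets live data produce a passing verdict. All names (`lookupPackage`, `enforcePolicy`, the `PackageReport` shape, the sample corpus entries) are hypothetical.

```typescript
// Added example, not BinShield's own code: API-first package lookup with a
// seeded-corpus fallback, where every result carries its provenance.

type RiskLevel = "low" | "medium" | "high";

// Report shape assumed for this example; the real route contracts live in
// packages/analysis-types and may differ.
interface PackageReport {
  name: string;
  version: string;
  risk: RiskLevel;
  // Where the data came from. Consumers check this before enforcing policy.
  source: "live" | "seeded";
}

// Minimal stand-in for an API client: returns a report or throws when the
// API is unreachable. Synchronous to keep the example self-contained.
type ApiLookup = (name: string, version: string) => Omit<PackageReport, "source">;

// Constructed demo corpus for this example (not the repo's seeded corpus).
const seededCorpus: Record<string, Omit<PackageReport, "source">> = {
  "example-pkg@1.0.0": { name: "example-pkg", version: "1.0.0", risk: "low" },
  "native-addon@2.3.1": { name: "native-addon", version: "2.3.1", risk: "high" },
};

// Try the live API first; on failure (or when no API is configured) fall back
// to the seeded corpus. The `source` field records which path answered.
function lookupPackage(
  api: ApiLookup | null,
  name: string,
  version: string,
): PackageReport | null {
  if (api !== null) {
    try {
      return { ...api(name, version), source: "live" };
    } catch {
      // API unavailable: fall through to the seeded corpus.
    }
  }
  const seeded = seededCorpus[`${name}@${version}`];
  return seeded ? { ...seeded, source: "seeded" } : null;
}

type Verdict = "pass" | "fail" | "inconclusive";

// CI policy: fail on high risk from any source, but never let seeded demo
// data produce a passing verdict for a package the live API did not confirm.
function enforcePolicy(report: PackageReport | null): Verdict {
  if (report === null) return "inconclusive";
  if (report.risk === "high") return "fail";
  return report.source === "live" ? "pass" : "inconclusive";
}

// Two stand-in API clients used to exercise both paths.
const unreachableApi: ApiLookup = () => {
  throw new Error("API unavailable");
};
const liveApi: ApiLookup = (name, version) => ({ name, version, risk: "low" });

// Usage: with the API down, a low-risk seeded entry is inconclusive rather
// than a pass; with the API up, the same package passes.
console.log(enforcePolicy(lookupPackage(unreachableApi, "example-pkg", "1.0.0")));
console.log(enforcePolicy(lookupPackage(liveApi, "example-pkg", "1.0.0")));
```

The design point is the `source` tag: the web app can happily render seeded data while the API is down, but the GitHub Action should surface "inconclusive" rather than a clean pass, so an outage of the live infrastructure cannot silently turn into an approval.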