Add Aikido Safe Chain for malware protection in CI/CD #64
Description
Overview
Please create ".github/workflows/malware-safe-chain.yml" similar to the following PR changes to this project as part of the security measures against npm malware.
🔒 Security Enhancement: Aikido Safe Chain Integration
This PR adds Aikido Safe Chain to our GitHub Actions workflows to protect against malicious packages during dependency installation.
What is Aikido Safe Chain?
Aikido Safe Chain is a free security tool that prevents developers from installing malware through package managers. It wraps around package manager commands and verifies packages against Aikido Intel - Open Sources Threat Intelligence before installation.
Key Features
- ✅ Free to use - No tokens or authentication required
- 🛡️ Malware detection - Blocks malicious packages before installation
- 🔍 Threat intelligence - Uses open source threat data to identify risks
- 📦 Multi-package manager support - npm, pnpm, yarn, npx, pnpx
- 🚀 Node.js 18+ compatible
Current Implementation
- Created new workflow:
.github/workflows/safe-chain.yml - Installs
@aikidosec/safe-chainglobally in CI environment - Runs
safe-chain setup-cibefore dependency installation - Protects
pnpm installcommands from malicious packages
Note on pnpm Support
Currently, Aikido Safe Chain offers limited scanning for pnpm (scans install command arguments). Full dependency tree scanning for pnpm is coming soon according to the official roadmap.
References
Testing
The workflow will run automatically on this PR to verify the integration works correctly.