Know What Runs Before You Run It.
Sandtrace audits dependencies, generates CycloneDX SBOMs, and gives teams a safer way to review package risk before it spreads across laptops or CI.
$ sandtrace audit . --severity medium
✓ Scanning packages, scripts, and suspicious patterns...
$ sandtrace sbom . --output sandtrace.bom.json
✓ Emitting CycloneDX inventory for cloud history...
Status: findings and inventory ready for review
How It Works
Three steps to turn dependency changes into reviewable security evidence.
Scan the repo for risky packages, suspicious install scripts, and obfuscation patterns before they land in a branch or release.
$ sandtrace audit . --severity medium
✓ 3 findings flagged
$ sandtrace sbom . --output sandtrace.bom.json
✓ CycloneDX SBOM written (142 components)
Build a CycloneDX inventory from the repo so the team can track what packages and versions shipped on each commit.
sandtrace.bom.json
{
"bomFormat": "CycloneDX",
"components": 142,
"serialNumber": "urn:uuid:..."
}
Upload audits and SBOMs to the cloud for shared history, package diffs, and dependency security alerts.
cloud dashboard
Project: acme/api
Last audit: 2 min ago
Findings: 3 medium
SBOM drift: +2 packages
What Teams Can See
High-signal audit findings and SBOM history that security teams can actually use.
$ sandtrace audit . --severity low
✓ Scanning 142 packages across 3 lockfiles...
Findings:
MEDIUM postinstall script in [email protected]
Executes: node scripts/install.js
MEDIUM obfuscated source in [email protected]
Detected: base64 decode + eval pattern
HIGH typosquat match for [email protected]
Similar to: cross-env (Levenshtein: 1)
3 findings · 139 packages clean
SBOM: sandtrace.bom.json (CycloneDX 1.5)
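As an added example of the typosquat check reported in the findings above (illustrative code, not Sandtrace's own implementation): declared dependency names are compared by Levenshtein distance against a small constructed list of well-known package names, and a name that is one edit away from a known package without being that package is flagged.

```rust
// Added example, not Sandtrace source: flag dependency names that sit within a
// small edit distance of a well-known package name (e.g. one edit from cross-env).

/// Standard Levenshtein edit distance (insert, delete, substitute each cost 1).
fn levenshtein(a: &str, b: &str) -> usize {
    let a: Vec<char> = a.chars().collect();
    let b: Vec<char> = b.chars().collect();
    let mut prev: Vec<usize> = (0..=b.len()).collect();
    let mut cur = vec![0; b.len() + 1];
    for i in 1..=a.len() {
        cur[0] = i;
        for j in 1..=b.len() {
            let cost = if a[i - 1] == b[j - 1] { 0 } else { 1 };
            cur[j] = (prev[j] + 1).min(cur[j - 1] + 1).min(prev[j - 1] + cost);
        }
        std::mem::swap(&mut prev, &mut cur);
    }
    prev[b.len()]
}

/// Constructed sample list of well-known names a lookalike package would imitate.
const KNOWN: &[&str] = &["cross-env", "lodash", "express", "chalk"];

/// Returns (dependency, closest known name, distance) for every dependency that is
/// within `max_dist` edits of a known package but is not itself a known package.
pub fn typosquat_matches(deps: &[&str], max_dist: usize) -> Vec<(String, String, usize)> {
    let mut out = Vec::new();
    for dep in deps {
        if KNOWN.contains(dep) {
            continue; // exact well-known name: legitimate, not a squat
        }
        let best = KNOWN.iter().map(|k| (k, levenshtein(dep, k))).min_by_key(|(_, d)| *d);
        if let Some((k, d)) = best {
            if d <= max_dist {
                out.push((dep.to_string(), k.to_string(), d));
            }
        }
    }
    out
}

fn main() {
    // Constructed lockfile-style input: one lookalike of cross-env, one of express.
    let deps = ["crossenv", "lodash", "expres", "left-pad"];
    for (dep, known, d) in typosquat_matches(&deps, 1) {
        println!("HIGH typosquat match for {}\n  Similar to: {} (Levenshtein: {})", dep, known, d);
    }
}
```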
- Dependency Audit Findings: Flag suspicious packages, risky install hooks, typosquats, and obfuscated source before those changes land in a build.
- CycloneDX Inventory: Generate SBOMs from npm, pnpm, yarn, Composer, Cargo, Python, Java, Go, and more using one command.
- Commit-to-Commit Diffs: See exactly which packages were added, removed, or changed between commits instead of diffing lockfiles by hand.
- Security Alerts: Turn vulnerable package changes and dependency drift into team-visible alerts and historical evidence.
- Historical Coverage: Store audits and SBOMs across repos, developers, and CI runs so security can answer what shipped and when.
- Compliance Exports: Export findings, inventory history, and package-change evidence for customer reviews, internal audits, and SOC 2 support.
Open Source + Cloud
Open source auditing locally. Cloud for teams that need shared inventory, history, and alerts.
Free Forever
- Audit findings in JSON and SARIF
- CycloneDX SBOM generation across major ecosystems
- Obfuscation and supply-chain scanning
- Community support
- MIT licensed
Team Visibility
- Shared project dashboard for audits and SBOMs
- Commit-level inventory and package diffs
- Security alerts and evidence exports
- Org access control, API keys, and billing
Built by
Closed Circuit Inc
We build security tools for real incident response. Sandtrace is open source because supply chain defense should be observable before it becomes expensive.
Turn Every Install Into Evidence
Start locally with the CLI, then move the risky events and verdicts your team actually needs into Sandtrace Cloud.
$ git clone https://github.com/sandtrace/sandtrace.git
$ cd sandtrace && cargo build --release
$ ./target/release/sandtrace audit . --severity medium
$ ./target/release/sandtrace sbom . --output sandtrace.bom.json