Search everything...

Stats

Actions

Available In

guard

Name: guard
Author: mauroproto

By MauroProto

Context-aware Guard integration for Claude Code sessions in pnpm and GitHub repositories.

npx claudepluginhub mauroproto/guard --plugin guard

Popularity

Stars

Above avg

Med: 0·Avg: 285

Installs

Med: 0·Avg: 1

What's Inside

Agents3

dependency-reviewer

/dependency-reviewer

Reviews dependency and lockfile changes with Guard, focusing on approvals, advisories, install/build risk, and scoped remediation.

policy-reviewer

/policy-reviewer

Reviews Guard policy changes, expirations, exceptions, and drift using policy lint and focused Guard scans.

workflow-security-reviewer

/workflow-security-reviewer

Reviews GitHub Actions changes with Guard, focusing on trust boundaries, permissions, triggers, pinning, and release posture.

Skills5

review-dependencies

/review-dependencies

Use this skill when package.json, pnpm-lock.yaml, or dependency mutation commands changed the supply-chain surface and Guard should review dependency risk.

approve-build-guided

/approve-build-guided

Use this skill when Guard reports pending build approvals and the user wants a scoped, explicit approve-build workflow.

explain-findings

/explain-findings

Use this skill when Guard emitted findings and Claude should explain the rule, evidence, blocking status, and next safe step.

scan-contextual

/scan-contextual

Use this skill when dependency, workflow, workspace, or policy files changed and Claude needs a focused Guard scan instead of a full repository scan.

workflow-audit

/workflow-audit

Use this skill when GitHub Actions workflows or CODEOWNERS changed and Claude should run a focused Guard workflow audit.

Hooks1

Event Hooks

Bash

File writes

21 hooks across 6 events

Stats

Version0.2.0

ReleasedApr 14, 2026

LanguageGo

Stars1

MaintenanceGood

LicenseMIT

Last CommitApr 14, 2026

AddedApr 14, 2026

Actions

View on GitHub View README Plugin Marketplace JSON

Own this plugin?

Verify ownership to unlock analytics, metadata editing, and a verified badge. GitHub access is read-only (username + org membership).

Available In

guard1

Safety Signals

Caution

Executes bash commands

Hook triggers when Bash tool is used

Modifies files

Hook triggers on file write and edit operations

Uses power tools

README

Guard

Supply chain security for pnpm repositories and GitHub Actions.

Guard helps teams answer one question before a dependency or CI change lands:

Can we trust this change?

It combines:

repository posture checks,
dependency and lockfile review,
workflow hardening,
policy validation and exceptions,
machine-readable output for CI and automation.

Links:

Install

Target	Install
Claude Code	`claude plugins marketplace add MauroProto/guard && claude plugins install guard@guard`
Guard CLI (Go)	`go install github.com/MauroProto/guard/cmd/guard@latest`
Guard CLI (shell)	`curl -fsSL https://raw.githubusercontent.com/MauroProto/guard/main/install.sh \| sh`
From source	`git clone https://github.com/MauroProto/guard.git && cd guard && make install`

If the Claude Code plugin cannot find the guard binary in PATH, set:

export GUARD_BIN=/absolute/path/to/guard

What Guard ships

Guard is a hybrid product:

Guard CLI stays first-class for CI, SARIF, JSON, headless scans, review-pr, baseline, and policy lint.
Claude Code plugin adds focused, contextual Guard runs inside edit sessions without replacing the CLI.

The plugin is distributed from this repository through .claude-plugin/marketplace.json, and the Claude Code plugin itself lives at:

plugins/claude-code/guard-security

Quick start

guard init
guard scan
guard fix
guard baseline record

For a PR or branch review:

guard review-pr
guard review-pr --base origin/main --head HEAD --format markdown
guard explain review.diff.install_script.added

For focused scans:

guard scan --scope workflows --format json
guard scan --scope deps --files package.json,pnpm-lock.yaml --format json
guard scan --scope policy --files .guard/policy.yaml --format json
guard scan --changed-files --format json

Claude Code plugin

The plugin is designed to be useful, not noisy.

When enabled, it reacts to the right moments:

SessionStart
- verifies Guard availability,
- detects repo root and key files,
- initializes light session state.
FileChanged
- marks deps, workflows, workspace, or policy as pending review.
PostToolUse on Write|Edit
- runs focused Guard scans in JSON mode for affected surfaces.
PreToolUse on Bash
- watches dependency mutation commands such as pnpm add, pnpm up, pnpm install, npm install, and corepack use.
Stop
- summarizes pending or blocking Guard scopes.

V1 behavior is intentionally balanced:

no full scans on every event,
no auto-fix from hooks,
no blanket Bash blocking,
no dependence on paths outside the installed plugin bundle.

One-off local plugin testing

claude --plugin-dir /absolute/path/to/guard/plugins/claude-code/guard-security

Commands

Command	Alias	Description
`guard scan`	`guard s`	Scan the repository for security issues
`guard fix`	`guard f`	Apply safe local remediations
`guard init`	`guard i`	Create or patch a secure baseline
`guard ci`	`guard c`	Strict scan mode for CI pipelines
`guard diff`	`guard d`	Compare two package versions for risk signals
`guard review-pr`	`guard review`	Review dependency and workflow changes between git refs
`guard approve`	`guard ab`	Approve a package that needs build scripts
`guard baseline record`	-	Record the current finding set as baseline debt
`guard explain`	-	Explain a rule ID or a finding fingerprint
`guard policy lint`	-	Validate policy/config semantics and deprecated fields

What it checks

Repository posture

missing pnpm-lock.yaml
missing packageManager in package.json
missing engines.node

pnpm hardening

minimumReleaseAge missing or too low
blockExoticSubdeps disabled
strictDepBuilds disabled
trustPolicy not set to no-downgrade
unapproved build scripts in allowBuilds

GitHub Actions

actions not pinned to full commit SHA
missing or overly broad permissions
missing CODEOWNERS
risky pull_request_target patterns
privileged publish workflows without attestations

Dependency review

new install scripts
suspicious remote fetch or command execution patterns
new binary files
obfuscation signals
sensitive path access like .env, .ssh, .npmrc
new OSV advisories
trust regressions surfaced by review-pr

Output formats

View full README on GitHub

guard

Popularity

What's Inside

Confidence

README

Guard

Install

What Guard ships

Quick start

Claude Code plugin

One-off local plugin testing

Commands

What it checks

Repository posture

pnpm hardening

GitHub Actions

Dependency review

Output formats

Similar Plugins

supply-chain-security

sentinel

repo-forensics

ai-security

gh-guard

supply-chain-risk-auditor

More by MauroProto

lateral-mode

Guard

Install

What Guard ships

Quick start

Claude Code plugin

One-off local plugin testing

Commands

What it checks

Repository posture

pnpm hardening

GitHub Actions

Dependency review

Output formats

Popularity

Health & Quality

More by MauroProto

lateral-mode

Similar Plugins

supply-chain-security

sentinel

repo-forensics

ai-security

gh-guard

supply-chain-risk-auditor