OP here. Sharing this early because I'm trying to gauge if this specific pain point is widespread, or if I'm just scratching a niche itch.
Context: I’ve been working in a regulated monorepo and realized that almost all existing supply chain tools assume you are a large enterprise with dedicated infrastructure.
The gap I found:
Scanners are reactive (they yell at you after the fact).
Artifactory/Nix are heavy (they require rebuilding your workflow or hosting servers).
I wanted something in the middle. The idea is a lightweight CLI that acts as a local proxy to gate npm/cargo/go requests against policies stored directly in git. It forces "lockfile intent" (what the dev wants) to match "security policy" (what the repo allows) before the package hits the host.
The mechanism I'm most interested in feedback on is the enforcement logic: sbom check --policy-from=origin/main
This allows the CLI to judge the "crimes" on your feature branch against the "laws" defined in main. It effectively prevents a developer from un-banning a vulnerable package in the same PR that introduces it.
Does this "local proxy" approach feel like the right middle ground to you, or is the overhead of a proxy too much for a daily driver?
mohamedattahri•1d ago
Context: I’ve been working in a regulated monorepo and realized that almost all existing supply chain tools assume you are a large enterprise with dedicated infrastructure.
The gap I found:
Scanners are reactive (they yell at you after the fact).
Artifactory/Nix are heavy (they require rebuilding your workflow or hosting servers).
I wanted something in the middle. The idea is a lightweight CLI that acts as a local proxy to gate npm/cargo/go requests against policies stored directly in git. It forces "lockfile intent" (what the dev wants) to match "security policy" (what the repo allows) before the package hits the host.
The mechanism I'm most interested in feedback on is the enforcement logic: sbom check --policy-from=origin/main
This allows the CLI to judge the "crimes" on your feature branch against the "laws" defined in main. It effectively prevents a developer from un-banning a vulnerable package in the same PR that introduces it.
Does this "local proxy" approach feel like the right middle ground to you, or is the overhead of a proxy too much for a daily driver?