Pre-install security interceptor for package managers. Scans every package against the OSV vulnerability database before it hits your system.
| Ecosystem | Intercepted commands | Manifest / Lockfile |
|---|---|---|
| Python | pip, uv, poetry |
requirements.txt, pyproject.toml, uv.lock, poetry.lock |
| Node.js | npm, yarn, pnpm |
package.json, package-lock.json, yarn.lock, pnpm-lock.yaml |
| Go | go get, go mod |
go.mod, go.sum |
| Rust | cargo add, cargo build, cargo fetch, cargo check |
Cargo.toml, Cargo.lock |
Shims sit ahead of your package managers in $PATH. Every install is scanned before execution.
Run primer scan <pkg> --ecosystem <eco> to check any package on demand without installing it.
Results cached locally for 24 hours. Repeat installs are instant with stale-on-error fallback.
Local SLM generates plain-English CVE summaries. No cloud dependency, no account required.
Covers Python, Node.js, Go, and Rust out of the box — one tool across your entire stack.
Diffs the lockfile after install to scan the full dependency tree — not just the package you named. Opt out per-command with --direct-only.
primer watch monitors manifests for changes and auto-scans on save. Debounced, cross-platform, and exits cleanly on Ctrl+C.
primer sbom emits a CycloneDX or SPDX Software Bill of Materials enriched with OSV vulnerability data.
primer scan --file audits existing packages and prints a ready-to-run fix command (npm install pkg@fixed, pip install "pkg>=fixed") for every patched vulnerability.
Install the primer GitHub App on any repository. Every push and pull request is scanned automatically — no workflow file, no CLI install, no configuration. primer posts a Check Run and PR comment on every event.
One step to install, scan, upload SARIF to the Security tab, and comment on the PR.
An opt-in pre-commit hook that scans staged manifest changes before a commit lands. Run once per repo. Works alongside the shim — the hook catches issues at commit time; the shim catches them at install time.
Add primer as an MCP tool so your AI coding agent queries vulnerability data before suggesting a package install. Add to your project's .mcp.json:
Run primer init once per machine. After that, npm install, pip install, cargo add, and go get are intercepted and scanned transparently — no changes to existing scripts or workflows.
Run in the background during a dev session. Re-scans manifest files automatically on save — 500 ms debounce, cross-platform, exits cleanly on Ctrl+C.
Generate a machine-readable inventory of all packages in a manifest or lockfile, enriched with OSV vulnerability data. Outputs CycloneDX v1.5 (default) or SPDX 2.3.
Protect a repository via GitHub Actions in five minutes — no local install required.
Install the shim layer on your machine so every package install is scanned automatically.
All ~/.primer/config.toml keys, the policy file schema, and the .primer/ directory layout.
Every command, flag, exit code, and environment variable.
GitHub Actions, Git hooks, SBOM generation, directory watcher, and MCP server.
Local SLM summaries with SmolLM2 or Ollama — no cloud dependency, no account required.