Pre-install security interceptor for package managers. Scans every package against the OSV vulnerability database before it hits your system.

$ curl --proto '=https' --tlsv1.2 -fsSL https://github.com/barestripehq/primer/releases/latest/download/primer-installer.sh | sh

Supported ecosystems

Ecosystem Intercepted commands Manifest / Lockfile
Python pip, uv, poetry requirements.txt, pyproject.toml, uv.lock, poetry.lock
Node.js npm, yarn, pnpm package.json, package-lock.json, yarn.lock, pnpm-lock.yaml
Go go get, go mod go.mod, go.sum
Rust cargo add, cargo build, cargo fetch, cargo check Cargo.toml, Cargo.lock

How it works

$ pip install pillow
→ primer shim intercepts
→ queries OSV vulnerability database
→ found 3 vulnerabilities (1 CRITICAL, 2 HIGH)
pillow 9.0.0 — GHSA-56pw-mpj4-fxjw [CRITICAL]
Fixed in: 9.0.1
→ [prompt] View full details? (y/N)
→ [prompt] Continue install anyway? (y/N)
→ exits 1 on "N"

$ pip install requests
✓ requests: found 0 vulnerabilities

Features

Intercept

Shims sit ahead of your package managers in $PATH. Every install is scanned before execution.

Scan

Run primer scan <pkg> --ecosystem <eco> to check any package on demand without installing it.

Cache

Results cached locally for 24 hours. Repeat installs are instant with stale-on-error fallback.

AI Summary

Local SLM generates plain-English CVE summaries. No cloud dependency, no account required.

Polyglot

Covers Python, Node.js, Go, and Rust out of the box — one tool across your entire stack.

Transitive Scanning

Diffs the lockfile after install to scan the full dependency tree — not just the package you named. Opt out per-command with --direct-only.

Watch Mode

primer watch monitors manifests for changes and auto-scans on save. Debounced, cross-platform, and exits cleanly on Ctrl+C.

SBOM

primer sbom emits a CycloneDX or SPDX Software Bill of Materials enriched with OSV vulnerability data.

Remediation

primer scan --file audits existing packages and prints a ready-to-run fix command (npm install pkg@fixed, pip install "pkg>=fixed") for every patched vulnerability.


Integrations

GitHub App

Zero-config automatic scanning

Install the primer GitHub App on any repository. Every push and pull request is scanned automatically — no workflow file, no CLI install, no configuration. primer posts a Check Run and PR comment on every event.

CI / CD

GitHub Actions

One step to install, scan, upload SARIF to the Security tab, and comment on the PR.

- uses: barestripehq/primer-action@v1
  with:
    file: package-lock.json
Git Hook

Block vulnerable commits

An opt-in pre-commit hook that scans staged manifest changes before a commit lands. Run once per repo. Works alongside the shim — the hook catches issues at commit time; the shim catches them at install time.

# install the hook in the current repo
primer hook install

# run the check manually without committing
primer hook check
AI Agents · MCP

Claude Code, Cursor, Cline

Add primer as an MCP tool so your AI coding agent queries vulnerability data before suggesting a package install. Add to your project's .mcp.json:

{
  "mcpServers": {
    "primer": {
      "command": "primer",
      "args": ["mcp"]
    }
  }
}
Shim Intercept

Developer machines

Run primer init once per machine. After that, npm install, pip install, cargo add, and go get are intercepted and scanned transparently — no changes to existing scripts or workflows.

# one-time setup
primer init

# then use package managers as normal — primer intercepts automatically
pip install requests
npm install express
Directory Watcher

Live manifest monitoring

Run in the background during a dev session. Re-scans manifest files automatically on save — 500 ms debounce, cross-platform, exits cleanly on Ctrl+C.

# watch current directory, scan immediately on startup
primer watch --directory . --scan
SBOM

Software Bill of Materials

Generate a machine-readable inventory of all packages in a manifest or lockfile, enriched with OSV vulnerability data. Outputs CycloneDX v1.5 (default) or SPDX 2.3.

# CycloneDX (default)
primer sbom --file pyproject.toml --output sbom.json

# SPDX
primer sbom --file package-lock.json --format spdx --output sbom.json

Browse the docs

Quickstart

Protect a repository via GitHub Actions in five minutes — no local install required.

Installation

Install the shim layer on your machine so every package install is scanned automatically.

Configuration

All ~/.primer/config.toml keys, the policy file schema, and the .primer/ directory layout.

CLI Reference

Every command, flag, exit code, and environment variable.

Integrations

GitHub Actions, Git hooks, SBOM generation, directory watcher, and MCP server.

AI Layer

Local SLM summaries with SmolLM2 or Ollama — no cloud dependency, no account required.