GitHub Repository

Behavioral security monitoring for JVM dependencies. Catches malicious package updates before CVEs exist

1 starsJava

Marshal – behavioral supply-chain scanner for JVM dependencies

Name: Marshal – behavioral supply-chain scanner for JVM dependencies
Availability: InStock
Author: marshalhq

by marshalhq·Jun 16, 2026·2 points·0 comments

Visit Project View on HN

AI Analysis

●●SolidBig BrainSolve My Problem

Catches malicious dependency updates before CVEs exist, unlike Snyk or Dependabot.

Strengths

•Behavioral scoring catches threats before CVEs are published, not just known vulnerabilities.
•GitHub Action integration posts findings directly to PRs with clear fail thresholds.
•Detects specific signals like dropped GPG signatures and maintainer swaps automatically.

Weaknesses

•JVM-only scope limits adoption compared to language-agnostic supply chain tools.
•New project with zero stars means unproven detection accuracy in real attacks.

Similar Projects

Security●Mid

Lateos/NPM-scan – open-source NPM supply chain scanner, v0.18.3

NPM supply chain scanner competing against Socket, Snyk, and npm audit.

Ship It

lateos-ai

1014d ago

Security●●●Banger

Aguara – Security scanner for AI agent skills and MCP servers

Semgrep for AI agents—138 rules, offline, catches obfuscated attacks other scanners miss.

Solve My ProblemBig Brain

garagon

123mo ago

Security●●Solid

Agentsec – Security scanner for AI agent installations (MCP, OpenClaw)

Bundles CI-friendly scanners that target agent-specific risks: 17 patterned secret detectors, prompt-injection and instruction‑malware heuristics, tool/SSRF and MCP auth checks, plus SARIF/JSON outputs for integration. Findings map to the OWASP Top 10 for Agentic Applications (2026) and it adds 'harden' profiles to apply safer defaults to OpenClaw/MCP installs — practical, focused ops tooling rather than a generic secret-finder.

Niche GemSolve My Problem

debu_sinha_1

233mo ago

Developer Tools●●Solid