Add one step to your existing workflow to protect every subsequent package manager command. No secrets or tokens are required.

Integration

1. Add the Safe Chain install step

Insert the install step after your Node.js (or other runtime) setup action and before any dependency installation steps.

- name: Install safe-chain
  run: curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh -s -- --ci

The --ci flag installs executable shims into PATH rather than shell aliases, which is required for non-interactive CI shells.

2. Continue with your normal build steps

All subsequent package manager commands (npm, npx, yarn, pnpm, pip, etc.) are automatically routed through Safe Chain’s malware proxy. No changes to those steps are needed.

- name: Install dependencies
  run: npm ci

Complete workflow example

- name: Setup Node.js
  uses: actions/setup-node@v4
  with:
    node-version: "22"
    cache: "npm"

- name: Install safe-chain
  run: curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh -s -- --ci

- name: Install dependencies
  run: npm ci

This example works with ubuntu-latest and other Linux-based runners. Windows runners should use the PowerShell install command.

To ensure reproducible builds, pin Safe Chain to a specific version by replacing latest with a version number in the URL (available from v1.3.2):

curl -fsSL https://github.com/AikidoSec/safe-chain/releases/download/x.x.x/install-safe-chain.sh | sh -s -- --ci

All available versions are listed on the releases page.
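
The page sets three conditions on a workflow: the install step runs before any package manager command, it passes --ci, and it is pinned to a release. The following check for those conditions is an added example, not part of Safe Chain or its documentation. The names `run_commands` and `audit` are hypothetical, and the scan is line-based rather than a full YAML parse.

```python
import re
# Package managers the page names as routed through Safe Chain.
PKG_CMD = re.compile(r"(?<![\w./-])(npm|npx|yarn|pnpm|pip)(?=\s|$)")
INSTALLER = "install-safe-chain.sh"

def run_commands(workflow_text):
    """Yield (line_number, command) per `run:` command, block scalars included."""
    lines = workflow_text.splitlines()
    i = 0
    while i < len(lines):
        m = re.match(r"(\s*(?:-\s+)?)run:\s*(.*)", lines[i])
        i += 1
        if not m:
            continue
        key_col, cmd = len(m.group(1)), m.group(2)
        if cmd[:1] not in ("|", ">"):
            yield i, cmd
            continue
        # Block scalar: body lines are indented deeper than the `run` key.
        while i < len(lines):
            body = lines[i]
            if body.strip() and len(body) - len(body.lstrip()) <= key_col:
                break
            i += 1
            if body.strip():
                yield i, body.strip()

def audit(workflow_text):
    """Return (line_number, message) findings; an empty list means compliant."""
    findings, protected = [], False
    for n, cmd in run_commands(workflow_text):
        if INSTALLER in cmd:
            protected = True
            if "/releases/latest/download/" in cmd:
                findings.append((n, "installer not pinned to a release version"))
            if "--ci" not in cmd.split():
                findings.append((n, "--ci missing, shims will not be on PATH"))
        elif PKG_CMD.search(cmd) and not protected:
            findings.append((n, "package manager runs before safe-chain install"))
    if not protected:
        findings.append((0, "no safe-chain install step found"))
    return findings

# Constructed sample workflow: wrong step order, unpinned URL, no --ci.
SAMPLE_BAD = """\
steps:
  - run: npm ci
  - run: curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh
"""
```

Calling `audit(SAMPLE_BAD)` returns one finding for line 2 and two for line 3. Run over each file in `.github/workflows/`, it can gate pull requests that reorder or remove the install step.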
