Packages installed during automated builds carry the same malware risk as those installed on developer machines. A compromised package introduced in CI can reach production before anyone notices. Safe Chain intercepts all package manager commands in your pipeline and checks every package — including deep dependencies — against Aikido’s threat intelligence feed in real time.

The --ci flag

On developer machines, Safe Chain uses shell aliases to wrap package manager commands. Aliases require an interactive shell session, which CI runners do not provide.
Use the --ci flag when installing Safe Chain in any CI/CD environment. It installs executable shims into PATH instead of shell aliases, so the protection works in non-interactive shells across all pipeline stages.
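Why an alias never fires in a pipeline step while a PATH shim does, shown as an added example that is not Safe Chain's own code. The `pkgmgr` command, the temp directory layout and the wrapper bodies are constructed stand-ins, and `resolves_to_shim` is a hypothetical guard you could adapt as a pipeline check.

```shell
#!/bin/sh
# Constructed demo. "pkgmgr", the directory layout and the wrapper bodies are
# stand-ins invented for this example; they are not Safe Chain's real files.
set -e

DEMO=$(mktemp -d)
mkdir -p "$DEMO/real" "$DEMO/shims"

# Stand-in for the real package manager binary.
printf '#!/bin/sh\necho "real pkgmgr $*"\n' > "$DEMO/real/pkgmgr"

# Developer-style protection: an alias in an rc file, which sh reads only
# when it starts as an interactive shell.
echo "alias pkgmgr='echo checked-by-alias'" > "$DEMO/rc"

# CI-style protection: an executable with the same name, earlier in PATH.
cat > "$DEMO/shims/pkgmgr" <<EOF
#!/bin/sh
echo "checked by shim: \$*"
exec "$DEMO/real/pkgmgr" "\$@"
EOF
chmod +x "$DEMO/real/pkgmgr" "$DEMO/shims/pkgmgr"

# Run one pipeline step the way a CI runner does: a fresh non-interactive
# shell. $1 is the directory list placed in front of PATH.
run_step() {
  ENV="$DEMO/rc" PATH="$1:$PATH" sh -c 'pkgmgr install left-pad'
}

# Pipeline guard: succeed only if pkgmgr resolves inside the shim directory.
resolves_to_shim() {
  case "$(PATH="$1:$PATH" sh -c 'command -v pkgmgr')" in
    "$DEMO/shims/"*) return 0 ;;
    *) return 1 ;;
  esac
}

echo "alias only (rc file is ignored, the real binary runs unchecked):"
run_step "$DEMO/real"
echo "shim first in PATH (the wrapper runs, then delegates):"
run_step "$DEMO/shims:$DEMO/real"
```
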

Installation

Unix/Linux (GitHub Actions, Azure Pipelines, CircleCI, etc.)

curl -fsSL https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.sh | sh -s -- --ci

Windows (PowerShell)

iex "& { $(iwr 'https://github.com/AikidoSec/safe-chain/releases/latest/download/install-safe-chain.ps1' -UseBasicParsing) } -ci"

After the install step runs, all subsequent npm, npx, yarn, pnpm, pip, uv, and other supported package manager commands in the pipeline are automatically protected — no further changes required.

Supported platforms

GitHub Actions

Full workflow example for ubuntu-latest and other runners.

Azure Pipelines, CircleCI, Jenkins, Bitbucket, GitLab

Configuration examples for all other major CI/CD platforms.
