Documentation Index

Fetch the complete documentation index at: https://mintlify.com/CarlosEduJs/SCAL-P/llms.txt

Use this file to discover all available pages before exploring further.

SCAL-P is a Go CLI tool that acts as a security layer between your JavaScript project and the npm ecosystem. It wraps your package manager to enforce dependency policies before install, hash every installed package for integrity verification, and produce a structured audit trail of every operation. With zero external Go dependencies and an offline-first design, SCAL-P fits into any development workflow or CI pipeline.

Installation

Download the binary or build from source. Get SCAL-P running in under a minute.

Quickstart

Run your first guarded install and see policy enforcement in action.

Command reference

Every command, flag, and default value documented with real examples.

Policy configuration

Configure allowlists, denylists, trust scores, and enforcement modes.

What SCAL-P does

npm and pnpm run arbitrary code during install via lifecycle scripts. SCAL-P flips the order: policy before trust, hash after install, audit always.
1. Resolve dependencies

SCAL-P resolves your lockfile without installing, so it can evaluate every package before any code runs.

2. Evaluate policy and trust scores

Every dependency is checked against your .scalp/policy.json: allow/deny rules, minimum trust score, and hash requirements.

3. Install with hash verification

If all packages pass, SCAL-P installs and then computes a SHA-512 hash of every package directory, saving them to .scalp/lockfile.json.

4. Audit and report

Hash verification re-hashes node_modules and confirms it matches the lockfile. A structured JSON report is written for CI consumption.
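The hash-after-install and audit steps above, as an added Go example that is not SCAL-P's own code: it hashes a package directory deterministically with SHA-512, checks a node_modules tree against a lockfile map, and prints one NDJSON audit line. The lockfile shape, the audit field names, the NUL-framed path-and-size scheme, and the constructed left-pad fixture are this example's assumptions, not SCAL-P's real formats.

```go
package main

import (
	"crypto/sha512"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"io/fs"
	"os"
	"path/filepath"
	"sort"
)

// HashPackageDir returns the hex SHA-512 of a package directory. Files are
// visited in lexical order; each file's relative path and size are NUL-framed
// ahead of its bytes, so a dropped-in postinstall.js or a renamed file changes
// the digest, not only edits to existing content. Directories and symlinks are
// skipped. This is an illustrative scheme, not SCAL-P's own hashing.
func HashPackageDir(root string) (string, error) {
	h := sha512.New()
	err := filepath.WalkDir(root, func(p string, d fs.DirEntry, err error) error {
		if err != nil {
			return err // a missing root surfaces here as fs.ErrNotExist
		}
		if !d.Type().IsRegular() {
			return nil
		}
		info, err := d.Info()
		if err != nil {
			return err
		}
		rel, _ := filepath.Rel(root, p) // p is always under root here
		fmt.Fprintf(h, "%s\x00%d\x00", filepath.ToSlash(rel), info.Size())
		f, err := os.Open(p)
		if err != nil {
			return err
		}
		defer f.Close()
		_, err = io.Copy(h, f)
		return err
	})
	if err != nil {
		return "", err
	}
	return hex.EncodeToString(h.Sum(nil)), nil
}

// Lockfile stands in for .scalp/lockfile.json: package name -> hex SHA-512.
// (Assumed shape for this example; the real file's schema is not claimed.)
type Lockfile map[string]string

// Mismatch is one package whose on-disk hash differs from the lockfile;
// Actual is "<missing>" when the package directory is absent.
type Mismatch struct {
	Package, Expected, Actual string
}

// VerifyNodeModules rehashes every locked package under nodeModules and
// returns mismatches in sorted order; a nil result means node_modules matches.
func VerifyNodeModules(nodeModules string, lock Lockfile) ([]Mismatch, error) {
	names := make([]string, 0, len(lock))
	for n := range lock {
		names = append(names, n)
	}
	sort.Strings(names)
	var out []Mismatch
	for _, name := range names {
		dir := filepath.Join(nodeModules, filepath.FromSlash(name)) // @scope/pkg nests
		got, err := HashPackageDir(dir)
		switch {
		case errors.Is(err, fs.ErrNotExist):
			out = append(out, Mismatch{name, lock[name], "<missing>"})
		case err != nil:
			return nil, err
		case got != lock[name]:
			out = append(out, Mismatch{name, lock[name], got})
		}
	}
	return out, nil
}

func main() {
	// Constructed fixture: a throwaway node_modules holding one package
	// (fixture errors are ignored for brevity).
	tmp, _ := os.MkdirTemp("", "scalp-example")
	defer os.RemoveAll(tmp)
	pkg := filepath.Join(tmp, "node_modules", "left-pad")
	os.MkdirAll(pkg, 0o755)
	os.WriteFile(filepath.Join(pkg, "index.js"), []byte("module.exports = (s, n) => s.padStart(n)\n"), 0o644)
	base, _ := HashPackageDir(pkg) // hash after install: the recorded baseline
	lock := Lockfile{"left-pad": base}
	// Simulate post-install tampering with a dropped-in lifecycle script.
	os.WriteFile(filepath.Join(pkg, "postinstall.js"), []byte("require('child_process').exec('id')\n"), 0o644)
	findings, _ := VerifyNodeModules(filepath.Join(tmp, "node_modules"), lock)
	// Audit always: one NDJSON line (Encode appends the newline); field names are this example's.
	json.NewEncoder(os.Stdout).Encode(map[string]any{"op": "audit", "ok": len(findings) == 0, "findings": findings})
}
```

Framing the relative path and size before each file's bytes is what makes the digest sensitive to structure: hashing concatenated contents alone would let an attacker move bytes between files, or add an empty-named script, without changing the result. Symlinks are deliberately skipped here; a production tool has to decide whether to hash the link target, the link itself, or refuse links that escape the package directory.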

Key capabilities

Trust scoring

Packages are scored 0–80 based on hash verification, version maturity, download popularity, and CVE status. Set a minimum score in policy.

CI mode

scalp ci resolves, evaluates, installs, audits, and writes a JSON report in one command — always exits 1 on violations.

Binary verification

scalp verify checks SCAL-P's own release binaries with the same SHA-512 engine, so the tool that enforces your dependency integrity is itself verifiable.

Audit log

Every install, audit, and verify produces NDJSON events appended to .scalp/audit.log for complete traceability.

One command for CI

The fastest way to add supply chain security to a CI pipeline:
scalp ci --pr-context fork --output ci-report.json
  • Blocks on any policy violation — exit code 1
  • Forces require_hash in fork PRs to prevent lockfile tampering
  • Passes --ignore-scripts to your package manager — no postinstall code
  • Writes a machine-readable JSON report
No policy file? SCAL-P defaults to audit-only mode — it hashes and logs everything without blocking. Add .scalp/policy.json when you’re ready to enforce.