Running FANGS day-to-day centers on a tight loop: add packages you care about, watch for new releases that deviate from their baseline, decide whether each deviation is legitimate behavior or a threat, and teach FANGS to ignore recurring noise. The web UI at http://127.0.0.1:8443/ui/ mirrors the CLI exactly — both surfaces show the same underlying data, so you can use whichever fits your workflow.
The Core Workflow
Register a package with the watcher. FANGS validates the name against the npm registry, adds it to the watch list, and immediately queues a sandbox scan of the current latest version.
That first scan becomes the baseline — no deviations are possible because there is nothing to compare against yet. Every subsequent release is compared to this rolling baseline.
fangs pending shows every run that has at least one deviation and has not yet been promoted to baseline. Rows are sorted by maximum severity (descending), then by most-recently-detected.

SEVERITY  RUN           PACKAGE  VERSION  FINDINGS  DETECTED  PROMOTE
crit      18b1f8a3c2e1  axios    1.8.2    3         2m ago    fangs baseline promote 18b1f8a3c2e1
warn      9f4d2c8b1a70  chalk    5.4.0    1         14m ago   fangs baseline promote 9f4d2c8b1a70

-package P
-min-severity S (low|medium|high|critical)
-limit N

Use the global -json flag before the subcommand to emit JSON instead of a table: fangs -json pending.
The PROMOTE column contains a ready-to-paste command. After reviewing a run, you can copy it directly from the terminal output.
# All deviations
fangs deviation list
# Filter by package and severity
fangs deviation list -package axios -severity crit
# Filter by run
fangs deviation list -run-id 18b1f8a3c2e1
critwarncrit; tuning alias reserved for future per-category weight adjustments)info
When you have reviewed the deviations for a run and determined the new behavior is legitimate — a library added a telemetry endpoint, changed CDN providers, started reading a new config path — promote the run:
baseline_fingerprints (applying your current allowlists first, so suppressed values don’t get baked in).
is_baseline = true on the run.
The next scan for this package will treat the promoted fingerprints as “known” and not flag them again.
The first run for a package auto-seeds the baseline — you never need to promote it manually. Any subsequent run that produces zero deviations is also automatically promoted. Manual promotion is only required when deviations exist.
If the same destination, path, or hostname keeps reappearing across multiple package releases and you’ve confirmed it is safe, add an allowlist rule instead of promoting every run individually:
# Suppress all connections into an internal CIDR (global)
fangs allow add -kind cidr -value 10.0.0.0/8 -note 'internal network'
# Suppress reads of a path prefix (global)
fangs allow add -kind path -value /usr/local/lib/ -note 'shared libs'
# Suppress a specific SNI for a single package
fangs allow add -kind sni -value telemetry.example.com -package axios -note 'axios telemetry'
See the Allowlists guide for full details on scoping and kind semantics.
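A small model of the allowlist behaviour described above, added here as an illustration and not FANGS's own code. The Rule and Finding types, the matching semantics (CIDR containment, normalized path prefix, case-insensitive SNI equality) and the sample findings are assumptions; it shows package scoping and why applying allowlists before promotion keeps suppressed values out of the baseline.

```python
import ipaddress
import posixpath
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    kind: str  # "cidr", "path" or "sni", as passed to `fangs allow add -kind`
    value: str
    package: Optional[str] = None  # None models a global rule

@dataclass(frozen=True)
class Finding:  # hypothetical shape of one observed value in a run
    package: str
    kind: str
    value: str

def suppressed(f, rules):
    """True if an in-scope rule of the same kind covers the finding."""
    for r in rules:
        if r.kind != f.kind or r.package not in (None, f.package):
            continue
        if r.kind == "cidr":
            try:
                if ipaddress.ip_address(f.value) in ipaddress.ip_network(r.value):
                    return True
            except ValueError:
                continue  # malformed address or network never matches
        elif r.kind == "path":
            # Normalize first so "../" cannot ride on an allowlisted prefix.
            if posixpath.normpath(f.value).startswith(r.value):
                return True
        elif r.kind == "sni" and f.value.lower() == r.value.lower():
            return True
    return False

def promote(findings, rules):
    """Values that would enter the baseline; allowlisted ones are dropped first."""
    return {(f.kind, f.value) for f in findings if not suppressed(f, rules)}

# Rules mirror the three commands above; the findings are constructed samples.
RULES = [Rule("cidr", "10.0.0.0/8"), Rule("path", "/usr/local/lib/"),
         Rule("sni", "telemetry.example.com", package="axios")]
AXIOS_RUN = [Finding("axios", "cidr", "10.2.3.4"),
             Finding("axios", "sni", "telemetry.example.com"),
             Finding("axios", "sni", "cdn.example.net"),
             Finding("axios", "path", "/usr/local/lib/../../etc/passwd")]
CHALK_RUN = [Finding("chalk", "sni", "telemetry.example.com")]
```

In this model the axios-scoped SNI rule leaves the same hostname unsuppressed for chalk, and the traversal-style path stays visible as a deviation instead of being hidden by the /usr/local/lib/ prefix rule.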
Run History
View all runs across every package, or filter to one:
pending → building → sandboxed → analyzed → done / failed), whether the run is part of the baseline, event counts, and timing.
Reviewing the Baseline
Inspect what the current baseline fingerprints contain for a package to understand what FANGS considers “normal” for it:
Package Management
Web UI
Every view described above is also available in the browser at http://127.0.0.1:8443/ui/. The pending queue, deviation list, run history, and baseline table all appear as the same data the CLI reads from the storage backend. The PROMOTE button in the UI fires the equivalent of fangs baseline promote without leaving the browser.