This guide walks you through getting FANGS operational end-to-end on a single Linux host: starting the orchestrator, starting the runner, adding your first npm package to the watch list, and triaging what comes back. By the end you will have a live deviation report in your terminal and the web dashboard. All commands are taken directly from the source — nothing is invented.Documentation Index
Fetch the complete documentation index at: https://mintlify.com/irchaosclub/FANGS/llms.txt
Use this file to discover all available pages before exploring further.
Complete the Installation step first. You need
bin/fangs-orchestrator, bin/fangs-runner, and bin/fangs built and ready in your working directory.Overview
FANGS requires three concurrent processes: the orchestrator (control-plane), the runner (execution-plane), and optionally the CLI for operator interactions. Open three terminal windows in the repository root before you begin.Step 1 — Start the Orchestrator
The orchestrator owns all persistent state, exposes the HTTP API, runs the npm watcher, and serves the web dashboard. Start it in Terminal A:127.0.0.1:8443, stores data in var/lib/fangs/fangs.db (created automatically), enables the npm watcher on a 5-minute poll interval, and serves the dashboard at /ui/. The startup log is JSON-structured and written to stderr:
Orchestrator Flag Reference
The most commonly adjusted flags at startup:| Flag | Default | Description |
|---|---|---|
-addr | 127.0.0.1:8443 | HTTP listen address |
-storage | sqlite | Storage backend: sqlite | postgres | none |
-sqlite-path | var/lib/fangs/fangs.db | SQLite database file path |
-postgres-dsn | (empty) | PostgreSQL DSN; also reads $FANGS_PG_DSN |
-watch | true | Enable the npm registry watcher |
-watch-interval | 5m | How often the watcher polls npm |
-ui | true | Serve the web dashboard at /ui/ |
-metrics | true | Expose Prometheus metrics at /metrics |
-config | config/orchestrator.yaml | YAML config for watched paths and allowlist |
-retention-days | 90 | Prune raw events older than N days (0 = never) |
-retention-interval | 24h | How often the retention pruner runs |
-notifiers-file | (empty) | Path to a JSON file of webhook targets upserted at startup |
-id | fangs-orchestrator | Identifier reported to runners on registration |
Step 2 — Start the Runner
The runner loads the eBPF sensor probes at startup and registers with the orchestrator. It needsCAP_BPF and Docker socket access, so run it with sudo in Terminal B:
http://127.0.0.1:8443 by default, adopts the system hostname as its runner ID, attaches all eBPF probes once (before any container starts), and enters a job-poll loop:
Runner Flag Reference
| Flag | Default | Description |
|---|---|---|
-orchestrator | http://127.0.0.1:8443 | Orchestrator base URL |
-runner-id | (hostname) | Stable identifier for this runner |
-tls-ca | (empty) | PEM CA bundle for verifying the orchestrator’s TLS cert |
-tls-cert | (empty) | Client cert for mTLS |
-tls-key | (empty) | Private key paired with -tls-cert |
-timeout | 30s | Per-request timeout for orchestrator control-plane calls |
Step 3 — Add a Package and Trigger a Scan
With both processes running, use the CLI in Terminal C to add an npm package to the watch list. This simultaneously registers it for ongoing watcher polling and queues an immediate scan of the current latest version:axios on npm, and dispatches a sandbox_scan job to the registered runner. In Terminal B you will see the runner pick up the job:
axios’s baseline — there is nothing to compare against yet, so zero deviations are written.
Subsequent releases of
axios detected by the watcher will be scanned automatically. Runs that produce deviations appear in fangs pending; runs that match the baseline extend it silently.Step 4 — Submit a One-Off Scan
You can queue a scan of any specific version without waiting for the watcher:Step 5 — Check the Run List
See all scans that have been executed:Step 6 — View Deviations
Check what behavioral differences were found:cred: true in watched_paths config (e.g. /root/.ssh/) render with critical severity and appear in red in the dashboard.
Step 7 — Inspect the Triage Queue
Any run that produced at least one deviation lands in the triage queue, waiting for an operator decision:Step 8 — Promote or Reject
When deviations are examined and judged to represent legitimate behavior changes (a new CDN endpoint, an updated dependency path), promote the run’s full fingerprint set into the baseline:pending, its fingerprints are merged into the baseline, and future scans of this package will treat those behaviors as expected.
Step 9 — Open the Dashboard
Everything visible in the CLI is also available as a live web view. Open:cred: true paths highlighted in red), the pending triage queue, and the current watcher status.
Prometheus metrics are available at:
Common CLI Commands at a Glance
Next Steps
Add Notifiers
Wire up Slack, Discord, or a generic SIEM webhook so deviations push to your team instead of waiting on a dashboard refresh. Use
fangs notifier add.Configure Watched Paths
Customize
config/orchestrator.yaml to track the file prefixes that matter most and mark credential paths with cred: true for high-severity treatment.Enable mTLS
In production, pass
-tls-cert, -tls-key, and -tls-client-ca to the orchestrator to prevent unauthorized runners from registering.Switch to PostgreSQL
Use
-storage postgres and -postgres-dsn (or $FANGS_PG_DSN) to move to a PostgreSQL backend for multi-runner or high-availability deployments.