ByteOwl← BackInstall

Free to run · zero-config security for AI-assisted coding

Supply-chain security for vibe-coded software.

GuardDog sits in the loop with your AI coding assistant — vetting every package before it's installed and scanning every file it writes — so a shady dependency or a leaked API key never quietly makes it into your project.

2automatic checks — before every install, after every edit
$0to run the basic scanner — no API key, no subscription
0extra hassle — findings land right in your assistant
SCROLL DOWN FOR MORE • SCROLL DOWN FOR MORE •

What GuardDog does

Two problems, one tool.

Vibe coding — building fast by describing what you want to an AI assistant — moves quickly enough that two things slip through unnoticed: a third-party package with a bad license, a known vulnerability, or an abandoned maintainer; and a hardcoded secret or unsafe pattern the assistant writes and never mentions.

GuardDog closes both gaps automatically, running through the assistant you already use — no separate dashboard, no new habit to build.

  • Vets every package install: license, known vulnerabilities, maintenance health
  • Scans every file an assistant writes or edits: secrets, injection, unsafe deserialization, and more
  • Runs the same static pipeline as a CI gate via guarddog scan — free, no API key required

Get started

One command, everything you need.

guarddog-setup.sh installs the guarddog binary plus everything it needs to scan your code, bundled together as one download with one checksum. No compiler, no separate installs, safe to run unattended.

Install
curl -fsSL https://byteowl-guarddog-releases.s3.us-east-1.amazonaws.com/guarddog-setup.sh | sh
  • macOS and Linux — GuardDog's core scanning engine has no native Windows build; on Windows, install inside WSL and run the same command there.
  • Installs to ~/.local/bin by default; override with --install-dir <path> or GUARDDOG_INSTALL_DIR.
  • This is exactly what you can tell your AI assistant to run on your behalf — no prompts, nothing interactive.

Every release, verifiable

All versions, always up to date.

This list is read straight from the same place guarddog-setup.sh downloads from — the moment a new version ships, it shows up here automatically, with a direct download and checksum for each platform.

Checking for releases…

Two commands to full protection

Wire it in, then forget about it.

guarddog init is read-only — it inspects your project and prints the exact hook snippet to add for whichever AI assistant you use (Claude Code, Cursor, or GitHub Copilot), rather than editing config files for you.

Set up this project
guarddog init
  • Once the printed snippet is applied, two things start happening automatically: a pre-install vetting gate, and a post-edit scan of anything your assistant just wrote.
  • Not sure it's actually protecting you? guarddog doctor prints a plain checklist of exactly what's set up.

What you get

Protection that just runs.

Two automatic checks cover the two places risk actually gets introduced — installing a new package, and writing new code — so there's nothing extra to remember and no separate tool to open.

  • Every package checked before install: license, known vulnerabilities, and maintenance health
  • Every file checked the moment it's written or edited: secrets, injection, unsafe patterns, and more
  • Findings and fix suggestions appear right in your assistant's own chat — nothing extra to read
  • AI-quality code review included at no extra cost, through the assistant you're already using

Full control from the terminal

The same pipeline, on demand.

guarddog scan runs the complete static pipeline against a repo and reports each engine's findings independently — static analysis, secrets, and dependencies — with real scan-volume numbers (files scanned, rules evaluated, dependencies checked), not just a pass/fail count. Drop it into CI or a pre-commit hook: it exits nonzero on critical findings.

Scan a repo
guarddog scan
guarddog scan [path]Full static (+ optional AI) scan — -json for machine-readable output
guarddog initReport missing hook config for this project, read-only
guarddog doctorPlain-English check: is GuardDog actually set up here?
guarddog acceptRecord, list, or remove an accepted risk for this project
guarddog configureSet up GuardDog Advanced (optional paid AI tier)
guarddog helpFull command/flag reference — help json for machine-readable output

Not every finding needs a fix

Ignore the fakes, accept the real ones.

Two project-local files handle the two different reasons a finding might not need action — both plain text, both meant to be committed and reviewed like any other config, never global to your machine.

  • .guarddogignore — for findings that aren't real: a test fixture with a deliberately fake secret, sample vulnerable code kept for a demo
  • .guarddogaccept / guarddog accept — for a finding that is real but the project has knowingly decided to live with, like a dependency vulnerability with no patch yet
Accept a known risk
guarddog accept add -reason "no patched version yet, tracked upstream" guarddog.vuln.dependency go.mod
  • An accepted finding still shows up in guarddog scan's report for visibility — it just doesn't count toward severity totals or the CI exit-code gate.

Optional — never required

GuardDog Advanced, for unattended runs.

Pattern-based checks catch known-bad shapes; they can't reason about intent. GuardDog Advanced sends flagged (and nearby) source to an AI model for a context-aware pass — useful for CI or cron runs with no assistant in the loop to review things itself for free.

Everything above — package vetting, the post-edit scan, guarddog scan's full pipeline — runs at no cost without it. This is the one part of GuardDog that isn't free.

Turn it on
guarddog configure

Requirements

macOS and Linux, natively.

GuardDog runs natively on macOS and Linux. On Windows, install and run it inside WSL — the same install command works unmodified there.

  • Claude Code, Cursor, and GitHub Copilot all supported
  • Checksum-verified install — nothing runs until it's confirmed authentic
  • A Claude Code skill is available, so an assistant can set itself up without a manual walkthrough
Install the Claude Code skill
mkdir -p .claude/skills/guarddog && curl -fsSL "https://byteowl-guarddog-releases.s3.us-east-1.amazonaws.com/$(curl -fsSL https://byteowl-guarddog-releases.s3.us-east-1.amazonaws.com/latest.txt)/SKILL.md" -o .claude/skills/guarddog/SKILL.md