Reference / FAQ

Frequently asked questions about Argus.

Everything you might ask before pointing an AI agent or MCP client at Argus — what it does, how it differs from existing scanners, which languages it covers, and how the severity model behaves in CI.

01 / Question

What is Argus?

Argus is an open-source command-line tool that performs static analysis on third-party packages before they are installed. It is designed for the AI-agent and Model Context Protocol (MCP) ecosystem, where agents routinely install packages from npm, PyPI, and other registries on demand. Argus reads the actual source code of a package, runs Go AST analysis on Go modules, and applies language-aware pattern and entropy rules on Python, JavaScript, TypeScript, Ruby, Rust, and shell scripts. It exits with a non-zero status code when it finds dangerous calls, hardcoded secrets, network beacons, obfuscation, or path-traversal payloads, so it can be composed in front of any package manager: argus scan ./pkg && pip install ./pkg. Argus is written in Go 1.22+, has zero external dependencies, and ships as a single binary for macOS, Linux, and Windows.
02 / Question

How is Argus different from npm audit, Snyk, or Dependabot?

Argus differs from npm audit, Snyk, and Dependabot in three ways. First, those tools match the package's name and version against a vulnerability database — they tell you a known-bad package is present. Argus reads the bytes of the package itself and flags behaviour, so it catches unpublished or zero-day malicious code that no database has yet recorded. Second, those tools run after installation; Argus runs before, so a malicious postinstall script never executes. Third, those tools target the human developer's workflow; Argus targets the agent workflow, where no human is reviewing the dependency tree the LLM proposes. Argus runs alongside vulnerability scanners — it doesn't replace them.
03 / Question

Can Argus scan MCP servers before Claude installs them?

Yes. Model Context Protocol servers are typically distributed as npm or PyPI packages, and Claude, Cursor, and other MCP clients install them on demand. Argus inserts a scan step between the package download and the install command. Wrap your MCP installer: argus scan ./mcp-server && npm install ./mcp-server. If Argus flags a CRITICAL finding, the install short-circuits with exit 1 and the package never executes its postinstall hook, never registers as an MCP tool, and never touches your filesystem outside the temporary scan directory. WARNING findings are logged but do not block — useful in CI where you want a paper trail without halting agent workflows.
04 / Question

What languages does Argus support?

Argus supports two analysis tiers. The first tier is Go, where Argus parses the full abstract syntax tree (AST) and resolves import aliases to their canonical package paths, so dangerous calls like os/exec.Command are caught even when imported under a renamed alias. The second tier is pattern-plus-entropy analysis on Python, JavaScript, TypeScript, Ruby, Rust, and shell scripts. These languages run through language-aware regular-expression rules combined with a Shannon-entropy pass on assignment expressions, which catches hardcoded credentials (AWS keys, GitHub PATs, OpenAI tokens) with a low false-positive rate even on base64-encoded test fixtures. Files larger than 1 MiB are skipped during SAST to keep scan times under 200 ms for a typical 5-MB package.
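
An added sketch of the alias resolution described above, built on Go's standard go/parser and go/ast packages. It is not Argus's own code; FindRefs, the sample source and the example.test import path are constructed for illustration.

```go
package main

import (
	"fmt"
	"go/ast"
	"go/parser"
	"go/token"
	"path"
	"strconv"
)

// Constructed sample: os/exec hides behind alias "sh"; "exec" names a decoy package.
const sample = `package p
import sh "os/exec"
import exec "example.test/notos/exec"
func run() {
	sh.Command("id").Run()
	exec.Command("noop")
}
`

// FindRefs lists references to pkgPath.fn under any local import name (shadowing is not tracked).
func FindRefs(src, pkgPath, fn string) ([]string, error) {
	fset := token.NewFileSet()
	file, err := parser.ParseFile(fset, "sample.go", src, 0)
	if err != nil {
		return nil, err
	}
	local := map[string]string{} // local name -> canonical import path
	for _, imp := range file.Imports {
		p, _ := strconv.Unquote(imp.Path.Value)
		name := path.Base(p) // default name when the import has no alias
		if imp.Name != nil {
			name = imp.Name.Name
		}
		local[name] = p
	}
	var hits []string
	ast.Inspect(file, func(n ast.Node) bool {
		if sel, ok := n.(*ast.SelectorExpr); ok && sel.Sel.Name == fn {
			if id, ok := sel.X.(*ast.Ident); ok && local[id.Name] == pkgPath {
				hits = append(hits, fmt.Sprintf("line %d: %s.%s via %q", fset.Position(sel.Pos()).Line, pkgPath, fn, id.Name))
			}
		}
		return true
	})
	return hits, nil
}

func main() { fmt.Println(FindRefs(sample, "os/exec", "Command")) }
```

A text match on "exec.Command" would flag the decoy on line 6 and miss the real call on line 5; resolving the local name to its import path reverses both outcomes.
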
05 / Question

How does Argus detect hardcoded secrets without false positives?

Argus does two passes to keep secret detection precise. The first pass is rule-based: language-specific patterns match the canonical shapes of AWS access keys, GitHub personal access tokens, OpenAI API keys, Stripe keys, Slack tokens, and similar credentials with documented prefixes. The second pass is statistical: a Shannon-entropy calculation runs only on the right-hand side of assignment expressions, where secrets live, rather than on every string literal in the file. The entropy threshold (H ≈ 4.5) is tuned to flag genuinely random tokens while ignoring base64-encoded test data, lockfile hashes, and other high-entropy strings that aren't actually secrets — the kind that trip naive scanners. Argus treats hardcoded secrets as CRITICAL: a leaked production key is one of the worst things an MCP server can leak.
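
The two passes described above, as an added Go sketch that is not Argus's own implementation. The two credential patterns, the assignment regex, the reading of H as bits per character, and every sample line are assumptions constructed for this example.

```go
package main

import (
	"fmt"
	"math"
	"regexp"
)

// Assumed credential shapes for pass one (AWS access key ID, GitHub PAT).
var prefixed = regexp.MustCompile(`\b(AKIA[0-9A-Z]{16}|ghp_[A-Za-z0-9]{36})\b`)

// Quoted right-hand side of a simple assignment such as  name = "value".
var assignRHS = regexp.MustCompile(`^\s*[\w.]+\s*:?=\s*["']([^"']+)["']`)

const threshold = 4.5 // the page's H, taken here as bits per character

// Entropy returns the Shannon entropy of s in bits per character.
func Entropy(s string) float64 {
	counts, n := map[rune]float64{}, 0.0
	for _, r := range s {
		counts[r]++
		n++
	}
	h := 0.0
	for _, c := range counts {
		h -= c / n * math.Log2(c/n)
	}
	return h
}

// Classify runs the prefix rules on the whole line, then entropy on an assignment's RHS only.
func Classify(line string) string {
	if prefixed.MatchString(line) {
		return "CRITICAL"
	}
	if m := assignRHS.FindStringSubmatch(line); m != nil && Entropy(m[1]) >= threshold {
		return "WARNING"
	}
	return ""
}

func main() {
	for _, l := range []string{ // constructed sample lines
		`aws_key = "AKIAIOSFODNN7EXAMPLE"`,
		`token = "k3Vx9QpL2mZ7wTr5Yb8NcJ4hGd6Fs1Ae"`,
		`integrity = "3b1f9c0e7a5d2486b0c9e1f3a7d5b2c4e6f80a1d"`,
		`print("k3Vx9QpL2mZ7wTr5Yb8NcJ4hGd6Fs1Ae")`,
	} {
		fmt.Printf("%-10q %s\n", Classify(l), l)
	}
}
```

A hex digest uses at most 16 symbols, so its entropy cannot exceed 4 bits per character and it stays under the 4.5 threshold whatever its length; a string needs at least 23 distinct characters to cross it.
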
06 / Question

What is the difference between WARNING and CRITICAL severity?

Argus uses exactly two severity tiers, deliberately. A CRITICAL finding forces exit 1, which blocks the install when Argus is composed with &&. CRITICAL is reserved for behaviour that would unambiguously compromise the host: code execution via exec or eval of dynamic strings, hardcoded production credentials, reverse-shell patterns, disabled TLS verification on outbound calls, and path-traversal in archive extraction. A WARNING finding is logged but non-blocking. WARNING covers behaviour that is sometimes legitimate but worth surfacing: dynamic imports, high-entropy strings without a recognised prefix, subprocess calls with constant arguments, and large embedded binary blobs. Two tiers means CI gates get one decisive signal — and developers don't drown in noise.
07 / Question

Does Argus catch obfuscated malware?

Argus catches the obfuscation patterns most published supply-chain attacks use: dynamic imports built from string concatenation, base64- or hex-encoded payloads that decode into executable strings, very long single-line minified scripts that evade human review, and eval / Function() constructors applied to non-constant arguments. It does not claim to defeat all obfuscation — that is provably impossible, since sufficiently obfuscated code is indistinguishable from data until it runs. Argus is one layer in defence-in-depth. In practice: if a package needs to obfuscate its behaviour to function, that's itself a signal worth flagging. In published incidents like the event-stream, ua-parser-js, and colors compromises, Argus rules would have caught the malicious revision.
08 / Question

Does this replace argus scan?

No. argus scan remains the core manual and CI primitive. Interception via argus shell, argus shim install, or argus hook install claude is an additional layer for package-manager commands run by humans and agents. Use argus scan in CI, for local archives, suspicious repos, and workflows where you do not want PATH shims.
09 / Question

Is the agent interception a sandbox?

No. It is default-path package-manager interception. Argus intercepts normal install commands by sitting earlier on PATH or via a Claude Code PreToolUse hook. It is not designed to prevent deliberate bypasses by code with arbitrary shell access — absolute binary paths, python -m pip, curl | sh, or direct downloads all bypass local interception. CI remains the backup enforcement layer.
10 / Question

Should CI still run Argus if shims are installed locally?

Yes. CI is the backup enforcement layer for dependency changes and local bypasses. Local interception catches the common case — a developer or agent running a normal pip install or npm install — but it is not the security boundary. Running argus scan ./pkg in CI catches packages that landed through any other path, and gives teams a consistent gate independent of developer machine configuration.
11 / Question

Does Argus send code to a cloud service?

No. All scanning runs locally on your machine. Argus is a single statically-linked Go binary with zero external dependencies — no network calls, no telemetry, no license server. The binary reads the package source from disk, runs analysis in memory, and writes output to stderr. Source code never leaves your machine.
12 / Question

Is Argus production-ready?

Argus is at version 0.1.7 and is production-ready for advisory and CI use, with weekly rule additions and ongoing language coverage. The Go scanner is stable and used in CI by the maintainers. The pattern-plus-entropy tier for other languages is solid for secret detection and call-site flagging, but rule additions land roughly weekly — run the latest release. Argus is licensed AGPL-3.0, which means commercial users redistributing modified versions must publish their changes. For commercial use cases where AGPL is incompatible, open an issue on GitHub for alternative licensing. The canonical install command is go install github.com/argusgate/argus/cmd/argus@latest; release notes and breaking changes are tracked in the project CHANGELOG.