Turen includes turen-pkg, a package security scanner that evaluates every package before it’s installed on a developer’s machine. It works transparently through Claude Code — when Claude attempts to install a package, turen-pkg intercepts the command, evaluates the package against your organization’s policies, and blocks or flags anything that doesn’t pass.

Where to Configure

Go to Agentic Security > Software Security (/security/software). The page has three tabs:
Tab                   Status       Description
Open Source Security  Active       Configure scorecard thresholds, vulnerability settings, and license policies
SAST                  Active       Real-time static analysis with Batou — configurable blocking thresholds and finding lifecycle tracking
Malware               Coming Soon  Malware scanning for packages and dependencies
To enable or disable package scanning entirely, go to Agentic Security > Security Settings (/security/settings) and toggle Software Security Settings.

How It Works

When Claude Code runs a command like npm install lodash:
  1. Command intercepted: the Claude Code hook sends the command to turen-pkg for evaluation.
  2. Package analyzed: turen-pkg fetches security signals for the package (scorecard rating, known vulnerabilities, license, provenance, and age).
  3. Policy evaluated: the package is checked against your organization's thresholds and rules.
  4. Decision made: the package is allowed, flagged for review, or blocked. Claude Code receives the result and acts accordingly.

Supported Package Managers

Package Manager  Ecosystem             Status
npm              JavaScript / Node.js  Supported
pip / pip3       Python (PyPI)         Supported
go mod           Go modules            Supported

Configuring Thresholds

The Open Source Security tab in Software Security has three sections:

Scorecard Thresholds

Set minimum OpenSSF Scorecard* scores:
  • Minimum Scorecard Score (Block) — Packages scoring below this are blocked
  • Review Scorecard Score (Alert) — Packages scoring below this require review
A visual gradient shows the block and review zones on a 0–10 scale.

Vulnerability Settings

  • Maximum Known Vulnerabilities — Alert when packages exceed this count
  • Block Critical Vulnerabilities — Automatically block packages with critical CVEs

License Configuration

  • Allowed Licenses — Only packages with these licenses are permitted (leave empty to allow all)
  • Blocked Licenses — Packages with these licenses are always blocked, regardless of the allowlist
Use the license picker to search and add from a curated list of SPDX identifiers (Permissive, Weak Copyleft, Strong Copyleft, Restrictive) or enter custom SPDX IDs. Changes appear in an unsaved changes bar — click Save to apply or Discard to revert.

Security Signals

Each package is evaluated against multiple security dimensions:
Signal           Source              What It Measures
Scorecard        OpenSSF Scorecard*  Overall project security rating (0–10)
Vulnerabilities  OSV database        Known CVEs for the package version
License          deps.dev            Whether the license is acceptable
Provenance       SLSA                Verified build provenance
Package Age      Registry metadata   How long the package has existed
Maintainer 2FA   Registry metadata   Whether the maintainer has 2FA enabled

Decisions

Every package evaluation results in one of three decisions:
Decision  What Happens
Allow     Package passes all checks. Installation proceeds normally.
Review    Package triggers a policy threshold. Claude Code is told the package requires human approval.
Block     Package violates a critical policy. Installation is denied.
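The following is an added example, written for this page, of how the scorecard, vulnerability and license settings from Configuring Thresholds combine into one of the three decisions. It is not turen-pkg's code: the Policy and Signals field names are assumptions, and since the page does not say how turen-pkg treats a missing signal (no Scorecard rating, unknown license), the example escalates those to Review rather than letting them pass. It also enforces two details the page implies but does not spell out, that the blocklist beats the allowlist and that the review threshold must sit above the block threshold. All signal values are constructed to match the lodash and suspicious-pkg output shown under What Developers See.

```python
"""Illustrative policy evaluation for the thresholds, signals and decisions this
page describes. Written for this page, not turen-pkg's code: the field names and
the handling of missing signals are assumptions, and all inputs are constructed."""
from dataclasses import dataclass, field
from typing import Optional


@dataclass(frozen=True)
class Policy:
    """The Open Source Security tab settings. 5.0 is the block threshold shown on this page."""
    block_scorecard_below: float = 5.0
    review_scorecard_below: float = 7.0
    max_known_vulnerabilities: int = 5
    block_critical_vulnerabilities: bool = True
    allowed_licenses: frozenset = frozenset()   # empty allowlist permits every license
    blocked_licenses: frozenset = frozenset()

    def __post_init__(self):
        # The review zone sits above the block zone on the 0-10 gradient.
        if self.review_scorecard_below < self.block_scorecard_below:
            raise ValueError("review threshold must not be below block threshold")


@dataclass(frozen=True)
class Signals:
    """Signals for one package version. None means the source had no data."""
    name: str
    scorecard: Optional[float]
    vulnerabilities: int
    critical_vulnerabilities: int
    license: Optional[str]          # SPDX identifier
    provenance_verified: bool


@dataclass
class Decision:
    verdict: str                    # "ALLOW", "REVIEW" or "BLOCK"
    reasons: list = field(default_factory=list)


def evaluate(sig: Signals, pol: Policy) -> Decision:
    """Apply the policy. Any block reason wins; otherwise any review reason; else allow."""
    blocks, reviews = [], []
    # License: the blocklist overrides the allowlist.
    if sig.license is None:
        reviews.append("license could not be determined")
    elif sig.license in pol.blocked_licenses:
        blocks.append(f"license {sig.license} is blocked")
    elif pol.allowed_licenses and sig.license not in pol.allowed_licenses:
        blocks.append(f"license {sig.license} is not on the allowlist")
    # Vulnerabilities: critical ones block, a high count only alerts.
    if pol.block_critical_vulnerabilities and sig.critical_vulnerabilities > 0:
        blocks.append(f"{sig.critical_vulnerabilities} critical vulnerabilities detected")
    if sig.vulnerabilities > pol.max_known_vulnerabilities:
        reviews.append(f"{sig.vulnerabilities} known vulnerabilities exceeds maximum of "
                       f"{pol.max_known_vulnerabilities}")
    # Scorecard: a missing rating is not treated as a passing one.
    if sig.scorecard is None:
        reviews.append("no OpenSSF Scorecard rating available")
    elif sig.scorecard < pol.block_scorecard_below:
        blocks.append(f"Scorecard below minimum threshold ({sig.scorecard} < {pol.block_scorecard_below})")
    elif sig.scorecard < pol.review_scorecard_below:
        reviews.append(f"Scorecard below review threshold ({sig.scorecard} < {pol.review_scorecard_below})")
    if blocks:
        return Decision("BLOCK", blocks + reviews)
    if reviews:
        return Decision("REVIEW", reviews)
    return Decision("ALLOW")


def report(sig: Signals, dec: Decision) -> str:
    """Render a decision in the style of the developer-facing output on this page."""
    crit = f" ({sig.critical_vulnerabilities} critical)" if sig.critical_vulnerabilities else ""
    score = "n/a" if sig.scorecard is None else f"{sig.scorecard}/10"
    lines = [f"{sig.name} {dec.verdict}",
             f"Scorecard       {score}",
             f"Vulnerabilities {sig.vulnerabilities}{crit}",
             f"License         {sig.license or 'unknown'}",
             f"Provenance      {'verified' if sig.provenance_verified else 'unverified'}"]
    lines += [f"x {reason}" for reason in dec.reasons]
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed signals matching the two examples shown on this page.
    policy = Policy()
    for sig in (Signals("lodash", 7.5, 0, 0, "MIT", True),
                Signals("suspicious-pkg", 2.1, 12, 3, "MIT", False)):
        print(report(sig, evaluate(sig, policy)), end="\n\n")
```

Running it prints an ALLOW report for lodash and a BLOCK report for suspicious-pkg carrying both reasons the page shows. The ordering matters when tuning thresholds: a package can trip a review rule and a block rule at once, and the developer should see every reason, not just the one that decided the verdict, which is why BLOCK keeps the review reasons attached.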

What Developers See

When a package is allowed:
[turen] Evaluating lodash...

  lodash ALLOW
  ──────────────────────────────────────
  Scorecard       7.5/10
  Vulnerabilities 0
  License         MIT
  Provenance      verified

[npm] Proceeding with installation...
When a package is blocked:
[turen] Evaluating suspicious-pkg...

  suspicious-pkg BLOCK
  ──────────────────────────────────────
  Scorecard       2.1/10
  Vulnerabilities 12 (3 critical)

  x Scorecard below minimum threshold (2.1 < 5.0)
  x 3 critical vulnerabilities detected

  This package was blocked by your organization's
  security policy. Try an alternative package or
  contact your admin.

Claude Code Integration

turen-pkg integrates with Claude Code via hooks configured in managed-settings.json. This happens automatically when you install the Turen agent — no developer action needed. When Claude Code attempts to run a package manager command, the hook:
  1. Intercepts the command before execution
  2. Evaluates the package through turen-pkg
  3. Returns the decision to Claude Code
  4. Claude Code either proceeds with installation or informs the developer why the package was blocked
All evaluation events are logged and visible in your dashboard under Monitor > Events.
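The interception step from How It Works, the command shapes of the three supported package managers, and the hook contract in this section, as one added example written for this page. It is not the hook Turen installs. It assumes the PreToolUse hook contract that Claude Code documents: the tool call arrives as JSON on stdin with tool_name and tool_input.command, and a JSON reply whose hookSpecificOutput.permissionDecision is "deny" blocks the call while "ask" hands it to the developer (check both against your installed Claude Code version). The install verbs, ecosystem labels, shell-chaining regex and the FIXTURE evaluator are constructed stand-ins; the real turen-pkg lookup is not shown.

```python
"""Illustrative Claude Code PreToolUse hook written for this page. Not Turen's
turen-pkg hook: it shows picking package installs out of a Bash command for
npm, pip/pip3 and go, and handing a decision back to Claude Code. The evaluator
at the bottom is a constructed stand-in for turen-pkg."""
import json
import re
import shlex
import sys
from typing import Callable, Optional

# Install verbs for the package managers the page lists (assumed verb sets).
INSTALL_VERBS = {"npm": {"install", "i", "add"}, "pip": {"install"},
                 "pip3": {"install"}, "go": {"get", "install"}}
ECOSYSTEM = {"npm": "npm", "pip": "PyPI", "pip3": "PyPI", "go": "Go"}
OPAQUE_FLAGS = {"-r", "--requirement", "-c", "--constraint"}  # pip reads a file
PIP_OP = re.compile(r"(===|==|~=|!=|>=|<=|>|<)")
SEGMENT = re.compile(r"\s*(?:&&|\|\||\||;|\n)\s*")   # crude shell command chaining
SEVERITY = {"Allow": 0, "Review": 1, "Block": 2}
Evaluator = Callable[[str, str, str], tuple]   # (ecosystem, name, version) -> (decision, detail)


def split_spec(tool: str, spec: str) -> tuple:
    """Split one install argument into (ecosystem, name, version)."""
    eco = ECOSYSTEM[tool]
    if tool in ("npm", "go"):
        at = spec.rfind("@")   # npm scoped names start with "@", so use the last one
        return (eco, spec[:at], spec[at + 1:]) if at > 0 else (eco, spec, "")
    name, *rest = PIP_OP.split(spec, maxsplit=1)   # rest is [] or [operator, version]
    name = name.split("[", 1)[0].strip()           # drop extras such as pkg[security]
    return eco, name, (rest[1].strip() if rest else "")


def _segment_packages(segment: str) -> tuple:
    try:
        argv = shlex.split(segment)
    except ValueError:
        return [], True                  # unbalanced quoting: do not guess, escalate
    if len(argv) < 2 or argv[1] not in INSTALL_VERBS.get(argv[0], ()):
        return [], False                 # not an install for a supported manager
    pkgs, opaque, skip = [], False, False
    for arg in argv[2:]:
        if skip:
            skip = False
        elif arg in OPAQUE_FLAGS:
            opaque = skip = True
        elif not arg.startswith("-"):    # other flags (-D, --save-dev, -U) are ignored
            pkgs.append(split_spec(argv[0], arg))
    # With no names given the manager installs from its manifest, which we cannot see.
    return pkgs, opaque or not pkgs


def extract_packages(command: str) -> tuple:
    """Return (packages, opaque) across chained commands, so 'cd app && npm install x'
    is not missed. opaque: the command also pulls in packages the hook cannot see."""
    pkgs, opaque = [], False
    for segment in SEGMENT.split(command):
        found, hidden = _segment_packages(segment)
        pkgs += found
        opaque = opaque or hidden
    return pkgs, opaque


def handle_pre_tool_use(payload: dict, evaluate: Evaluator) -> Optional[dict]:
    """Return the hook's JSON reply, or None to stay silent (exit 0, no output) so
    Claude Code's normal permission flow applies. Review -> "ask", Block -> "deny"."""
    if payload.get("tool_name") != "Bash":
        return None
    pkgs, opaque = extract_packages(payload.get("tool_input", {}).get("command", ""))
    if not pkgs and not opaque:
        return None
    worst, notes = "Allow", []
    for eco, name, version in pkgs:
        decision, detail = evaluate(eco, name, version)
        notes.append(f"{name}{'@' + version if version else ''} ({eco}): {decision}, {detail}")
        worst = max(worst, decision, key=SEVERITY.__getitem__)
    if opaque:
        notes.append("installs from a file or manifest the hook cannot inspect")
        worst = max(worst, "Review", key=SEVERITY.__getitem__)
    if worst == "Allow":
        return None
    return {"hookSpecificOutput": {
        "hookEventName": "PreToolUse",
        "permissionDecision": "deny" if worst == "Block" else "ask",
        "permissionDecisionReason": "[turen] " + "; ".join(notes)}}


# Constructed stand-in for turen-pkg, using the two packages shown on this page.
FIXTURE = {("npm", "lodash"): ("Allow", "scorecard 7.5/10, 0 vulnerabilities, MIT"),
           ("npm", "suspicious-pkg"): ("Block", "scorecard 2.1/10 < 5.0, 3 critical vulnerabilities")}


def fixture_evaluate(eco: str, name: str, version: str) -> tuple:
    return FIXTURE.get((eco, name), ("Review", "no security signals available"))


def main() -> int:
    reply = handle_pre_tool_use(json.load(sys.stdin), fixture_evaluate)
    if reply is not None:
        print(json.dumps(reply))
    return 0


if __name__ == "__main__":
    sys.exit(main())
```

A script like this is registered in managed-settings.json under hooks, PreToolUse, with matcher "Bash" and a command entry pointing at it. Two design choices worth keeping: an Allow returns nothing rather than a permissionDecision of "allow", because "allow" would skip Claude Code's own permission prompts for the whole command, not just the package check; and anything the hook cannot decompose (a requirements file, a bare npm install from package.json, unbalanced quoting) is escalated to "ask" instead of being waved through. Parsing the command string remains a heuristic: installs run through npx, project scripts, or a package manager not on the page's list will not be seen, so treat the hook as a guardrail for the agent rather than the only control on what reaches the developer's machine.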
* OpenSSF and the OpenSSF logo design are trademarks of The Linux Foundation. See openssf.org for more information.