Turen includes turen-pkg, a package security scanner that evaluates every package before it’s installed on a developer’s machine. It works transparently through Claude Code — when Claude attempts to install a package, turen-pkg intercepts the command, evaluates the package against your organization’s policies, and blocks or flags anything that doesn’t pass.

How It Works

When Claude Code runs a command like npm install lodash:
1. Command intercepted. The Claude Code hook sends the command to turen-pkg for evaluation.
2. Package analyzed. turen-pkg fetches security signals for the package: scorecard rating, known vulnerabilities, license, provenance, and age.
3. Policy evaluated. The package is checked against your organization's thresholds and rules.
4. Decision made. The package is allowed, flagged for review, or blocked. Claude Code receives the result and acts accordingly.

Supported Package Managers

Package Manager   Ecosystem                 Status
──────────────────────────────────────────────────────
npm               JavaScript / Node.js      Supported
pip / pip3        Python (PyPI)             Supported
uv                Python (fast installer)   Supported
poetry            Python                    Supported
go mod            Go modules                Supported
cargo             Rust                      Scanning only

Security Signals

Each package is evaluated against multiple security dimensions:
Signal            Source              What It Measures
──────────────────────────────────────────────────────────────────────
Scorecard         OpenSSF Scorecard   Overall project security rating (0-10)
Vulnerabilities   OSV database        Known CVEs for the package version
License           deps.dev            Whether the license is acceptable
Provenance        SLSA                Verified build provenance
Package Age       Registry metadata   How long the package has existed
Maintainer 2FA    Registry metadata   Whether the maintainer has 2FA enabled

Decisions

Every package evaluation results in one of three decisions:
Decision   What Happens
──────────────────────────────────────────────────────────────────────
Allow      Package passes all checks. Installation proceeds normally.
Review     Package triggers a policy threshold. Claude Code is told the package requires human approval.
Block      Package violates a critical policy. Installation is denied.
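The steps under How It Works and the three decisions above can be pictured as a small rule engine over the signals listed earlier. The following is an added illustration, not turen-pkg's own code: the signal names follow this page, but the Policy thresholds, the rule ordering, and the sample Signals values are assumptions constructed for the example.

```python
"""Allow / Review / Block evaluation in the style described on this page.
Added example, not turen-pkg's code: the signal names follow the page's
Security Signals table; the Policy thresholds and the rule ordering are
assumed.  The sample Signals at the bottom are constructed, not fetched."""
from __future__ import annotations
from dataclasses import dataclass


@dataclass
class Signals:
    name: str
    scorecard: float | None          # OpenSSF Scorecard, 0-10; None = not rated
    vulns: dict[str, int]            # severity -> count, as OSV would report
    license: str | None              # SPDX id from deps.dev; None = unknown
    provenance: str                  # "verified" (SLSA) or "unverified"
    age_days: int                    # from registry metadata
    maintainer_2fa: bool | None      # None = registry does not expose it


@dataclass
class Policy:
    min_scorecard: float = 5.0       # below this: BLOCK
    review_scorecard: float = 7.0    # below this (but >= min): REVIEW
    min_age_days: int = 30           # younger packages go to REVIEW
    require_provenance: bool = False # True makes missing SLSA provenance a BLOCK
    allowed_licenses: frozenset[str] = frozenset(
        {"MIT", "Apache-2.0", "BSD-2-Clause", "BSD-3-Clause", "ISC"})


def evaluate(sig: Signals, pol: Policy) -> tuple[str, list[str]]:
    """Return (decision, reasons).  Any block-level finding wins; otherwise
    any review-level finding; otherwise ALLOW with no reasons."""
    block: list[str] = []
    review: list[str] = []

    if sig.scorecard is None:
        review.append("No Scorecard rating available")
    elif sig.scorecard < pol.min_scorecard:
        block.append(f"Scorecard below minimum threshold ({sig.scorecard} < {pol.min_scorecard})")
    elif sig.scorecard < pol.review_scorecard:
        review.append(f"Scorecard below review threshold ({sig.scorecard} < {pol.review_scorecard})")

    critical = sig.vulns.get("critical", 0)
    high = sig.vulns.get("high", 0)
    if critical:
        block.append(f"{critical} critical vulnerabilities detected")
    if high:
        review.append(f"{high} high-severity vulnerabilities detected")

    if sig.license is None:
        review.append("License could not be determined")
    elif sig.license not in pol.allowed_licenses:
        block.append(f"License {sig.license} is not on the allow list")

    if sig.provenance != "verified":
        (block if pol.require_provenance else review).append("Build provenance not verified")

    if sig.age_days < pol.min_age_days:
        review.append(f"Package is only {sig.age_days} days old (minimum {pol.min_age_days})")
    if sig.maintainer_2fa is False:
        review.append("Maintainer does not have 2FA enabled")

    if block:
        return "BLOCK", block + review
    if review:
        return "REVIEW", review
    return "ALLOW", []


# Constructed sample signals (not real registry data).
LODASH = Signals("lodash", 7.5, {}, "MIT", "verified", 3000, True)
SUSPICIOUS = Signals("suspicious-pkg", 2.1, {"critical": 3, "high": 4, "medium": 5},
                     None, "unverified", 12, False)
NEWLIB = Signals("newlib", 6.0, {}, "Apache-2.0", "verified", 10, True)

if __name__ == "__main__":
    for sig in (LODASH, SUSPICIOUS, NEWLIB):
        decision, reasons = evaluate(sig, Policy())
        print(f"  {sig.name} {decision}")
        for r in reasons:
            print(f"  x {r}")
```

Two design points worth keeping in any real policy: a missing signal (no Scorecard rating, unknown license) is treated as a reason for review rather than silently passing, and block reasons are reported together with the review reasons so the developer sees everything that would still need fixing after the blocking issue is resolved.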

What Developers See

When a package is allowed:
[turen] Evaluating lodash...

  lodash ALLOW
  ──────────────────────────────────────
  Scorecard       7.5/10
  Vulnerabilities 0
  License         MIT
  Provenance      verified

[npm] Proceeding with installation...
When a package is blocked:
[turen] Evaluating suspicious-pkg...

  suspicious-pkg BLOCK
  ──────────────────────────────────────
  Scorecard       2.1/10
  Vulnerabilities 12 (3 critical)

  x Scorecard below minimum threshold (2.1 < 5.0)
  x 3 critical vulnerabilities detected

  This package was blocked by your organization's
  security policy. Try an alternative package or
  contact your admin.

Typosquat Detection

turen-pkg detects packages with names suspiciously similar to popular packages — a common supply chain attack vector. For example, lod-ash or loadash would be flagged as potential typosquats of lodash. Typosquat detection uses embedded datasets of popular packages per ecosystem and configurable similarity thresholds.
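The check below shows the shape of such a detector: normalize the requested name, compare it against a per-ecosystem list of popular packages with an edit-distance threshold, and tighten the threshold for short names so that a two-character difference on a five-letter name is not treated as a squat. This is an added example, not turen-pkg's implementation; its POPULAR lists and thresholds are constructed stand-ins for the embedded datasets the page mentions.

```python
"""Typosquat check: flag install names within a small edit distance of a
well-known package in the same ecosystem.  Added example, not turen-pkg's
code; POPULAR and the thresholds are constructed stand-ins for turen-pkg's
embedded datasets and configurable similarity settings."""

# Constructed sample of popular names per ecosystem (a real dataset is far larger).
POPULAR = {
    "npm": {"lodash", "express", "react", "axios", "chalk", "commander"},
    "pypi": {"requests", "numpy", "urllib3", "boto3", "cryptography", "pyyaml"},
}


def canon(name: str) -> str:
    """Case-fold and drop separators so 'Lod-Ash' and 'lod_ash' compare equal to 'lodash'."""
    return "".join(ch for ch in name.lower() if ch not in "-_.")


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a)*len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def typosquat_candidates(name: str, ecosystem: str, max_distance: int = 2) -> list[tuple[str, int]]:
    """Popular packages that `name` is suspiciously close to, nearest first.
    An exact popular name is never a squat.  For popular names shorter than
    six characters the allowed distance is capped at 1, otherwise a large
    part of the short-name space would be flagged."""
    popular = POPULAR[ecosystem]
    if name in popular:
        return []
    target = canon(name)
    hits = []
    for p in popular:
        limit = max_distance if len(p) >= 6 else 1
        d = levenshtein(target, canon(p))
        if d <= limit:
            hits.append((p, d))
    return sorted(hits, key=lambda h: (h[1], h[0]))


if __name__ == "__main__":
    for eco, name in [("npm", "lodash"), ("npm", "lod-ash"), ("npm", "loadash"),
                      ("npm", "reactor"), ("pypi", "requets")]:
        hits = typosquat_candidates(name, eco)
        print(f"{eco:5} {name:10} {'typosquat of ' + hits[0][0] if hits else 'ok'}")
```

A distance of 0 after normalization (lod-ash against lodash) is the separator-only variant; a distance of 1 (loadash, requets) is the classic one-keystroke squat. Both should go to review or block rather than being allowed on the strength of their own signals, since a freshly published squat may have no vulnerabilities and a permissive license.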

Audit Command

Developers can scan their entire project for supply chain risk:
turen-pkg audit --path .
This evaluates every dependency in the project’s manifest files and produces a summary:
Audit Results for /project
──────────────────────────────────────
Manifest: package.json (npm)
Total:  42 packages
Allow:  38    Review: 3    Block: 1
Score:  88/100

Claude Code Integration

turen-pkg integrates with Claude Code via hooks configured in managed-settings.json. This happens automatically when you install the Turen agent — no developer action needed. When Claude Code attempts to run a package manager command, the hook:
  1. Intercepts the command before execution
  2. Evaluates the package through turen-pkg
  3. Returns the decision to Claude Code
  4. Claude Code either proceeds with installation or informs the developer why the package was blocked
All evaluation events are logged and visible in your dashboard.
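As an added example of what such a hook has to do, the script below is not turen-pkg's own hook. It assumes the conventions Claude Code documents for PreToolUse hooks: the event arrives as JSON on stdin with a tool_name and a tool_input.command field, exit code 0 lets the tool call proceed, and exit code 2 blocks it and returns stderr to Claude. The decide() function is a constructed stand-in for the turen-pkg evaluation, and the SIGNALS table is sample data; the parsing of install commands across the supported package managers is the part worth studying.

```python
#!/usr/bin/env python3
"""Claude Code PreToolUse hook that gates package-manager commands.
Added example, not turen-pkg's own hook.  Assumes Claude Code's hook
conventions: the event is JSON on stdin carrying tool_name and
tool_input.command; exit 0 lets the command run, exit 2 blocks it and
feeds stderr back to Claude.  decide() consults a constructed table
standing in for turen-pkg's evaluation."""
import json
import re
import shlex
import sys

INSTALL_VERBS = {"npm": {"install", "i", "add"}, "pip": {"install"}, "pip3": {"install"},
                 "uv": {"add"}, "poetry": {"add"}, "go": {"get"}, "cargo": {"add"}}
ECOSYSTEM = {"npm": "npm", "pip": "pypi", "uv": "pypi", "poetry": "pypi", "go": "go", "cargo": "crates"}
FLAGS_WITH_VALUE = {"-r", "--requirement", "-c", "--constraint", "-e", "--editable", "-i", "--index-url"}
RANK = {"ALLOW": 0, "REVIEW": 1, "BLOCK": 2}

# Constructed stand-in for turen-pkg's signal lookup; anything unknown needs review.
SIGNALS = {
    ("npm", "lodash"): ("ALLOW", []),
    ("npm", "suspicious-pkg"): ("BLOCK", ["Scorecard below minimum threshold (2.1 < 5.0)",
                                          "3 critical vulnerabilities detected"]),
    ("pypi", "requests"): ("ALLOW", []),
}


def strip_version(manager, spec):
    """lodash@^4 -> lodash, @types/node@20 -> @types/node, requests==2.31 -> requests."""
    if manager in ("npm", "go", "cargo"):
        scoped = spec.startswith("@")
        base = (spec[1:] if scoped else spec).split("@", 1)[0]
        return "@" + base if scoped else base
    return re.split(r"[\[<>=!~;@]", spec, maxsplit=1)[0]


def extract_packages(command):
    """Return (manager, [names]) for an install command, or None otherwise.
    An empty list means an install we cannot resolve per package
    (npm install from a lockfile, pip install -r requirements.txt)."""
    try:
        argv = shlex.split(command)
    except ValueError:
        return None
    if not argv:
        return None
    tool = argv[0].rsplit("/", 1)[-1]          # tolerate /usr/bin/npm
    if tool not in INSTALL_VERBS:
        return None
    manager = "pip" if tool == "pip3" else tool
    rest = argv[1:]
    if tool == "uv" and rest[:2] == ["pip", "install"]:
        rest = rest[2:]
    elif rest and rest[0] in INSTALL_VERBS[tool]:
        rest = rest[1:]
    else:
        return None
    pkgs, skip = [], False
    for tok in rest:
        if skip:
            skip = False
        elif tok in FLAGS_WITH_VALUE:
            skip = True
        elif not tok.startswith("-"):
            pkgs.append(strip_version(manager, tok))
    return manager, pkgs


def decide(manager, pkg):
    return SIGNALS.get((ECOSYSTEM[manager], pkg), ("REVIEW", ["Package has not been evaluated"]))


def run_hook(event):
    """Return (exit_code, message) for one PreToolUse event."""
    if event.get("tool_name") != "Bash":
        return 0, ""
    parsed = extract_packages(event.get("tool_input", {}).get("command", ""))
    if parsed is None:
        return 0, ""
    manager, pkgs = parsed
    if not pkgs:
        return 2, f"[turen] {manager} install without explicit package names requires human approval"
    lines, worst = [], 0
    for pkg in pkgs:
        decision, reasons = decide(manager, pkg)
        lines.append(f"  {pkg} {decision}")
        lines.extend(f"    x {r}" for r in reasons)
        worst = max(worst, RANK[decision])
    if worst == 0:
        return 0, ""
    verdict = ("blocked by your organization's security policy" if worst == 2
               else "requires human approval before installation")
    return 2, f"[turen] This install is {verdict}\n" + "\n".join(lines)


if __name__ == "__main__":
    code, msg = run_hook(json.load(sys.stdin))
    if msg:
        print(msg, file=sys.stderr)
    sys.exit(code)
```

To wire a script like this in, the hooks section of managed-settings.json would register it as a command hook under PreToolUse with a matcher for the Bash tool, in the shape Claude Code documents for hooks (an assumption here, since the page does not reproduce the Turen agent's settings). Two caveats a practitioner should keep in mind: a fail-open check (exit 0 when the evaluator cannot resolve package names) would let `pip install -r requirements.txt` bypass the gate, which is why the example sends unresolved installs to review, and a command-line parser only sees the command Claude intends to run, so it is complementary to, not a substitute for, the project-wide audit.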