# Package Security

> How Turen evaluates packages before installation

Turen includes **turen-pkg**, a package security scanner that evaluates every package before it's installed on a developer's machine. It works transparently through Claude Code: when Claude attempts to install a package, turen-pkg intercepts the command, evaluates the package against your organization's policies, and blocks or flags anything that doesn't pass.

## Where to Configure

Go to **Agentic Security > Software Security** (`/security/software`). The page has three tabs:

| Tab                              | Status      | Description                                                                                           |
| -------------------------------- | ----------- | ----------------------------------------------------------------------------------------------------- |
| **Open Source Security**         | Active      | Configure scorecard thresholds, vulnerability settings, and license policies                          |
| [**SAST**](/security-rules/sast) | Active      | Real-time static analysis with Batou: configurable blocking thresholds and finding lifecycle tracking |
| **Malware**                      | Coming Soon | Malware scanning for packages and dependencies                                                        |

To enable or disable package scanning entirely, go to **Agentic Security > Security Settings** (`/security/settings`) and toggle **Software Security Settings**.

## How It Works

When Claude Code runs a command like `npm install lodash`:

<Steps>
  <Step title="Command intercepted">
    The Claude Code hook sends the command to turen-pkg for evaluation.
  </Step>

  <Step title="Package analyzed">
    turen-pkg fetches security signals for the package: scorecard rating, known vulnerabilities, license, provenance, and age.
  </Step>

  <Step title="Policy evaluated">
    The package is checked against your organization's thresholds and rules.
  </Step>

  <Step title="Decision made">
    The package is **allowed**, **flagged for review**, or **blocked**. Claude Code receives the result and acts accordingly.
  </Step>
</Steps>

## Supported Package Managers

| Package Manager | Ecosystem            | Status    |
| --------------- | -------------------- | --------- |
| **npm**         | JavaScript / Node.js | Supported |
| **pip / pip3**  | Python (PyPI)        | Supported |
| **go mod**      | Go modules           | Supported |

## Configuring Thresholds

The **Open Source Security** tab in Software Security has three sections:

### Scorecard Thresholds

Set minimum [OpenSSF Scorecard](https://scorecard.dev)\* scores:

* **Minimum Scorecard Score (Block)**: Packages scoring below this are blocked
* **Review Scorecard Score (Alert)**: Packages scoring below this require review

A visual gradient shows the block and review zones on a 0–10 scale.

### Vulnerability Settings

* **Maximum Known Vulnerabilities**: Alert when packages exceed this count
* **Block Critical Vulnerabilities**: Automatically block packages with critical CVEs

### License Configuration

* **Allowed Licenses**: Only packages with these licenses are permitted (leave empty to allow all)
* **Blocked Licenses**: Packages with these licenses are always blocked, regardless of the allowlist

Use the license picker to search and add from a curated list of SPDX identifiers (Permissive, Weak Copyleft, Strong Copyleft, Restrictive) or enter custom SPDX IDs.

Changes appear in an unsaved changes bar: click **Save** to apply or **Discard** to revert.
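The interaction between the three sections above (block versus review score, the vulnerability rules, and a blocklist that overrides the allowlist) is easiest to see as one evaluation routine. The following Python is an added illustration, not turen-pkg's own code: the threshold values (block below 5.0, review below 7.0, at most 5 known vulnerabilities) and the package signals are constructed, and treating a license that is missing from a non-empty allowlist as a block is an assumption about how "only packages with these licenses are permitted" is enforced.

```python
"""Policy evaluation modelled on the Open Source Security thresholds.

Added example, not turen-pkg's implementation. The default Policy values
and every Signals instance are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class Policy:
    block_score: float = 5.0        # Minimum Scorecard Score (Block)
    review_score: float = 7.0       # Review Scorecard Score (Alert); assumed value
    max_vulnerabilities: int = 5    # Maximum Known Vulnerabilities; assumed value
    block_critical: bool = True     # Block Critical Vulnerabilities
    allowed_licenses: list[str] = field(default_factory=list)  # empty = allow all
    blocked_licenses: list[str] = field(default_factory=list)  # always wins


@dataclass
class Signals:
    """Subset of the security signals fetched for one package (constructed)."""
    name: str
    scorecard: float
    vulnerabilities: int
    critical_vulnerabilities: int
    license: str


def evaluate(pkg: Signals, policy: Policy) -> tuple[str, list[str]]:
    """Return (decision, reasons); decision is ALLOW, REVIEW or BLOCK.

    Any block rule is decisive and only block reasons are reported; review
    rules matter only when nothing blocked. The blocked-license list takes
    precedence over the allowlist, as the License Configuration section says.
    """
    blocks: list[str] = []
    reviews: list[str] = []

    # Scorecard: a score below the block line blocks, below the review line alerts.
    if pkg.scorecard < policy.block_score:
        blocks.append(
            f"Scorecard below minimum threshold ({pkg.scorecard} < {policy.block_score})")
    elif pkg.scorecard < policy.review_score:
        reviews.append(
            f"Scorecard below review threshold ({pkg.scorecard} < {policy.review_score})")

    # Vulnerabilities: critical CVEs block (if enabled), a high count only alerts.
    if policy.block_critical and pkg.critical_vulnerabilities > 0:
        blocks.append(f"{pkg.critical_vulnerabilities} critical vulnerabilities detected")
    if pkg.vulnerabilities > policy.max_vulnerabilities:
        reviews.append(
            f"{pkg.vulnerabilities} known vulnerabilities exceed limit of "
            f"{policy.max_vulnerabilities}")

    # Licenses: blocklist first, then the allowlist (empty allowlist permits all).
    if pkg.license in policy.blocked_licenses:
        blocks.append(f"License {pkg.license} is on the blocked list")
    elif policy.allowed_licenses and pkg.license not in policy.allowed_licenses:
        blocks.append(f"License {pkg.license} is not on the allowed list")

    if blocks:
        return "BLOCK", blocks
    if reviews:
        return "REVIEW", reviews
    return "ALLOW", []


if __name__ == "__main__":
    for pkg in (Signals("lodash", 7.5, 0, 0, "MIT"),
                Signals("suspicious-pkg", 2.1, 12, 3, "MIT")):
        decision, reasons = evaluate(pkg, Policy())
        print(pkg.name, decision, *[f"  x {r}" for r in reasons], sep="\n")
```

With the default policy the two constructed packages reproduce the two developer-facing outcomes shown further down this page: `lodash` is allowed, and `suspicious-pkg` is blocked for both its scorecard and its critical vulnerabilities, while its raw vulnerability count (12, which would otherwise trigger a review) is not reported because a block already decides the outcome.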

## Security Signals

Each package is evaluated against multiple security dimensions:

| Signal              | Source                                       | What It Measures                       |
| ------------------- | -------------------------------------------- | -------------------------------------- |
| **Scorecard**       | [OpenSSF Scorecard](https://scorecard.dev)\* | Overall project security rating (0-10) |
| **Vulnerabilities** | OSV database                                 | Known CVEs for the package version     |
| **License**         | deps.dev                                     | Whether the license is acceptable      |
| **Provenance**      | SLSA                                         | Verified build provenance              |
| **Package Age**     | Registry metadata                            | How long the package has existed       |
| **Maintainer 2FA**  | Registry metadata                            | Whether the maintainer has 2FA enabled |

## Decisions

Every package evaluation results in one of three decisions:

| Decision   | What Happens                                                                                  |
| ---------- | --------------------------------------------------------------------------------------------- |
| **Allow**  | Package passes all checks. Installation proceeds normally.                                    |
| **Review** | Package triggers a policy threshold. Claude Code is told the package requires human approval. |
| **Block**  | Package violates a critical policy. Installation is denied.                                   |

## What Developers See

When a package is **allowed**:

```text
[turen] Evaluating lodash...

  lodash ALLOW
  ──────────────────────────────────────
  Scorecard       7.5/10
  Vulnerabilities 0
  License         MIT
  Provenance      verified

[npm] Proceeding with installation...
```

When a package is **blocked**:

```text
[turen] Evaluating suspicious-pkg...

  suspicious-pkg BLOCK
  ──────────────────────────────────────
  Scorecard       2.1/10
  Vulnerabilities 12 (3 critical)

  x Scorecard below minimum threshold (2.1 < 5.0)
  x 3 critical vulnerabilities detected

  This package was blocked by your organization's
  security policy. Try an alternative package or
  contact your admin.
```

## Claude Code Integration

turen-pkg integrates with Claude Code via hooks configured in `managed-settings.json`. This happens automatically when you install the Turen agent: no developer action needed.

When Claude Code attempts to run a package manager command, the hook:

1. Intercepts the command before execution
2. Evaluates the package through turen-pkg
3. Returns the decision to Claude Code
4. Claude Code either proceeds with installation or informs the developer why the package was blocked
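The four steps above, as an added example that is not turen-pkg's hook. It assumes the shape of a Claude Code PreToolUse event (a JSON object on stdin with the shell command under `tool_input.command`) and that a non-zero exit code of 2 with a message on stderr is how the hook tells Claude Code not to proceed; both are assumptions stated here, not facts from this page. The per-package verdicts are a constructed table standing in for the real signal fetch and policy check, and `go get` is assumed to be the go mod command that is intercepted.

```python
"""Package-manager command interception shaped like a PreToolUse hook.

Added example, not turen-pkg's hook. FAKE_VERDICTS stands in for the real
evaluation; the stdin event shape and the exit-code convention are assumptions.
"""
import json
import re
import shlex
import sys

# Constructed verdicts keyed by (ecosystem, package name).
FAKE_VERDICTS = {
    ("npm", "lodash"): ("ALLOW", []),
    ("npm", "suspicious-pkg"): ("BLOCK", ["Scorecard below minimum threshold (2.1 < 5.0)"]),
    ("pypi", "requests"): ("ALLOW", []),
    ("go", "golang.org/x/text"): ("REVIEW", ["flagged for review by policy"]),
}
RANK = {"ALLOW": 0, "REVIEW": 1, "BLOCK": 2}

# Supported package managers: executable -> (install verbs, ecosystem).
INSTALL_VERBS = {
    "npm": ({"install", "i", "add"}, "npm"),
    "pip": ({"install"}, "pypi"),
    "pip3": ({"install"}, "pypi"),
    "go": ({"get"}, "go"),  # assumed to be the intercepted go mod command
}


def strip_version(ecosystem: str, spec: str) -> str:
    """Reduce a package spec to its name: lodash@4.17.21, requests==2.31, mod@v1."""
    if ecosystem == "pypi":
        return re.split(r"[=<>!~\[;]", spec, maxsplit=1)[0]
    cut = spec.rfind("@")
    return spec if cut <= 0 else spec[:cut]  # index 0 is an npm scope, not a version


def parse_install_command(command: str) -> list[tuple[str, str]]:
    """Return the (ecosystem, package) pairs an install command would fetch.

    Non-install commands and flags yield nothing; a pip requirements file
    argument is skipped rather than mistaken for a package name.
    """
    argv = shlex.split(command)
    if len(argv) < 2 or argv[0] not in INSTALL_VERBS:
        return []
    verbs, ecosystem = INSTALL_VERBS[argv[0]]
    if argv[1] not in verbs:
        return []
    packages, skip_next = [], False
    for arg in argv[2:]:
        if skip_next:
            skip_next = False
            continue
        if arg in ("-r", "--requirement"):
            skip_next = True
            continue
        if arg.startswith("-"):
            continue
        packages.append((ecosystem, strip_version(ecosystem, arg)))
    return packages


def decide(command: str) -> tuple[str, list[str]]:
    """Combine per-package verdicts: any BLOCK blocks, else any REVIEW, else ALLOW."""
    worst, reasons = "ALLOW", []
    for key in parse_install_command(command):
        verdict, why = FAKE_VERDICTS.get(key, ("REVIEW", ["no evaluation data"]))
        if RANK[verdict] > RANK[worst]:
            worst = verdict
        reasons.extend(f"{key[1]}: {r}" for r in why)
    return worst, reasons


def hook_result(decision: str, reasons: list[str]) -> tuple[int, str]:
    """Map a decision to (exit code, message); exit 2 = do not proceed (assumed)."""
    detail = "\n  ".join(reasons)
    if decision == "BLOCK":
        return 2, "Blocked by your organization's security policy:\n  " + detail
    if decision == "REVIEW":
        return 2, "Requires human approval before installation:\n  " + detail
    return 0, ""


def main() -> None:
    event = json.load(sys.stdin)  # PreToolUse event; shape assumed
    command = event.get("tool_input", {}).get("command", "")
    code, message = hook_result(*decide(command))
    if message:
        print(message, file=sys.stderr)
    sys.exit(code)


if __name__ == "__main__":
    main()
```

A command that installs several packages at once is judged by its worst package, and a package with no evaluation data falls through to review rather than allow, so an unknown name never slips past the policy by default.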

All evaluation events are logged and visible in your dashboard under **Monitor > Events**.

\* OpenSSF and the OpenSSF logo design are trademarks of The Linux Foundation. See openssf.org for more information.
