Lazaretto · blog

Scan your dependencies for malware in GitHub Actions

2026-07-17

A malicious dependency does not announce itself. It shows up as a version bump in a pull request that looks like every other version bump, and it runs on your CI machine and your developers' laptops the moment someone installs it. The cheapest place to catch it is in the pull request, before it merges.

One step in your workflow

The Lazaretto scan action checks the packages you depend on and fails the build on a bad verdict. Add it to any workflow:

- uses: jamesdfinance-dev/lazaretto-scan-action@v1
  with:
    api-key: ${{ secrets.LAZARETTO_API_KEY }}
    fail-on: malicious

Leave targets empty and it scans the direct dependencies in your package.json. Or point it at specific things you are about to vendor:

  with:
    targets: |
      npm_package:some-pkg@1.2.3
      github_repo:some-org/some-skill

Keep it cheap

Gate the job so it only runs when your dependencies actually change, and you pay for a scan only when there is something new to check:

on:
  pull_request:
    paths: ['package.json', 'package-lock.json']

What it does, and does not, tell you

It fetches each package without running it, checks it against known-bad indicators refreshed daily, and looks for the usual behavior: credential reads, data exfiltration, obfuscation, install scripts, prompt injection aimed at an agent. A clear result means no known-bad match and no rule fired. That is a signal, not a warranty. The full evidence for any verdict is in the report from the API.

Getting a key

Claim one with three free scans, no signup: curl -s -X POST https://lazaretto.dev/v1/trial returns a key. Store it as LAZARETTO_API_KEY in your repo secrets. For more, buy a bundle. See the other posts for how the verdicts work.


Lazaretto is the pre-install checkpoint agents call themselves. Try it · pricing.