Threat intelligence for
autonomous coding agents
Beekeeper mediates every package install, credential file read, and network request your agent makes against threat intelligence and structural policy.
go install github.com/home-beekeeper/beekeeper/cmd/beekeeper@latestCalm by default
Quiet until it isn't.
The TUI stays silent for weeks at a time. When a catalog sync hit reaches the corroboration threshold or Sentry correlates a credential read with an outbound connection, the dashboard surfaces the incident and your response options.
What it does
Stop supply chain attacks before they reach your agents.
Beekeeper sits between your coding agent and your machine. Every install, file read, and network call passes through a policy engine that knows what attackers do.
First-class integration for Claude Code, Cursor, Codex CLI, OpenCode, Continue, and any MCP-speaking client. Tool calls cannot bypass the harness. Native-tool agents route through the gateway; package managers are caught by the shim layer.
One source warns. Two enforce. Three quarantine. The 2FA principle for threat intel.
Sentry catches the credential-read signature live. Fires on behavior, not catalog identity.
Quiet by design. Escalates on its own when something fires.
Steers npm install to pnpm or Bun with structural defenses npm lacks.
Apache 2.0. Reproducible builds, Sigstore-signed releases, SLSA L3 provenance. No telemetry, no upsell, no SaaS lock-in. Every release verifiable from source.
Recent supply chain compromises
Real 2026 supply-chain campaigns.
Not hypothetical. Each row is a named package, the date it broke, and the damage it did.
How it works
Two layers, working together.
Reactive defense catches what's been catalogued. Proactive defense catches what hasn't. Each compensates for the other's blind spots.
Match every install against intelligence
Catalogs sync in the background from Bumblebee, OSV, and Socket, every 2 hours by default. Every install your agent runs is matched against the current index on the spot.
When a sync brings new intel, Beekeeper re-checks the packages already installed. A hit corroborated by two sources can move to a reversible quarantine: opt-in, dry-run by default, with the permanent purge always human-gated.
The 2FA principle keeps false positives bounded: one source can only warn, a real block needs two catalogs to agree.
Watch behavior, not just identity
Sentry runs as a privileged daemon. It correlates process events, file access on sensitive paths, and outbound connections into the exfiltration signature.
Fires when an extension host descendant reads credentials and opens a connection: the Nx Console pattern, expressed in behavior.
The layers talk: when Layer 1 corroborates a flagged package, Sentry tightens its watch on that package's processes, escalating faster on a credential read. Detection-only, never a kill.
Built different
A security tool that takes its own integrity seriously.
Checkmarx. Trivy. SAP. TanStack. Bitwarden. Every name on TeamPCP's kill list in 2026 was a security vendor that became an attack vector. Beekeeper plans for its own compromise from day one.
make verify-release ships with every tag.beekeeper-self catalog auto-quarantines known-bad releases on next startup.Quickstart
Protected in 60 seconds.
Three commands. No configuration required. Beekeeper ships with sane defaults.
Drop the binary into your path. Requires Go 1.25+ or use brew/scoop.
Auto-installs the hook into Claude Code. Cursor, Codex, others supported.
Launches the calm-mode TUI. Stays quiet until something fires.
Harness support
17 agent harnesses. Three tiers of coverage.
Beekeeper supports 17 coding-agent harnesses. Support depth depends on what upstream hook mechanisms each harness provides, we document exactly what is and is not covered.
The harness has a pre-exec hook mechanism. Beekeeper installs a hook that runs `beekeeper check` before each tool call. On block: exits 2, emits harness-specific deny JSON, writes human-readable reason to stderr. Claude Code is the only locally live-verified harness; the remaining nine Tier-1 harnesses are documented contract.
Live-verified on this machine (HPC-04). Hooks reload mid-session; settings.json merge required.
Documented contract. Requires [features] hooks=true in config.toml; non-Bash/MCP coverage gated on PR #18385.
Documented contract. failClosed:true required (Cursor is fail-OPEN by default); three separate hook events.
Documented contract. Matchers support mcp:*; layered settings.json.
Documented contract. Claude Code clone schema.
Documented contract. Gemini-CLI fork that adopted Claude's schema.
Documented contract. Gemini-native decision field; matcher = regex on tool name.
Documented contract. Flat JSON schema (NOT nested); ~/.copilot/settings.json or .github/hooks/*.json.
Documented contract. Field name MED-confidence (docs conflict); Beekeeper emits both forms defensively.
Documented contract. Fail-OPEN on non-2 exit; Windows uses powershell key; no JSON deny form.
These harnesses have a hook mechanism, but a structural caveat limits coverage or reliability. Hermes is structurally fail-OPEN (exit codes ignored, block rests on stdout JSON only). Cline is macOS/Linux only. OpenCode uses a JS plugin that misses subagent task calls.
fail-OPEN harness, exit codes IGNORED. Block rests entirely on stdout JSON. Any timeout, crash, or non-JSON output causes Hermes to allow the tool call. MCP gateway is more robust.
macOS/Linux ONLY, no Windows support. Hook = executable file PreToolUse (no ext) in .clinerules/hooks/.
JS plugin (tool.execute.before). Does NOT catch subagent task calls (#5894) or historically MCP calls (#2319).
These four harnesses are integrated through the MCP gateway, not a pre-exec hook file. Beekeeper only intercepts tool calls routed through the gateway; any native built-in tool (Bash, file read/write, shell execution) the agent invokes directly bypasses Beekeeper. Kilo and Trae have no upstream pre-exec hook (e.g. Kilo FR #5827); Continue and OpenClaw are wired via their MCP client config. A real residual coverage gap, not a Beekeeper implementation bug.
Native Bash/file/shell tools UNGUARDED, no pre-exec hook (upstream FR #5827). Only MCP tools intercepted via gateway.
Native shell/file tools UNGUARDED, no programmatic pre-exec hook. Native commands gated only by Trae's UI. Only MCP tools intercepted via gateway.
Wired via MCP client config (~/.continue/config.yaml), not a pre-exec hook file. Only MCP tools routed through the gateway are intercepted; native/non-MCP tools are UNGUARDED.
Wired via MCP client config (~/.openclaw/config.json), not a pre-exec hook file. Only MCP tools routed through the gateway are intercepted; native/non-MCP tools are UNGUARDED.
FAQ
Common questions.
Is Beekeeper a replacement for Snyk, Socket, or Dependabot?
Does Beekeeper send my code or data anywhere?
What's the performance cost?
Does it work on Windows?
Does Beekeeper automatically delete flagged packages?
os.Rename plus a restore manifest; you can put it back with a single command. Auto-quarantine also starts in dry-run mode, so even after you enable it, no move happens until you explicitly set dry_run to false. The permanent purge is always human-gated: the TUI surfaces the incident with a [P] purge option and a [R] restore option, and the CLI purge command requires a y/N confirmation.Can I trust the binary I just downloaded?
make verify-release target reproduces the binary and compares hashes. Distrust is the appropriate posture. Don't trust us; verify us.Arm your local agents with threat intelligence.
Beekeeper is open source, dogfooded daily, and ready for your machine.