How It Works

From install to verified in seconds

Every package your team installs goes through an 8-step verification pipeline — automatically, transparently, and without slowing anyone down.

01

Developer runs install

A developer in your organization runs npm install, pip install, or go get. The request goes through SourceSeal's registry proxy instead of hitting the public registry directly.

You configure this once — one line in .npmrc or pip.conf, or one environment variable (GONOSUMDB) for Go. After that, every install is automatically verified. No workflow changes for your team.

02

Package is downloaded

SourceSeal downloads the published package from the public registry (npm, PyPI, Go modules) and stores it for comparison.

We also pull the source code from the linked repository (GitHub, GitLab, etc.) at the exact version tag. Both artifacts — published and source — are now ready for verification.

03

Rebuild from source

The package is rebuilt from source code inside an isolated container. Network access is completely disabled during the build step, so a build script cannot fetch extra code or send anything out.

This is the core of reproducible build verification. If the author published what the source repository contains, our rebuild should produce an identical result. If it doesn't, something differs between the source and what was published.

04

Byte-by-byte comparison

The published package is compared against our rebuild, file by file. Any difference — even a single byte — is flagged.

This catches build-time injection attacks like SolarWinds, where malicious code was inserted during the build process but never appeared in the source repository.

05

AI security analysis

Every file is analyzed by our AI engine for malicious patterns — backdoors, credential theft, obfuscation, reverse shells, cryptominers, and data exfiltration.

The AI was trained on real-world supply chain attacks: SolarWinds, event-stream, ua-parser-js, xz-utils, Glassworm, and more. It catches what signature-based scanners miss.

06

Sign & store

If the package passes all checks, it's cryptographically signed with Ed25519 and uploaded to decentralized storage (IPFS).

The signature proves that SourceSeal verified this exact version at this exact time. The decentralized storage ensures the proof can't be silently deleted.
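Steps 03, 04 and 06 in miniature, as an added example that is not SourceSeal's code: a file-by-file comparison of a published artifact against its rebuild, and an Ed25519-signed attestation for a package whose rebuild matched. The `Package` and `Attestation` types, the `Compare`, `Digest` and `Attest` functions, the JSON attestation layout and the sample package contents are all assumptions; the page does not describe SourceSeal's real attestation format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"sort"
)

type Package map[string][]byte // unpacked artifact held in memory: path -> file contents

// Compare lists paths whose bytes differ, including files present on only one side.
func Compare(published, rebuilt Package) []string {
	var diffs []string
	for path, pub := range published {
		if reb, ok := rebuilt[path]; !ok || string(pub) != string(reb) {
			diffs = append(diffs, path)
		}
	}
	for path := range rebuilt {
		if _, ok := published[path]; !ok {
			diffs = append(diffs, path)
		}
	}
	sort.Strings(diffs)
	return diffs
}

// Digest hashes a canonical JSON encoding of p (encoding/json sorts map keys).
func Digest(p Package) string {
	enc, _ := json.Marshal(p)
	return fmt.Sprintf("%x", sha256.Sum256(enc))
}

type Attestation struct{ Name, Version, Digest, VerifiedAt string } // assumed record layout

// Attest signs the JSON form of a with Ed25519; payload and signature are stored together.
func Attest(priv ed25519.PrivateKey, a Attestation) (payload, sig []byte) {
	payload, _ = json.Marshal(a)
	return payload, ed25519.Sign(priv, payload)
}

func main() {
	pkg := Package{"index.js": []byte("module.exports = 1;\n")} // constructed sample package
	_, priv, _ := ed25519.GenerateKey(rand.Reader)
	payload, sig := Attest(priv, Attestation{"demo-pkg", "1.0.0", Digest(pkg), "2024-01-01T00:00:00Z"})
	fmt.Println(Compare(pkg, pkg), ed25519.Verify(priv.Public().(ed25519.PublicKey), payload, sig))
}
```

A verifier only needs the stored payload, the signature and SourceSeal's public key; the `Digest` inside the payload is what ties the signature to the exact bytes that were checked.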

07

Record on blockchain

The verification attestation is recorded on an immutable Hyperledger Fabric ledger. This creates a permanent, tamper-proof record.

Even if SourceSeal's servers were compromised, the blockchain record remains intact. Anyone can independently verify that a package was checked and when.

08

Deliver to developer

Only packages that passed verification are served to the developer. Flagged or unverified packages are blocked automatically.

The developer gets their package as usual — fast and seamless. The entire verification pipeline runs in the background. If something is blocked, the developer and the security team are notified.

See it in action

Request a demo and we'll walk you through the full pipeline with your own packages.