The problem

When you publish a package with native binaries, your users have no way to verify that the compiled code matches your source. Pre-built binaries are opaque — they could contain anything from legitimate optimizations to supply-chain backdoors. Tools like npm audit and Snyk only check known CVEs and source patterns. They never look inside the .node file that actually executes on your users' servers.

For foundation projects and widely-depended-upon packages, this trust gap is a liability. One compromised binary in a popular package like bcrypt, sharp, or sqlite3 could affect millions of downstream applications.

How BinShield builds trust

Four trust signals

Trust signal: Binary-source alignment

BinShield decompiles your published .node, .so, and .wasm files and compares the recovered behavior against your source code. High-confidence alignment proves the binary wasn't tampered with after compilation.

Trust signal: Behavioral transparency

Every behavior detected in a binary — network calls, filesystem access, crypto operations, process spawning — is documented with evidence. Consumers can verify that your package does exactly what its README says.

Trust signal: CycloneDX SBOM attestation

Generate a machine-readable SBOM that lists every native artifact, its hash, and its classified behavior. Attach it to your release as a verifiable attestation of binary contents.

Trust signal: Version drift monitoring

Track how binary behavior changes across releases. If a new version introduces unexpected network access or obfuscation patterns, BinShield flags it before your users discover it.

For maintainers

Add BinShield to your CI pipeline to automatically verify every release. The GitHub Action scans your published binaries, generates a behavioral SBOM, and can be configured to fail the build if unexpected behaviors appear in your compiled artifacts.

Attach the SBOM to your GitHub Release as a transparency attestation. Consumers who depend on your package can independently verify what the binary does before upgrading.
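The SBOM attestation and version drift signals above, together with the CI "fail the build" policy, as an added example in Python that is not BinShield's own code: it emits a CycloneDX 1.5 JSON SBOM with one file component per native artifact (SHA-256 hash plus behavior labels), then diffs two releases' SBOMs and fails when a newly introduced behavior is on a deny list. The property name `binshield:behavior`, the behavior labels and the default deny list are assumptions for illustration, and the artifact bytes are constructed rather than real package data.

```python
import hashlib

BEHAVIOR_PROP = "binshield:behavior"  # assumed property name, not BinShield's actual schema

def build_sbom(pkg, version, artifacts, behaviors):
    """CycloneDX 1.5 JSON: one 'file' component per artifact with its SHA-256 and behavior labels
    (behaviors maps artifact name -> labels such as network, filesystem, crypto, process)."""
    components = [{
        "type": "file", "name": name,
        "hashes": [{"alg": "SHA-256", "content": hashlib.sha256(data).hexdigest()}],
        "properties": [{"name": BEHAVIOR_PROP, "value": b} for b in sorted(behaviors.get(name, ()))],
    } for name, data in sorted(artifacts.items())]
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "metadata": {"component": {"type": "library", "name": pkg, "version": version}},
            "components": components}

def _index(sbom):
    """artifact name -> (sha256 hex, set of behavior labels)"""
    return {c["name"]: (c["hashes"][0]["content"],
                        {p["value"] for p in c.get("properties", []) if p["name"] == BEHAVIOR_PROP})
            for c in sbom["components"]}

def drift(old_sbom, new_sbom, deny=("network", "process", "obfuscation")):
    """Compare two releases' SBOMs -> (findings, should_fail). findings lists new/removed artifacts,
    changed hashes and newly introduced behaviors; should_fail is the CI policy: True when an
    introduced behavior is on the (assumed) deny list."""
    old, new = _index(old_sbom), _index(new_sbom)
    findings, fail = [], False
    for name, (digest, behs) in new.items():
        if name not in old:
            findings.append(f"{name}: new artifact with behaviors {sorted(behs)}")
            introduced = behs
        else:
            old_digest, old_behs = old[name]
            if digest != old_digest:
                findings.append(f"{name}: binary changed ({old_digest[:12]} -> {digest[:12]})")
            introduced = behs - old_behs
            findings += [f"{name}: introduced behavior '{b}'" for b in sorted(introduced)]
        fail = fail or bool(introduced & set(deny))
    findings += [f"{name}: artifact removed" for name in sorted(old.keys() - new.keys())]
    return findings, fail

# Constructed sample (not real package data): v1, and a v2 rebuild whose addon gained network access.
ADDON = "build/Release/addon.node"
V1 = build_sbom("example-native", "1.0.0", {ADDON: b"v1 constructed bytes"}, {ADDON: ["crypto"]})
V2 = build_sbom("example-native", "1.1.0", {ADDON: b"v2 constructed bytes"}, {ADDON: ["crypto", "network"]})
```

For a real release, read the bytes of each .node, .so or .wasm file from the unpacked package tarball and feed them in as `artifacts`; `drift(previous_sbom, current_sbom)[1]` is the value to gate the build on.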


For consumers

Before adding a native dependency to your project, check its BinShield analysis. Review the behavior classification, inspect the decompiled evidence, and verify that the binary does only what the package documentation claims.
