Open source · eBPF · Apache-2.0
Know which dependency did it.
The kernel can tell you a process read a secret or connected to a new host. Goodman tells you which npm package — and which version — did it, and alerts the moment a dependency does something it has never done before.
Runs on your cluster · Helm install in minutes · detection-first, no agents in your code
$ goodmanctl alerts tail
CRITICAL dependency behavior drift
service · checkout-api
package · [email protected]
+ NEW CONNECT 169.254.169.254:80
+ NEW POST git-tanstack.com/collect
baseline 1.169.4 · learned over 41 days · 0 prior anomalies
→ attributed to package in 2m 41s. your scanner is still green.
84
malicious versions published from one compromised release pipeline
6 min
the malicious code ran inside a legitimate pipeline before anyone noticed
0
static scanners flagged it — the only signals were behavioral, at the kernel
The 2026 npm supply-chain attacks (TanStack, Axios, Shai-Hulud) all shared one trait: install-time checks were green while runtime behavior changed.
54-second demo
From syscall to package name
Watch Goodman learn a baseline, catch a poisoned version reading credentials, and name the exact package — live in the dashboard.
What it catches
Built for dependency behavior drift
Scanners judge what a package might do. Goodman watches what it actually does in your production workloads.
How it works
Kernel truth, package-level answers
One privileged sensor per node, one collector, one dashboard. Attribution is conservative by design — Goodman reports <unknown> rather than guess a package name.
Where it sits
Complementary to your scanner — not a replacement
Supply-chain defense is layered. Goodman is the runtime layer that keeps working after everything upstream said the package was fine.
Open source
Apache-2.0. Runs on your cluster.
The sensor, collector, dashboard, and Helm chart are all open. Your syscall data never leaves your infrastructure. SQLite for a laptop, Postgres for production, Prometheus metrics and an SSE stream built in.
Try it locally — no root needed
git clone https://github.com/hi-heisenbug/goodman cd goodman && make demo
Install on Kubernetes
scripts/install-k8s.sh --cluster prod scripts/enable-node-attribution.sh -n checkout --all
FAQ
Common questions
- What is Goodman?
- Goodman is an open-source runtime dependency-security sensor. It uses eBPF to capture security-relevant Linux syscalls, attributes each one to the exact npm package and version that caused it, learns a behavioral baseline per service, package, and version, and alerts when a dependency starts doing something it has never done before.
- How is this different from a dependency scanner (SCA)?
- Scanners judge what a package might do before you install it — static analysis, registry metadata, known CVEs. Goodman watches what dependencies actually do in production. The 2026 TanStack and Axios attacks passed every scanner; the malicious behavior only appeared at runtime. The two layers are complementary, and we recommend running both.
- How is this different from Falco or other eBPF runtime security tools?
- Generic runtime tools tell you a process opened a file or connected to an IP. Goodman resolves the user-space stack through V8 perf maps and tells you which npm package inside that process did it — for example [email protected], not just node. Package-level attribution is the core difference.
- Does it slow down my production workloads?
- The sensor uses CO-RE eBPF tracepoints on file open, network connect, and process exec for watched processes only. Node attribution uses V8 perf maps enabled with one NODE_OPTIONS environment variable. Overhead is designed to be low enough for production; you can scope watching to specific namespaces or deployments.
- Does my data leave my infrastructure?
- No. Goodman is fully self-hosted: the sensor, collector, dashboard, and storage (SQLite or Postgres) all run on your cluster. Syscall data never leaves your infrastructure.
- Can attribution be wrong?
- Goodman is deliberately conservative: when it cannot resolve a syscall to a package with confidence, it reports <unknown> rather than guess. Incorrect attribution is worse than no attribution.
- Does it block attacks or only detect them?
- Detection-first in v1. Goodman observes, attributes, fingerprints, and alerts — it does not block or sandbox. Blocking on kernel-level signals without high-confidence attribution causes outages; we are building trust in the signal first.
- What does it cost?
- The software is free and open source under Apache-2.0. Heisenbug offers paid design-partner pilots that include deployment on your cluster, rule tuning, and a weekly dependency-behavior report. Email [email protected].
Design partners
We are taking three design partners
We deploy Goodman on your cluster, tune the rules, and walk you through a dependency-behavior report every week. You get the runtime layer done for you — we get your criticism.
Not ready to talk? Get the supply-chain research and release notes.