Documentation

Getting Started

Installation

Get Agentinel running in under two minutes. No account, API key, or server required.

Fully offline setup

Agentinel bundles the OSV database locally. There is no registration, no API key, and no outbound network call at scan time. The package itself is the only thing you need to install.


Prerequisites

  • Node.js 20 or higher installed on your machine
  • An npm-based project (package.json must exist)
  • At least one AI coding agent (Claude Code, Copilot CLI, Codex CLI, or Gemini CLI)

Step-by-step guide

1

Install the package

Install Agentinel as a dev dependency in your project. It ships with the bundled OSV database, so there are no extra downloads.

npm install --save-dev agentinel

Prefer pnpm or yarn? Both work fine: pnpm add -D agentinel

2

Run the init command

The asen init command auto-detects which AI agents you have installed and wires up the appropriate hooks. It also installs a Git pre-commit hook to scan your staged lockfile on every commit.

npx asen init

This writes hooks.json (Claude Code), .agentinel.json, and a Git hook to your project root.

3

Verify the setup

After a successful asen init, you should see output similar to:

  agentinel v1.0.0 initialized

  Hooks wired:
    Claude Code   hooks.json        OK
    Codex CLI     .codex/config     OK
    Copilot CLI   .copilot/config   OK
    Gemini CLI    .gemini/config    OK

  Git pre-commit hook installed.
  Config written to .agentinel.json

  Run `npx asen check` to scan your current lockfile.

Only the agents you have installed will appear in the hooks list.

Optional: Installing the PATH shim

If your agent runs npm directly (rather than through a hook), you can install a global PATH shim that intercepts all npm install calls system-wide before forwarding them to the real npm binary.

npx asen init --shim

Shim caveat

The PATH shim modifies your shell profile and replaces the npm command globally. To remove it cleanly, run npx asen unshim.

Optional: CI/CD integration

Use npx asen check in your pipeline to scan staged lockfile dependencies before they land in production. Add it to your CI step:

# GitHub Actions example
- name: Scan dependencies with Agentinel
  run: npx asen check

The command exits with code 1 if any flagged packages are detected, causing the pipeline to fail.

Next steps