Configuration

Bouncer stores configuration in ~/.bouncer/config.json. Most users don't need to change anything.

Config commands

$ bouncer config get min_package_hours
48
$ bouncer config set min_package_hours 72

Settings

| Key | Description | Default |
| --- | --- | --- |
| min_package_hours | Warn when a package is newer than this many hours | 48 |
| min_downloads | Warn when a package has fewer than this many weekly downloads | 100 |
| paranoid | Block warnings in script mode instead of silencing them | false |

Rules

Every heuristic rule has a default behavior of allow, warn, or block. Override any of these defaults by running bouncer config set rules with a rule ID and your desired action.

$ bouncer config get rules
# list every rule and its current severity
$ bouncer config get rules typosquat
warn (default)
$ bouncer config set rules typosquat block
# run with no severity for an interactive picker

| Rule ID | Description | Default |
| --- | --- | --- |
| typosquat | Package name is suspiciously similar to a popular package | warn |
| package_age | Package is below the minimum age threshold | warn |
| low_downloads | Package is below the minimum downloads threshold | warn |
| no_readme | Package has no README | warn |
| install_script | Package runs scripts during installation | warn |
| eval_base64 | Eval of base64-encoded data | warn |
| exec_decode | Exec of decoded data | warn |
| exfil_service | Exfiltration service URL | warn |
| ngrok_tunnel | Ngrok tunnel URL | warn |
| pipe_to_shell | Pipe-to-shell execution | warn |
| env_var_access | Environment variable access in install script or entry point | warn |
| telegram_upload_api | Telegram upload API in package entry point | warn |
| discord_webhook_api | Discord webhook API in package entry point | warn |
| burp_collaborator_api | Burp Collaborator callback in package entry point | warn |
| binary_no_source | Package contains no readable source code | warn |
| burp_collaborator | Burp Collaborator callback URL | block |
| telegram_exfil | Telegram document exfiltration | block |
| discord_webhook | Discord webhook in install script | block |
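
Added example, not part of Bouncer's own documentation: a POSIX shell helper for CI that escalates chosen rules to block using the `bouncer config set rules` form shown above, then reads each one back. The selection in `CI_BLOCK_RULES`, the `--apply` argument, and the expectation that the read-back starts with the action name (as in `warn (default)`) are assumptions of this example.

```shell
#!/bin/sh
# Added example: escalate selected Bouncer rules from warn to block in CI.
# Uses only the `bouncer config get|set rules <id> [action]` forms shown above.

# Constructed policy: warn-by-default rule IDs (from the table) to block in CI.
CI_BLOCK_RULES="install_script eval_base64 exec_decode exfil_service ngrok_tunnel pipe_to_shell"

# is_action ACTION: succeeds if ACTION is one of the three documented behaviors.
is_action() {
    case "$1" in
        allow|warn|block) return 0 ;;
        *) return 1 ;;
    esac
}

# apply_policy ACTION RULE_ID...: set each rule, then read it back.
# Returns 2 on an invalid action, 1 if any set fails or a read-back differs.
apply_policy() {
    action=$1; shift
    is_action "$action" || { echo "invalid action: $action" >&2; return 2; }
    failed=0
    for rule in "$@"; do
        if ! bouncer config set rules "$rule" "$action" >/dev/null; then
            echo "set failed: $rule" >&2; failed=1; continue
        fi
        # Assumption: the read-back prints the action first, as in "warn (default)".
        current=$(bouncer config get rules "$rule")
        case "$current" in
            "$action"*) ;;
            *) echo "mismatch: $rule is '$current'" >&2; failed=1 ;;
        esac
    done
    return "$failed"
}

# Only touch the configuration when explicitly asked (hypothetical --apply argument),
# so a CI job fails closed if any override did not take effect.
if [ "${1:-}" = "--apply" ]; then
    # Word splitting of the rule list is intended here.
    apply_policy block $CI_BLOCK_RULES
fi
```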

Environment variables

| Variable | Description |
| --- | --- |
| BOUNCER_API_KEY | Override API key (useful in CI) |