Open Source · Local Endpoint Developer Tool

LEGION

A Local Endpoint Developer Tool

Legion is a local endpoint developer tool that scans your packages for CVEs, flags connections to known-malicious IPs, catches typosquatted and vulnerable AI SDK packages, runs continuously-updated YARA rules, and models a heuristic baseline of the host, then reports the drift. One Rust binary, no runtime dependencies, on Linux and Windows.

Latest release · Linux · Windows · Rust · no runtime

What It Does

A continuously-updated security monitor that watches packages, connections, files, and host state, all on the machine, all open source.

CVE Package Scanning

Scans installed packages against OSV and CISA KEV to flag known-vulnerable and actively-exploited dependencies across ecosystems.

Malicious IP Detection

Flags outbound connections to known-bad infrastructure using live ThreatFox and AbuseIPDB intelligence.

AI SDK Supply-Chain

Detects typosquatted and vulnerable AI SDK packages before they make it into your build.

Pure-Rust YARA Engine

A dependency-free YARA-compatible engine scans files on Linux and Windows with per-OS, continuously-updated rules.

Heuristic Baseline & Drift

Fingerprints the host on first launch, then reports drift: new processes, new outbound peers, new packages, and fresh YARA hits.

Live Threat Intel

Pulls and caches CISA KEV and ThreatFox feeds so correlation runs locally and fast, even offline between refreshes.

Quarantine & Remediation

Quarantine risky packages and print the exact removal command straight from the CLI or dashboard.

Dashboard, CLI & TUI

Run it your way: a localhost browser dashboard, a scriptable CLI, or a terminal TUI. Same engine, one binary.

One Dashboard, Three Surfaces

A localhost browser dashboard for the full picture, a CLI for automation, and a TUI for the terminal, same engine underneath.

The Legion web dashboard at localhost:3000, with host gauges, package and connection findings, threat-feed status, and the live audit log.

Download Legion

Native builds for Linux and Windows. Grab the archive for your platform, extract, and run. No runtime to install.


Linux: x86_64 · musl static

Windows: x86_64 · MSVC

Each archive contains the legion CLI, the legion-web dashboard, and the TUI. Verify checksums and browse older builds on GitHub Releases.

Secure by Construction

Legion delegates access control to the operating system and keeps everything on the host.

Loopback by default

legion-web binds to 127.0.0.1, rejects requests whose Host header is not a loopback address (a DNS-rebinding guard), sends no CORS headers, sets strict security headers, and rate-limits requests.
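To make the DNS-rebinding guard concrete, here is an added example of a Host-header allow-list for a loopback listener. It is written for this page and is not Legion's own code; the function name host_header_allowed, the bound port 3000 and the sample header values are assumptions. A rebinding attack points the attacker's hostname at 127.0.0.1 after the page loads, so the browser's request arrives with Host set to that hostname; the check below accepts only "localhost" or a loopback IP literal, with the port (when present) equal to the port the server actually bound.

```rust
use std::net::IpAddr;

/// Split a Host header value into (host, optional port).
/// Bracketed IPv6 literals ("[::1]:3000") are handled; a bare, unbracketed
/// IPv6 literal is rejected because its colons are ambiguous with a port.
fn split_host_port(value: &str) -> Option<(&str, Option<u16>)> {
    let value = value.trim();
    if value.is_empty() {
        return None;
    }
    if let Some(rest) = value.strip_prefix('[') {
        let end = rest.find(']')?;
        let host = &rest[..end];
        let tail = &rest[end + 1..];
        if tail.is_empty() {
            return Some((host, None));
        }
        let port = tail.strip_prefix(':')?.parse::<u16>().ok()?;
        return Some((host, Some(port)));
    }
    match value.rsplit_once(':') {
        Some((host, port)) => {
            if host.contains(':') {
                return None;
            }
            let port = port.parse::<u16>().ok()?;
            Some((host, Some(port)))
        }
        None => Some((value, None)),
    }
}

/// Accept the request only if the Host header names this loopback listener:
/// "localhost" or a loopback IP literal, with the port (if present) equal to
/// `bound_port`. Anything else, including "localhost.attacker.example" and
/// "127.0.0.1.attacker.example", is refused, which is what keeps a rebinding
/// attacker's hostname from being served by the local server.
/// (Hypothetical helper written for this example, not Legion's API.)
pub fn host_header_allowed(value: &str, bound_port: u16) -> bool {
    let (host, port) = match split_host_port(value) {
        Some(parts) => parts,
        None => return false,
    };
    if let Some(p) = port {
        if p != bound_port {
            return false;
        }
    }
    if host.eq_ignore_ascii_case("localhost") {
        return true;
    }
    // Strict IP parsing: shorthand such as "127.1" does not parse and is refused;
    // an IPv4-mapped IPv6 address ("::ffff:127.0.0.1") is not ::1 and is refused too.
    match host.parse::<IpAddr>() {
        Ok(ip) => ip.is_loopback(),
        Err(_) => false,
    }
}

fn main() {
    // Constructed sample Host header values, as a browser or a rebinding page would send them.
    let samples = [
        "127.0.0.1:3000",
        "localhost:3000",
        "[::1]:3000",
        "LOCALHOST",
        "127.0.0.1:8080",
        "localhost.attacker.example:3000",
        "127.0.0.1.attacker.example:3000",
        "192.168.1.10:3000",
        "[::ffff:127.0.0.1]:3000",
        "",
    ];
    for s in samples.iter() {
        println!("{:40} -> {}", format!("{:?}", s), host_header_allowed(s, 3000));
    }
}
```

The port comparison matters: a page served from another local port (say a dev server on 8080) is same-site in the browser's eyes but still should not be able to drive this dashboard. Keeping the allow-list exact rather than checking a "localhost" prefix is what defeats the subdomain trick.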

OS-native access control

No in-app login. Elevation goes through the native prompt (UAC on Windows, polkit on Linux), and the database, config, and rules are created owner-only (0600 for files, 0700 for directories).
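The owner-only guarantee is only as good as how the files are created: creating a world-readable file and then chmod'ing it leaves a window, and following an existing path can land you in a file someone else planted. The added example below, written for this page and not taken from Legion, shows the Linux side of that pattern: the mode is passed to open(2) and mkdir(2) at creation time, create_new refuses to clobber or follow an existing path, and an already-present directory is checked rather than trusted. The function names, the temp-dir location and the placeholder config contents are assumptions; Windows permissions are ACL-based and are not covered here.

```rust
use std::fs::{self, DirBuilder, OpenOptions};
use std::io::{self, Write};
use std::os::unix::fs::{DirBuilderExt, OpenOptionsExt, PermissionsExt};
use std::path::Path;

/// Create `dir` with mode 0700 in the mkdir call itself. If it already exists
/// (perhaps created earlier, perhaps by someone else), refuse to proceed unless
/// group and other bits are clear. (Hypothetical helper for this example.)
pub fn ensure_private_dir(dir: &Path) -> io::Result<()> {
    match DirBuilder::new().mode(0o700).create(dir) {
        Ok(()) => Ok(()),
        Err(e) if e.kind() == io::ErrorKind::AlreadyExists => {
            let mode = fs::metadata(dir)?.permissions().mode() & 0o777;
            if mode & 0o077 != 0 {
                return Err(io::Error::new(
                    io::ErrorKind::PermissionDenied,
                    format!("{} is mode {:o}, expected 0700", dir.display(), mode),
                ));
            }
            Ok(())
        }
        Err(e) => Err(e),
    }
}

/// Create a new file with mode 0600 in a single open(2) call.
/// create_new maps to O_CREAT|O_EXCL, so an existing file or a symlink at
/// `path` makes the call fail instead of being reused or followed, and passing
/// the mode at creation avoids a create-then-chmod window.
pub fn create_private_file(path: &Path) -> io::Result<fs::File> {
    OpenOptions::new()
        .write(true)
        .create_new(true)
        .mode(0o600)
        .open(path)
}

/// Permission bits of `path`, low nine bits only.
pub fn mode_of(path: &Path) -> io::Result<u32> {
    Ok(fs::metadata(path)?.permissions().mode() & 0o777)
}

/// Demo: build a private state directory under the temp dir, write a
/// placeholder config into it, and return (dir mode, file mode) for checking.
/// The directory is removed again before returning.
pub fn demo() -> io::Result<(u32, u32)> {
    let dir = std::env::temp_dir().join(format!("legion-demo-{}", std::process::id()));
    let _ = fs::remove_dir_all(&dir); // clear any leftover from an earlier run
    ensure_private_dir(&dir)?;
    let cfg = dir.join("config.toml");
    {
        let mut f = create_private_file(&cfg)?;
        // Constructed placeholder content; not a real Legion config.
        writeln!(f, "# placeholder config written by the example")?;
    }
    let modes = (mode_of(&dir)?, mode_of(&cfg)?);
    fs::remove_dir_all(&dir)?;
    Ok(modes)
}

fn main() -> io::Result<()> {
    let (dir_mode, file_mode) = demo()?;
    println!("dir mode {:o}, file mode {:o}", dir_mode, file_mode);
    Ok(())
}
```

The mode requested at creation is still filtered by the process umask, so 0600 and 0700 hold for any sane umask; the explicit check in ensure_private_dir is what catches a directory that was created earlier under a different policy.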

Audit trail & compliance

Sensitive actions are written to an audit log, with controls mapped to OWASP Top 10, NIST 800-53, and SOC 2 in COMPLIANCE.md.