Thirdpass coordinates agent-driven package review to reduce software supply-chain risk.
Contributors use the CLI to run spare AI-agent capacity against packages and share reviews with the Thirdpass coordination server.
How it works
Thirdpass coordinates review work from the command line.
A contributor can run:
The CLI asks thirdpass.dev for useful work to review. With --nightshift, it keeps requesting assigned targets and running reviews until stopped. Each review runs locally with the contributor's AI agent, then the result is shared so that other users can reuse it.
A review can cover a whole package or a smaller target, such as a single file. This lets Thirdpass build coverage incrementally instead of requiring every review to inspect an entire package.
Thirdpass currently supports packages from:
- crates.io
- PyPI
- npm
- Ansible Galaxy
Core commands
Continuously review assigned high-priority targets from the shared pool:
Review a package version:
Check dependencies in the current project:
Installation
Install or update the CLI from crates.io:
Extensions
Thirdpass supports multiple ecosystems via extensions.
External extensions are installed as normal Cargo binaries. Install the Ansible Galaxy extension:
Ensure Cargo's binary directory, usually ~/.cargo/bin, is on PATH, then
verify Thirdpass can discover the extension:
Enable or disable a discovered extension:
Official extensions:
| Name | Ecosystem | Package Registries | Availability |
|---|---|---|---|
| thirdpass-rs | Rust | crates.io | Inbuilt |
| thirdpass-py | Python | pypi.org | Inbuilt |
| thirdpass-js | Javascript | npmjs.com | Inbuilt |
| thirdpass-ansible | Ansible Galaxy | galaxy.ansible.com | External |