Breach Notifications
The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
A breach notification is sent when a security advisory is published for a package that you previously downloaded through Takumi Guard. This can happen when a package that was considered safe at the time of download is later found to be malicious or compromised.
How You Receive Notifications
Notification delivery depends on how you use Takumi Guard.
Email-Verified Users
If you authenticated with an email-verified token when you downloaded the package, Takumi Guard sends an email notification to your registered address. The email includes:
- The package name and version you downloaded
- When you downloaded it
- Why it was flagged (malware type or vulnerability description)
- Recommended action (remove the package, audit your environment, etc.)
No action is required on your part to enable this — breach notifications are automatic for all email-verified tokens.
GitHub Actions + Bot ID Users
For downloads attributed to a bot identity linked to a Shisho Cloud organization via GitHub Actions, organization-level webhook notifications will be available in the future. Webhook destinations and authentication settings will be configurable from the Shisho Cloud console. Until that ships, downloads made with a bot identity are attributed to it, but there is no notification channel for them yet.
Other Cases
If you use Takumi Guard anonymously (without authentication), downloads are not attributed to any identity, so you cannot receive breach notifications. To receive notifications, set up email registration or Bot ID integration with GitHub Actions.
Notification Flow
When a new advisory is published:
- Takumi Guard queries the download history for the affected package and the versions named in the advisory.
- It identifies all tokens that downloaded an affected version before the advisory was published.
- For each affected token, it sends a notification to the associated destination (email address, etc.). Tokens without a destination (anonymous use, or a bot identity before webhooks are available) cannot be notified.
Only tarball downloads (.tgz) are recorded; metadata requests (viewing package information without installing) are not. A notification therefore means the package's code was actually fetched into your environment, not merely looked up.
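The three steps above, modelled end to end as an added example. This is illustrative code written for this page, not Takumi Guard's implementation: the record and data-class names (`Download`, `Advisory`, `record_request`, `build_notifications`, `render_email`), the assumption that an advisory names exact affected versions rather than ranges, and the sample request history are all constructed for the example. It also shows the two cases the page calls out that a notification job has to handle: metadata lookups never enter the history, and affected downloads with no delivery destination (anonymous, or a bot identity with no webhook yet) are reported as unreachable rather than silently dropped.

```python
# Added example: breach-notification matching as described on this page.
# Not Takumi Guard's code; all names and the sample history are assumptions.
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Download:
    token_id: Optional[str]     # None for anonymous (unauthenticated) requests
    destination: Optional[str]  # email address, or None when no delivery channel exists
    package: str
    version: str
    kind: str                   # "tarball" (.tgz fetch) or "metadata" (package info only)
    at: datetime


@dataclass(frozen=True)
class Advisory:
    package: str
    affected_versions: frozenset  # assumption: exact versions, not semver ranges
    reason: str                   # malware type or vulnerability description
    published_at: datetime


@dataclass
class Notification:
    token_id: str
    destination: str
    reason: str
    downloads: List[Tuple[str, datetime]] = field(default_factory=list)


def record_request(history: List[Download], req: Download) -> bool:
    """Only tarball (.tgz) fetches enter the download history; metadata lookups are dropped."""
    if req.kind != "tarball":
        return False
    history.append(req)
    return True


def affected_downloads(history: List[Download], adv: Advisory) -> List[Download]:
    """Steps 1 and 2: affected package/version, fetched before the advisory was published."""
    return [
        d for d in history
        if d.package == adv.package
        and d.version in adv.affected_versions
        and d.at < adv.published_at   # later fetches are a blocking concern, not a breach
    ]


def build_notifications(history: List[Download], adv: Advisory):
    """Step 3: one notification per token with a destination; the rest are 'unreachable'."""
    by_token = {}
    unreachable: List[Download] = []
    for d in affected_downloads(history, adv):
        if d.token_id is None or d.destination is None:
            unreachable.append(d)       # anonymous, or bot identity without a webhook yet
            continue
        note = by_token.get(d.token_id)
        if note is None:
            note = by_token[d.token_id] = Notification(d.token_id, d.destination, adv.reason)
        note.downloads.append((d.version, d.at))
    return list(by_token.values()), unreachable


def render_email(note: Notification, adv: Advisory) -> str:
    """The fields the page says an email carries: package@version, when, why, what to do."""
    lines = [f"Breach notification for {adv.package}", ""]
    for version, at in note.downloads:
        lines.append(f"- {adv.package}@{version} downloaded {at.isoformat()}")
    lines += ["", f"Reason: {adv.reason}",
              "Recommended action: remove the package and audit the environments that installed it."]
    return "\n".join(lines)


# Constructed sample data (not real packages, tokens or addresses).
def ts(day: int) -> datetime:
    return datetime(2024, 5, day, tzinfo=timezone.utc)

ADVISORY = Advisory("example-widget", frozenset({"1.2.3", "1.2.4"}),
                    "malware: credential stealer in postinstall script", ts(10))

REQUESTS = [
    Download("tok-alice", "alice@example.com", "example-widget", "1.2.3", "tarball", ts(3)),
    Download("tok-alice", "alice@example.com", "example-widget", "1.2.4", "tarball", ts(5)),
    Download("tok-alice", "alice@example.com", "example-widget", "1.2.4", "metadata", ts(6)),  # not recorded
    Download("tok-bob", "bob@example.com", "example-widget", "1.1.0", "tarball", ts(4)),        # unaffected version
    Download("tok-bob", "bob@example.com", "other-pkg", "1.2.3", "tarball", ts(4)),             # other package
    Download(None, None, "example-widget", "1.2.3", "tarball", ts(7)),                          # anonymous
    Download("bot-ci-42", None, "example-widget", "1.2.3", "tarball", ts(8)),                   # bot id, no webhook
    Download("tok-dave", "dave@example.com", "example-widget", "1.2.3", "tarball", ts(11)),     # after publication
]

HISTORY: List[Download] = []
for r in REQUESTS:
    record_request(HISTORY, r)

if __name__ == "__main__":
    notes, unreachable = build_notifications(HISTORY, ADVISORY)
    for n in notes:
        print(render_email(n, ADVISORY), "\n")
    print(f"{len(unreachable)} affected download(s) with no destination")
```

Running it yields a single email for tok-alice listing both affected versions, while the anonymous fetch and the bot-identity fetch are counted as unreachable; the download made after publication is not treated as a breach at all.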