Package Installation Logs
The English user guide is currently in beta preview. Most of the documents have been automatically translated from the Japanese version. Should you find any inaccuracies, please reach out to Flatt Security.
This feature requires an active Takumi subscription with Guard enabled. See Pricing & Billing for details.
Package installation logs record every package download that passes through the Takumi Guard registry proxy. This gives your organization a searchable audit trail of all package installations across CI/CD pipelines and developer machines.

What Is Logged
Each log entry includes:
| Field | Description |
|---|---|
| Timestamp | When the download occurred |
| Package | Package name and version |
| Ecosystem | npm or PyPI |
| Principal | Who initiated the download (organization, bot, or anonymous) |
| Status | Whether the download was allowed or blocked |

Viewing Logs
Navigate to Guard > Logs in the Shisho Cloud console. You can search by package name, filter by ecosystem (npm / PyPI), and specify a date range.

Use Cases
- Incident response: When a package is flagged as malicious, quickly identify which pipelines installed it and when.
- Compliance auditing: Maintain a record of all third-party dependencies consumed by your organization.
- Supply chain visibility: Understand which packages are being installed across your organization and spot unusual patterns.

Retention
Installation log data is searchable for up to 14 days from the date of recording.
After the 14-day searchable period, log data is retained solely for breach notification purposes. Log data older than 90 days may be deleted.
When a subscription is cancelled, log data is deleted in accordance with the terms of service.
If you would like to extend the retention period, please contact your account manager. Depending on your contract and usage, we may not be able to accommodate all requests.