Install-Time Control is a security measure that checks, warns about, or blocks software before it is added to a project or environment. Instead of waiting for a scanner to find problems after deployment, the control acts at the moment a developer installs a package, plugin, or dependency.
This matters because many supply-chain attacks begin with a risky dependency: typosquatted packages, malicious updates, or libraries with known vulnerabilities. By enforcing policy before installation, defenders can stop dangerous code from entering developer machines, CI systems, or production build pipelines. In practice, install-time controls may compare packages against allowlists, reputation data, vulnerability rules, or signed metadata, and they may route uncertain cases to review. They are especially useful when teams use large open-source ecosystems, where manual review of every dependency is impossible. The goal is simple: reduce exposure early, before untrusted software becomes part of the build.



