
A Python dependency governance tool

Project description

OceanCrow_PDG - Python Dependency Governance Tool

Overview

OceanCrow_PDG is a Python package that combines dependency installation, security vulnerability scanning, license compliance checking, and a dependency governance system based on digital signing. Inspired by the secure collaboration features of OceanCrow-RedPill, it ensures that only approved and secure dependencies are integrated into your Python projects.

Key Features

  • Dependency Management: Install and resolve dependencies with ease.
  • Security Scanning: Detect vulnerabilities using the safety tool.
  • License Compliance: Verify licenses against a configurable allowlist.
  • Dependency Governance: Require dependencies to be reviewed, approved, and digitally signed using RSA key pairs, preventing unvetted packages from being used.
  • Strict Mode: Enforce approval checks before installation.

Installation

  1. Ensure you have Python 3.7+ installed.
  2. Install OceanCrow_PDG via PyPI:

pip install OceanCrow_PDG

Alternatively, clone the repository and install locally:

git clone https://github.com/OceanCrow-TT/OceanCrow_PDG.git
cd OceanCrow_PDG
pip install .

Usage

Initialize the Project

Set up the project with a key pair and configuration:

pdg init

Enter a passphrase when prompted to generate RSA keys and initialize the approval list.

Review a Package

Check a package and its dependencies for security and license issues:

pdg review requests==2.25.1

Outputs a report on vulnerabilities and license compliance.

Approve a Package

Sign and approve a package and its dependencies:

pdg approve requests==2.25.1

Enter the passphrase to sign the dependencies.

Install a Package

Install a package only if all dependencies are approved:

pdg install requests==2.25.1

In strict mode, unapproved dependencies block installation unless reviewed and approved.

Configuration

The tool uses a .pdg/pdg_config.json file to store settings:

  • allowed_licenses: List of acceptable licenses (e.g., ["MIT", "Apache-2.0"]).
  • strict_mode: Boolean to enforce approval checks (default: True).

Edit this file to customize your project's policies.
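The init/approve/install workflow above and the allowed_licenses / strict_mode settings in pdg_config.json can be modelled in a few functions. The following is an added example written for this page, not OceanCrow_PDG's own code: all function names are assumptions, the approval list is an in-memory dict instead of files under .pdg/, RSA-PSS with SHA-256 is an assumed choice (the README only says "RSA key pairs"), and the pins and licenses in the sample are constructed values. The point it demonstrates is that signing the exact pin together with the reviewed license means a bumped version, an edited approval entry or a different signing key all fail verification, and that strict_mode decides whether an unapproved pin blocks the install or is merely reported.

```python
from __future__ import annotations

import json

from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes, serialization
from cryptography.hazmat.primitives.asymmetric import padding, rsa

# Constructed sample policy using the two keys the README documents for
# .pdg/pdg_config.json; the real tool reads this from disk.
SAMPLE_CONFIG = {"allowed_licenses": ["MIT", "Apache-2.0"], "strict_mode": True}

# RSA-PSS with SHA-256 is an assumption of this example; the README only
# states that RSA key pairs are used.
_PSS = padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH)
_HASH = hashes.SHA256()


def init_keys(passphrase: bytes) -> tuple[bytes, bytes]:
    """Model of 'pdg init': generate an RSA key pair and return
    (passphrase-encrypted private key PEM, public key PEM)."""
    private_key = rsa.generate_private_key(public_exponent=65537, key_size=2048)
    private_pem = private_key.private_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PrivateFormat.PKCS8,
        encryption_algorithm=serialization.BestAvailableEncryption(passphrase),
    )
    public_pem = private_key.public_key().public_bytes(
        encoding=serialization.Encoding.PEM,
        format=serialization.PublicFormat.SubjectPublicKeyInfo,
    )
    return private_pem, public_pem


def _approval_message(pin: str, license_name: str) -> bytes:
    """Canonical bytes that get signed: the exact pin and the license that was
    reviewed, so editing either field in the approval list breaks the signature."""
    return json.dumps({"pin": pin, "license": license_name}, sort_keys=True).encode()


def license_allowed(config: dict, license_name: str) -> bool:
    """License compliance check against the allowed_licenses allowlist."""
    return license_name in config["allowed_licenses"]


def approve(approvals: dict, private_pem: bytes, passphrase: bytes,
            pin: str, license_name: str, config: dict) -> dict:
    """Model of 'pdg approve': refuse disallowed licenses, otherwise sign the
    exact pin (name==version) and record it in the approval list."""
    if not license_allowed(config, license_name):
        raise ValueError(f"{pin}: license {license_name!r} is not in allowed_licenses")
    # Wrong passphrase: load_pem_private_key raises, so nothing gets signed.
    private_key = serialization.load_pem_private_key(private_pem, password=passphrase)
    signature = private_key.sign(_approval_message(pin, license_name), _PSS, _HASH)
    approvals[pin] = {"license": license_name, "signature": signature.hex()}
    return approvals


def verify_pin(approvals: dict, public_pem: bytes, pin: str) -> bool:
    """True only if the approval list holds an entry for this exact pin whose
    signature verifies under the project's public key."""
    entry = approvals.get(pin)
    if entry is None:
        return False
    public_key = serialization.load_pem_public_key(public_pem)
    try:
        public_key.verify(bytes.fromhex(entry["signature"]),
                          _approval_message(pin, entry["license"]), _PSS, _HASH)
    except InvalidSignature:
        return False
    return True


def install_allowed(approvals: dict, public_pem: bytes, pins: list,
                    config: dict) -> tuple[bool, list]:
    """Model of the 'pdg install' gate over the fully resolved pin set.
    Returns (may_install, unapproved_pins): in strict mode any unapproved pin
    blocks the install, otherwise the unapproved pins are only reported."""
    unapproved = [p for p in pins if not verify_pin(approvals, public_pem, p)]
    return (not unapproved or not config["strict_mode"]), unapproved


if __name__ == "__main__":
    priv, pub = init_keys(b"example-passphrase")
    approvals = approve({}, priv, b"example-passphrase",
                        "requests==2.25.1", "Apache-2.0", SAMPLE_CONFIG)
    # urllib3 pin is constructed and was never approved, so strict mode blocks.
    print(install_allowed(approvals, pub, ["requests==2.25.1", "urllib3==1.26.5"],
                          SAMPLE_CONFIG))
```

The gate has to run over the fully resolved pin set (what pip-tools produces), not just the package named on the command line, otherwise a transitive dependency that was never reviewed slips through; that is why `install_allowed` takes the whole list of pins.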

Dependencies

  • click: For the command-line interface.
  • cryptography: For digital signing.
  • requests: To fetch PyPI metadata.
  • pip-tools: For dependency resolution.
  • safety: For security scanning.

Install them via requirements.txt:

pip install -r requirements.txt

Development

  1. Clone the repo: git clone https://github.com/OceanCrow-TT/OceanCrow_PDG.git
  2. Install development dependencies: pip install -r requirements.txt
  3. Run tests: python -m unittest discover tests

Contributing

See CONTRIBUTING.md for guidelines on how to contribute.

License

This project is licensed under the MIT License. See LICENSE.txt for details.

Author

Sheldon K Salmon (OceanCrowtt@gmail.com)

Acknowledgments

  • Built with assistance from Grok 3 by xAI.
  • Inspired by the success of OceanCrow-RedPill.

Version

Current: 0.1.1


Download files


Source Distribution

oceancrow_pdg-0.1.1.tar.gz (11.3 kB)

Built Distribution


oceancrow_pdg-0.1.1-py3-none-any.whl (11.1 kB)

File details

Details for the file oceancrow_pdg-0.1.1.tar.gz.

File metadata

  • Download URL: oceancrow_pdg-0.1.1.tar.gz
  • Upload date:
  • Size: 11.3 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.12.9

File hashes

Hashes for oceancrow_pdg-0.1.1.tar.gz:

  • SHA256: fa61520e0ef62e5253ed0aa8ff5aa558174c6ef71652d0a8ba4a0cdae774601b
  • MD5: 4a25f1baead43dcd5e9589764aab1ea3
  • BLAKE2b-256: 410d5656066aa7ec6c4fc594084e989fe22462ed555aa51b4bd503ac4bd6a14c


File details

Details for the file oceancrow_pdg-0.1.1-py3-none-any.whl.

File metadata

  • Download URL: oceancrow_pdg-0.1.1-py3-none-any.whl
  • Upload date:
  • Size: 11.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.1.0 CPython/3.12.9

File hashes

Hashes for oceancrow_pdg-0.1.1-py3-none-any.whl:

  • SHA256: 5c3e2c116485f069620e1e1fe5d0eb8e58db84f7caff7f1c5c9c195627305917
  • MD5: 6962db030e1ebfe51a18fa8a00f520bd
  • BLAKE2b-256: e2eb33d60c583b855a2991863f424cad161deba603dea15facd580440f7b3f33
