boomgate 0.0.1a3

A software supply chain risk management tool

Boomgate

Identify and mitigate the risks of using third-party libraries.

---

This project is not remotely ready for anyone to look at, let alone use. It is in a very early proof-of-concept stage, focusing on iterative research and development. I have not settled on the project's architecture, and I am still exploring the problem space. As such, the quality of the code is very poor, and things are guaranteed to change.

I will not provide support, nor will I accept PRs at this time.

---

Vision

I intend for Boomgate to allow you to define a policy for your project that describes the risks you are willing to accept when using third-party libraries. Boomgate will evaluate your project's dependencies against this policy, report on any risks that you deem unacceptable, and—also per your defined policy—suggest mitigation strategies.

For example, you may decide that you are not willing to use a dependency if its author's email address's domain is not registered (i.e. DNS returns NXDOMAIN), or you may decide that all dependencies (barring a list of excepted 'trusted' dependencies) require a security audit before they can be used.

In this example, Boomgate can be configured to block your project's CI/CD pipeline if one of these conditions is met by your project's resolved dependencies.

See my rough list of idea in the GitHub issues list.

Developing

Clone the repository and run the following command:

uv pip install -e . -r pyproject.toml --extra=dev --extra=docs

This will install the project in editable mode with all development dependencies.

Running tests

pytest