
Local-first supply chain vulnerability scanner for project, system, and extensions.

Project description

Supply Chain Scanner

Local-first vulnerability scanner for project dependencies, developer tools, and IDE extensions.
Uses multi-source intelligence (OSV, NVD, GHSA, Sonatype) with KEV/EPSS prioritization.

No API key required for default usage.

Public repo: https://github.com/DevInder1/supply-chain-scanner-public


Install (plug and play)

Python (recommended)

pip install devinder-supply-chain-scanner
supply-chain-scanner --scan all --project-path . --output-dir scanner-output

npm (Node wrapper)

Requires Python 3.10+ and the pip package above.

npm install -g @devinder1/supply-chain-scanner-cli
supply-chain-scanner --scan project --project-path .

Use in your own Python app

from scanner import run_scan

summary = run_scan(
    project_path=".",
    scan="all",
    run_profile="full",  # no API key required
    output_dir="scanner-output",
)
print(summary["summary"])

Scan profiles

Profile         Description
full (default)  Project + system + extensions. OSV + NVD without keys.
quick           Faster project-focused scan.
offline         Local advisory DB only, no network.
Power-user      Add GITHUB_TOKEN, NVD_API_KEY, optional SONATYPE_TOKEN for best coverage.

Desktop app

cd apps/desktop
npm install
npm run start

Development

git clone https://github.com/DevInder1/supply-chain-scanner-public.git
cd supply-chain-scanner-public
python3 -m pip install -e .
supply-chain-scanner --help
python3 -m unittest scanner.tests.test_matcher_ranges -v

CLI contract: docs/cli-contract.md
Publishing: docs/PUBLISHING.md


Optional API keys (power users)

Variable         Purpose
NVD_API_KEY      Higher NVD rate limits
GITHUB_TOKEN     GHSA advisories
SONATYPE_TOKEN   Sonatype Guide advisories

Set in .env or environment variables.


License

MIT — see LICENSE

Download files


Source Distributions

No source distribution files available for this release.

Built Distribution


devinder_supply_chain_scanner-0.1.0-py3-none-any.whl (92.1 kB)

Uploaded: Python 3

File details

Details for the file devinder_supply_chain_scanner-0.1.0-py3-none-any.whl.

File hashes

Hashes for devinder_supply_chain_scanner-0.1.0-py3-none-any.whl

Algorithm    Hash digest
SHA256       4d501895b5768285033e08ad2d1faae901505dc0a9bf92525f642b2765a22bf4
MD5          e1ed56efa0b1569dfb1417807dc2ee63
BLAKE2b-256  015450dcae58983b2c41db0d10bfd51553f759e1de982784b5e27dc57dc53382

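As an added example, not part of the project's README or code, the script below checks a downloaded wheel against the SHA256 and BLAKE2b-256 digests listed above before installation and emits a requirements line that pip enforces under `--require-hashes`. PyPI's BLAKE2b-256 is `hashlib.blake2b` with a 32-byte digest; the function names (`digests`, `verify`, `verify_file`, `hashed_requirement`) are mine.

```python
"""Check a downloaded wheel against the digests published for it (added example)."""
import hashlib
import hmac
import sys

# Digests listed on this page for devinder_supply_chain_scanner-0.1.0-py3-none-any.whl.
# MD5 is also listed but deliberately not used: it offers no collision resistance.
PUBLISHED = {
    "sha256": "4d501895b5768285033e08ad2d1faae901505dc0a9bf92525f642b2765a22bf4",
    "blake2b_256": "015450dcae58983b2c41db0d10bfd51553f759e1de982784b5e27dc57dc53382",
}


def digests(data: bytes) -> dict:
    """Compute the two digests PyPI shows; BLAKE2b-256 is blake2b with digest_size=32."""
    return {
        "sha256": hashlib.sha256(data).hexdigest(),
        "blake2b_256": hashlib.blake2b(data, digest_size=32).hexdigest(),
    }


def verify(data: bytes, published: dict = PUBLISHED) -> list:
    """Return the algorithms whose digest does not match; an empty list means verified.

    Every listed algorithm must match, so a file cannot pass by matching only one
    digest. Constant-time comparison avoids leaking how much of a digest matched.
    """
    got = digests(data)
    return sorted(alg for alg, want in published.items()
                  if not hmac.compare_digest(got[alg], want.lower()))


def hashed_requirement(name: str, version: str, data: bytes) -> str:
    """Build a requirements.txt line that pip checks under --require-hashes."""
    return f"{name}=={version} --hash=sha256:{digests(data)['sha256']}"


def verify_file(path: str, published: dict = PUBLISHED) -> list:
    """Read a downloaded wheel from disk and verify it in one call."""
    with open(path, "rb") as fh:
        return verify(fh.read(), published)


if __name__ == "__main__":
    # Usage: python verify_wheel.py devinder_supply_chain_scanner-0.1.0-py3-none-any.whl
    bad = verify_file(sys.argv[1])
    if bad:
        sys.exit(f"digest mismatch for {', '.join(bad)}; do not install this file")
    print("all published digests match")
```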
