A powerful CLI tool to secure your software supply chain by analyzing dependencies for trust, security risks, and quality signals
Project description
GardWatch 🛡️
GardWatch is a powerful CLI tool designed to secure your software supply chain by analyzing dependencies for trust, security risks, and quality signals. It goes beyond simple vulnerability scanning by evaluating the "health" and "trustworthiness" of a package using a composite scoring system.
Key Features
- Multi-Ecosystem Support: Analyzes packages from PyPI (Python), npm (JavaScript), Go, Cargo (Rust), Maven (Java), and NuGet (.NET).
- Trust Scoring Engine: Assigns a score (0-100) based on multiple factors:
- Malware Detection: Checks against known malicious package databases.
- Age & Maturity: Rewards established packages, flags suspicious "brand new" uploads.
- downloads Popularity: Context-aware scoring based on download counts (identifies critical infrastructure vs. obscure packages).
- Security Best Practices: Integrates OpenSSF Scorecard data.
- Metadata Quality: Checks for valid repository links, descriptions, and consistent versioning.
- Threat Detection: Identifies typosquatting, namespace squatting, and homoglyph attacks.
- Deep Code Scan: Optional feature to download and scan the source code of a package for suspicious patterns (e.g., obfuscated code, network calls).
- Broad Input Support: Parses
requirements.txt,package.json,Pipfile,go.mod,Cargo.toml,pom.xml,*.csproj, and CycloneDX SBOMs.
Installation
GardWatch requires Python 3.12+.
Option 1: Install via pip (Recommended)
# Install from source
pip install git+https://github.com/GarderaSecurity/gardwatch.git
# Or clone and install locally
git clone https://github.com/GarderaSecurity/gardwatch.git
cd gardwatch
pip install .
# For development installation (editable)
pip install -e .
Option 2: Using Pipenv (Development)
# Clone the repository
git clone https://github.com/GarderaSecurity/gardwatch.git
cd gardwatch
# Install dependencies
pipenv install
Usage
1. Analyze Dependency Files
Scan your project's dependency files to get a full health report.
# Analyze a Python requirements file
gardwatch analyze requirements.txt
# Analyze a Node.js package.json
gardwatch analyze package.json
# Analyze multiple files
gardwatch analyze requirements.txt package.json Cargo.toml
Options:
--deep: Enable deep source code scanning (downloads packages to temp dir).--sbom: Force treating the input file as a CycloneDX SBOM.--verbose: Enable debug logging (useful for troubleshooting network issues).
2. Quick Package Scan
Check a single package before you install it.
# Check a PyPI package
gardwatch scan requests --pypi
# Check an npm package
gardwatch scan react --npm
# Check a Rust crate
gardwatch scan serde --cargo
Supported Flags: --pypi, --npm, --go, --cargo, --maven, --nuget.
How It Works
GardWatch aggregates data from multiple sources, including deps.dev, pypistats.org, npmjs.org, and ecosystem-specific registries. It applies a set of heuristic checks to generate a report:
| Check | Impact | Description |
|---|---|---|
| Malware | ⛔ CRITICAL | Immediate failure if package matches known malware. |
| Typosquatting | ⛔ CRITICAL | Flags names deceptively similar to popular packages. |
| Age | +20 pts | Mature packages (>1 year) gain trust. Very young packages may be penalized. |
| Downloads | +30 pts | High download counts indicate community vetting and popularity. |
| Security Score | +20 pts | High OpenSSF Scorecard rating (e.g., Code Review, Branch Protection). |
| Repository | +10 pts | Links to a valid source code repository. |
🛡️ License
MIT
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file gardwatch-0.1.0.tar.gz.
File metadata
- Download URL: gardwatch-0.1.0.tar.gz
- Upload date:
- Size: 29.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
3c59fafa8d8ca8263c929d129e146b3d8b3e9980837ec7db3e8457ade459c222
|
|
| MD5 |
5acddeae8adaa1810e2923ef621d39fd
|
|
| BLAKE2b-256 |
bfd36313c87588c9822ed41966912c340bef8ed3782737ff4ab646dcb0746605
|
Provenance
The following attestation bundles were made for gardwatch-0.1.0.tar.gz:
Publisher:
publish.yaml on GarderaSecurity/gardwatch
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
gardwatch-0.1.0.tar.gz -
Subject digest:
3c59fafa8d8ca8263c929d129e146b3d8b3e9980837ec7db3e8457ade459c222 - Sigstore transparency entry: 1310279951
- Sigstore integration time:
-
Permalink:
GarderaSecurity/gardwatch@2fec81019373c43a5bd218f89405ca1362d0b6d0 -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/GarderaSecurity
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yaml@2fec81019373c43a5bd218f89405ca1362d0b6d0 -
Trigger Event:
push
-
Statement type:
File details
Details for the file gardwatch-0.1.0-py3-none-any.whl.
File metadata
- Download URL: gardwatch-0.1.0-py3-none-any.whl
- Upload date:
- Size: 33.5 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.12
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
e98e491f82372c7f550b4ebaf59a3f86ff81e53a6630ee937e79d7638f15ac43
|
|
| MD5 |
8af6723d2264de360c97146f69c277d1
|
|
| BLAKE2b-256 |
1dd6896d5bcf99486f117a4cd78e78ee3305a84dbed7dbec98dfefff3f527b18
|
Provenance
The following attestation bundles were made for gardwatch-0.1.0-py3-none-any.whl:
Publisher:
publish.yaml on GarderaSecurity/gardwatch
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
gardwatch-0.1.0-py3-none-any.whl -
Subject digest:
e98e491f82372c7f550b4ebaf59a3f86ff81e53a6630ee937e79d7638f15ac43 - Sigstore transparency entry: 1310280074
- Sigstore integration time:
-
Permalink:
GarderaSecurity/gardwatch@2fec81019373c43a5bd218f89405ca1362d0b6d0 -
Branch / Tag:
refs/tags/v0.1.0 - Owner: https://github.com/GarderaSecurity
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yaml@2fec81019373c43a5bd218f89405ca1362d0b6d0 -
Trigger Event:
push
-
Statement type: