Skip to main content

A powerful CLI tool to secure your software supply chain by analyzing dependencies for trust, security risks, and quality signals

Project description

GardWatch

GardWatch 🛡️

GardWatch is a powerful CLI tool designed to secure your software supply chain by analyzing dependencies for trust, security risks, and quality signals. It goes beyond simple vulnerability scanning by evaluating the "health" and "trustworthiness" of a package using a composite scoring system.

Key Features

  • Multi-Ecosystem Support: Analyzes packages from PyPI (Python), npm (JavaScript), Go, Cargo (Rust), Maven (Java), and NuGet (.NET).
  • Trust Scoring Engine: Assigns a score (0-100) based on multiple factors:
    • Malware Detection: Checks against known malicious package databases.
    • Age & Maturity: Rewards established packages, flags suspicious "brand new" uploads.
    • downloads Popularity: Context-aware scoring based on download counts (identifies critical infrastructure vs. obscure packages).
    • Security Best Practices: Integrates OpenSSF Scorecard data.
    • Metadata Quality: Checks for valid repository links, descriptions, and consistent versioning.
    • Threat Detection: Identifies typosquatting, namespace squatting, and homoglyph attacks.
  • Deep Code Scan: Optional feature to download and scan the source code of a package for suspicious patterns (e.g., obfuscated code, network calls).
  • Broad Input Support: Parses requirements.txt, package.json, Pipfile, go.mod, Cargo.toml, pom.xml, *.csproj, and CycloneDX SBOMs.

Installation

GardWatch requires Python 3.12+.

Option 1: Install via pip (Recommended)

# Install from source
pip install git+https://github.com/GarderaSecurity/gardwatch.git

# Or clone and install locally
git clone https://github.com/GarderaSecurity/gardwatch.git
cd gardwatch
pip install .

# For development installation (editable)
pip install -e .

Option 2: Using Pipenv (Development)

# Clone the repository
git clone https://github.com/GarderaSecurity/gardwatch.git
cd gardwatch

# Install dependencies
pipenv install

Usage

1. Analyze Dependency Files

Scan your project's dependency files to get a full health report.

# Analyze a Python requirements file
gardwatch analyze requirements.txt

# Analyze a Node.js package.json
gardwatch analyze package.json

# Analyze multiple files
gardwatch analyze requirements.txt package.json Cargo.toml

Options:

  • --deep: Enable deep source code scanning (downloads packages to temp dir).
  • --sbom: Force treating the input file as a CycloneDX SBOM.
  • --verbose: Enable debug logging (useful for troubleshooting network issues).

2. Quick Package Scan

Check a single package before you install it.

# Check a PyPI package
gardwatch scan requests --pypi

# Check an npm package
gardwatch scan react --npm

# Check a Rust crate
gardwatch scan serde --cargo

Supported Flags: --pypi, --npm, --go, --cargo, --maven, --nuget.

How It Works

GardWatch aggregates data from multiple sources, including deps.dev, pypistats.org, npmjs.org, and ecosystem-specific registries. It applies a set of heuristic checks to generate a report:

Check Impact Description
Malware CRITICAL Immediate failure if package matches known malware.
Typosquatting CRITICAL Flags names deceptively similar to popular packages.
Age +20 pts Mature packages (>1 year) gain trust. Very young packages may be penalized.
Downloads +30 pts High download counts indicate community vetting and popularity.
Security Score +20 pts High OpenSSF Scorecard rating (e.g., Code Review, Branch Protection).
Repository +10 pts Links to a valid source code repository.

🛡️ License

MIT

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

gardwatch-0.1.2.tar.gz (29.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

gardwatch-0.1.2-py3-none-any.whl (33.7 kB view details)

Uploaded Python 3

File details

Details for the file gardwatch-0.1.2.tar.gz.

File metadata

  • Download URL: gardwatch-0.1.2.tar.gz
  • Upload date:
  • Size: 29.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for gardwatch-0.1.2.tar.gz
Algorithm Hash digest
SHA256 db0fa7feee2800e8898772873e9b139cc39baec24efc613835a6acf7126438ed
MD5 79a5b4d46529e4c3d6029c4020e42421
BLAKE2b-256 7d07684c907bc53fe94fcbb2ee2ef7b68d3ce1b8d16f6230ae09301db01dc2fe

See more details on using hashes here.

Provenance

The following attestation bundles were made for gardwatch-0.1.2.tar.gz:

Publisher: publish.yaml on GarderaSecurity/gardwatch

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file gardwatch-0.1.2-py3-none-any.whl.

File metadata

  • Download URL: gardwatch-0.1.2-py3-none-any.whl
  • Upload date:
  • Size: 33.7 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for gardwatch-0.1.2-py3-none-any.whl
Algorithm Hash digest
SHA256 695513b5159c04f273556d4f47f59c82a7e9496600ec11a675312e88314912a6
MD5 0b02ee21e3f9a36224b25cb33cb4214b
BLAKE2b-256 ece7da1ca912c402ac56c7fe863e1c2457401e03e838c80f39541a1567753d50

See more details on using hashes here.

Provenance

The following attestation bundles were made for gardwatch-0.1.2-py3-none-any.whl:

Publisher: publish.yaml on GarderaSecurity/gardwatch

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page