Security auditor for LLM library supply chains - detects compromised PyPI packages

litellm-supply-chain-auditor

Scan Python projects for compromised LLM dependencies. Think npm audit for your AI stack.

What is this?

A CLI tool and GitHub Action that detects malicious or compromised versions of popular LLM libraries (LiteLLM, LangChain, LlamaIndex) in your Python projects. It verifies package integrity against known-good hashes, cross-references against CVE databases, and generates detailed security audit reports—all designed to address the real supply chain vulnerabilities affecting AI teams today.

Features

  • Dependency Scanning: Analyzes requirements.txt, pyproject.toml, and poetry.lock files
  • Hash Verification: Validates package integrity against PyPI records and historical snapshots
  • CVE Detection: Real-time integration with GitHub Advisory Database for known compromises
  • Blast Radius Analysis: Visualize dependency trees to understand the impact of compromised packages
  • GitHub Action: Drop-in CI/CD integration for continuous monitoring
  • Security Reports: Generate detailed audit reports with remediation guidance
  • Pre-commit Hook: Catch vulnerable dependencies before they're committed
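
The kind of check the Dependency Scanning and Hash Verification features describe, as an added illustration that is not the project's own code. It compares against sha256 pins in requirements.txt rather than querying PyPI; the function names, finding labels and sample input are assumptions constructed for this example.

```python
import hashlib
import re
# PyPI-normalized names for the packages in the page's "Monitored Packages" list.
MONITORED = {"litellm", "langchain", "llama-index"}
_REQ = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)\s*(?:\[[^\]]*\])?\s*(?:==\s*([^\s;]+))?")
_HASH = re.compile(r"--hash=sha256:([0-9a-fA-F]{64})")

def normalize(name):
    """PEP 503 normalization: runs of '-', '_', '.' become one '-', lowercased."""
    return re.sub(r"[-_.]+", "-", name).lower()

def parse_requirements(text):
    """Map each monitored package to (exact version or None, set of sha256 pins)."""
    # Join backslash continuations so --hash options stay with their requirement.
    joined = re.sub(r"\\\s*\n", " ", text)
    found = {}
    for line in joined.splitlines():
        line = line.split(" #", 1)[0].strip()
        if not line or line.startswith(("#", "-")):
            continue  # blank lines, comments, options such as -r or --index-url
        m = _REQ.match(line)
        if m and normalize(m.group(1)) in MONITORED:
            pins = {h.lower() for h in _HASH.findall(line)}
            found[normalize(m.group(1))] = (m.group(2), pins)
    return found

def audit(text, artifacts):
    """artifacts maps package name to downloaded file bytes; returns (name, finding) pairs."""
    findings = []
    for name, (version, pins) in sorted(parse_requirements(text).items()):
        if version is None:
            findings.append((name, "unpinned-version"))
        if not pins:
            findings.append((name, "no-hash-pin"))
        elif name in artifacts and hashlib.sha256(artifacts[name]).hexdigest() not in pins:
            findings.append((name, "hash-mismatch"))
    return findings

# Constructed sample input: placeholder artifact bytes and a requirements file.
GOOD = b"constructed wheel bytes"
SAMPLE = (
    "litellm==1.0.0 \\\n"
    f"    --hash=sha256:{hashlib.sha256(GOOD).hexdigest()}\n"
    "langchain>=0.1  # range, no hash\n"
    "requests==2.31.0\n"
)
if __name__ == "__main__":
    print(audit(SAMPLE, {"litellm": GOOD}))         # untampered artifact
    print(audit(SAMPLE, {"litellm": b"tampered"}))  # modified artifact
```

A package with hash pins but no local artifact supplied is reported as clean here, so the mismatch check only covers files you actually pass in.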

Quick Start

Installation

pip install litellm-supply-chain-auditor

Basic Usage

# Scan your project
litellm-auditor scan

# Scan a specific directory
litellm-auditor scan --path /path/to/project

# Generate a full audit report
litellm-auditor audit --output report.pdf

# Verify specific package versions
litellm-auditor verify litellm==1.0.0

GitHub Action

Add to .github/workflows/security.yml:

name: LLM Supply Chain Audit
on: [push, pull_request]

jobs:
  audit:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v3
      - uses: your-org/litellm-supply-chain-auditor@v1
        with:
          fail-on-vulnerability: true

Pre-commit Hook

Add to .pre-commit-config.yaml:

- repo: https://github.com/your-org/litellm-supply-chain-auditor
  rev: v1.0.0
  hooks:
    - id: litellm-audit

Usage Examples

# Scan and display results in terminal
$ litellm-auditor scan
✓ Requirements parsed: 24 dependencies
⚠ Checking against CVE database...
✗ CRITICAL: litellm 0.1.911 is known compromised
   Upgrade to 0.1.912 or later
   See: https://github.com/advisories/...

# Export detailed JSON report
$ litellm-auditor scan --format json --output audit.json

# Strict mode: fail if any vulnerability found
$ litellm-auditor scan --strict

Tech Stack

  • Language: Python 3.8+
  • CLI Framework: Click
  • Data Format: Rich for terminal output
  • API Integration: Requests (GitHub Advisory Database)
  • Testing: pytest
  • Packaging: pyproject.toml (setuptools)
  • CI/CD: GitHub Actions

Monitored Packages

  • LiteLLM
  • LangChain
  • LlamaIndex

See MONITORED_PACKAGES.md for the complete list and update cadence.

Contributing

We welcome contributions! Please see CONTRIBUTING.md for guidelines.

License

MIT License — see LICENSE for details.

Source Distribution

litellm_supply_chain_auditor-0.1.0.tar.gz (15.5 kB)

Built Distribution

litellm_supply_chain_auditor-0.1.0-py3-none-any.whl (15.5 kB)

Hashes for litellm_supply_chain_auditor-0.1.0.tar.gz
Algorithm Hash digest
SHA256 3c55cdb3735085b9df112a045bd3fc6d4290a5e504fc8c711b208cf9f3f0f158
MD5 efc1cfa19ea641ce31a6e87a53c442bc
BLAKE2b-256 25abd8cb2f3cc442fb2fabd8a7b7c265c9d9b5d57b6bab054b2286502378b6fc

Hashes for litellm_supply_chain_auditor-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 6ea485f719f8c07e780417ce60922b8f718e2da0d37e4d3d1d32f4034569a580
MD5 4a30b639a60272056332ea2a9fb8d591
BLAKE2b-256 35ad8fbc4fc4d06ef6ba4644e94631bd498d8f720e2f2d6b16558d01b423f01a
