pip-check-safety
Scan pip packages for security risks before and after installation.
Features
- Pre-installation checks: Scan packages before you install them
- Typosquatting detection: Catch packages trying to impersonate popular libraries
- Code scanning: Detect suspicious patterns like crypto miners, data exfiltration, obfuscation
- Environment audits: Scan all your installed packages at once
- Requirements scanning: Check your requirements.txt before deployment
Installation
pip install pip-check-safety
Usage
Check a package before installing
pip-check requests
Deep scan (downloads and analyzes source code)
pip-check --deep some-package
Audit all installed packages
pip-check --audit
Check a requirements file
pip-check -r requirements.txt
JSON output for CI/CD
pip-check --json requests
pip-check --audit --json
What it checks
PyPI Metadata
- Package age (brand new packages are higher risk)
- Download count (low downloads = less community vetting)
- Author information
- Source repository presence
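As an added illustration of how the four metadata signals above can be turned into a risk score (example code written for this page, not pip-check-safety's own implementation): the input is a document in the shape the PyPI JSON API returns from https://pypi.org/pypi/<name>/json, the forge list, thresholds and the 0..3 severity mapping are assumptions, and the two sample documents are constructed so the example runs offline. Download counts are not part of that API, so the caller passes them in.

```python
# Added example (not pip-check-safety's own code): scoring the PyPI metadata
# signals. Input is a PyPI JSON API document; samples below are constructed.
import json
import urllib.request
from datetime import datetime, timezone

FORGES = ("github.com", "gitlab.com", "bitbucket.org", "codeberg.org")   # assumption
SEVERITY_EXIT = {"low": 0, "medium": 1, "high": 2, "critical": 3}        # mirrors the tool's exit codes


def fetch_metadata(name: str) -> dict:
    """Fetch the live JSON document for a package (network access required)."""
    with urllib.request.urlopen(f"https://pypi.org/pypi/{name}/json", timeout=10) as resp:
        return json.load(resp)


def first_upload(meta: dict):
    """Earliest upload time across every release file, or None if none exist."""
    stamps = [
        datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
        for files in (meta.get("releases") or {}).values()
        for f in files
    ]
    return min(stamps) if stamps else None


def assess_metadata(meta, weekly_downloads=None, now=None,
                    min_age_days=30, min_downloads=1000):
    """Return (severity, message) findings; weekly_downloads comes from the
    caller (e.g. pypistats) because the PyPI JSON API does not carry it."""
    now = now or datetime.now(timezone.utc)
    info = meta.get("info") or {}
    findings = []

    born = first_upload(meta)
    if born is None:
        findings.append(("high", "no release files have ever been uploaded"))
    elif (now - born).days < min_age_days:
        findings.append(("medium", f"package is only {(now - born).days} days old"))

    if weekly_downloads is not None and weekly_downloads < min_downloads:
        findings.append(("low", f"only {weekly_downloads} downloads in the last week"))

    if not any(info.get(k) for k in ("author", "author_email", "maintainer", "maintainer_email")):
        findings.append(("low", "no author or maintainer information"))

    urls = dict(info.get("project_urls") or {})
    if info.get("home_page"):
        urls["Homepage"] = info["home_page"]
    if not any(forge in (u or "") for u in urls.values() for forge in FORGES):
        findings.append(("medium", "no source repository linked in project URLs"))
    return findings


def risk_exit_code(findings) -> int:
    """Map the worst finding onto the 0..3 exit-code scale the tool uses."""
    return max((SEVERITY_EXIT[sev] for sev, _ in findings), default=0)


# Constructed samples (not real packages) and a fixed clock for reproducible output.
FIXED_NOW = datetime(2024, 3, 6, tzinfo=timezone.utc)
NEW_ANONYMOUS = {
    "info": {"name": "reqeusts", "author": "", "author_email": "", "project_urls": None},
    "releases": {"0.0.1": [{"upload_time_iso_8601": "2024-03-01T12:00:00.000000Z"}]},
}
ESTABLISHED = {
    "info": {"name": "good-package", "author": "Example Maintainer",
             "project_urls": {"Source": "https://github.com/example/good-package"}},
    "releases": {"1.0": [{"upload_time_iso_8601": "2020-01-15T00:00:00.000000Z"}],
                 "2.0": [{"upload_time_iso_8601": "2023-06-01T00:00:00.000000Z"}]},
}

if __name__ == "__main__":
    for meta, downloads in ((NEW_ANONYMOUS, 12), (ESTABLISHED, 5_000_000)):
        found = assess_metadata(meta, weekly_downloads=downloads, now=FIXED_NOW)
        print(meta["info"]["name"], "-> exit code", risk_exit_code(found))
        for sev, msg in found:
            print(f"  [{sev}] {msg}")
```

Replace the constructed documents with `fetch_metadata("some-package")` to score a live package; the fixed clock exists only so the sample output is stable.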
Typosquatting
- Levenshtein distance to popular packages
- Common character swaps (0/o, 1/l, rn/m)
- Hyphen/underscore variations
- Suspicious suffixes (-official, -secure, etc.)
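The four heuristics above, worked through as an added example (written for this page, not the detector shipped in pip-check-safety): a plain Levenshtein distance, the character-swap table, separator normalisation and a suffix check. `POPULAR` is a short constructed stand-in for the tool's real list of popular packages, and the distance thresholds are assumptions.

```python
# Added example (not pip-check-safety's own code): typosquatting heuristics.
POPULAR = ["requests", "numpy", "pandas", "urllib3", "setuptools", "pillow",
           "django", "flask", "cryptography", "boto3"]   # constructed stand-in list
CONFUSABLES = [("0", "o"), ("1", "l"), ("rn", "m")]      # look-alike swaps from the page
SUSPICIOUS_SUFFIXES = ("official", "secure")             # e.g. requests-official


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance: insert, delete and substitute each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def forms(name: str):
    """Return (separator-normalised, confusable-normalised, separator-free) spellings."""
    sep = name.lower().replace("_", "-").replace(".", "-")
    conf = sep
    for look_alike, real in CONFUSABLES:
        conf = conf.replace(look_alike, real)
    return sep, conf, conf.replace("-", "")


def check_typosquat(name: str, popular=POPULAR):
    """Return (severity, message) findings; an empty list means no impersonation signal."""
    sep, _, compact = forms(name)
    if sep in popular:
        return []                                   # it is the popular package itself
    findings = []

    for suffix in SUSPICIOUS_SUFFIXES:              # requests-official, numpy_secure, ...
        if sep.endswith("-" + suffix):
            base = sep[: -len(suffix) - 1]
            if base in popular:
                findings.append(("critical", f"suspicious suffix -{suffix} on popular name {base}"))

    for p in popular:
        p_sep, _, p_compact = forms(p)
        if compact == p_compact:                    # identical once swaps/separators are undone
            findings.append(("high", f"{name} resolves to {p} after confusable/separator normalisation"))
            continue
        d = levenshtein(sep, p_sep)
        if d == 1:
            findings.append(("high", f"{name} is one edit away from {p}"))
        elif d == 2 and len(p_sep) >= 5:            # assumption: ignore 2-edit hits on very short names
            findings.append(("medium", f"{name} is two edits away from {p}"))
    return findings


if __name__ == "__main__":
    for candidate in ("requests", "reqeusts", "requests-official", "nurnpy", "url-lib3"):
        print(candidate, "->", check_typosquat(candidate) or "no findings")
```

Note that a transposition such as "reqeusts" costs 2 under plain Levenshtein, which is why the example rates it medium rather than high; a Damerau variant would count it as one edit.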
Code Patterns (deep scan)
- Dynamic code execution (exec, eval)
- Network exfiltration (socket connections, HTTP requests)
- Obfuscation (base64, marshal, ROT encoding)
- System access (subprocess, os.system)
- Credential theft patterns
- Crypto mining indicators
- Persistence mechanisms
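An added example of the kind of static check behind several of the pattern categories above (written for this page, not pip-check-safety's scanner): it parses Python source with `ast`, flags calls to dynamic-execution, decoding, system and network APIs, flags string constants that name credential files or mining indicators, and raises the severity when a decoder call is fed straight into `exec`/`eval`. The call and marker tables are assumptions, and the `setup.py` sample is constructed and never executed.

```python
# Added example (not pip-check-safety's own code): AST-based code pattern scan.
import ast
import os

SUSPICIOUS_CALLS = {                                   # assumed table, not the tool's
    "exec": ("high", "dynamic code execution"),
    "eval": ("high", "dynamic code execution"),
    "base64.b64decode": ("medium", "obfuscation (base64)"),
    "marshal.loads": ("medium", "obfuscation (marshal)"),
    "codecs.decode": ("medium", "obfuscation (codecs/ROT)"),
    "os.system": ("high", "system access"),
    "subprocess.Popen": ("high", "system access"),
    "subprocess.run": ("high", "system access"),
    "subprocess.call": ("high", "system access"),
    "socket.socket": ("medium", "network connection"),
    "urllib.request.urlopen": ("medium", "outbound HTTP request"),
    "requests.post": ("medium", "outbound HTTP request"),
    "requests.get": ("medium", "outbound HTTP request"),
}
DECODERS = {"base64.b64decode", "marshal.loads", "codecs.decode", "zlib.decompress"}
SENSITIVE_STRINGS = {                                  # assumed markers
    ".aws/credentials": ("high", "credential file path"),
    ".ssh/id_rsa": ("high", "credential file path"),
    "stratum+tcp://": ("critical", "mining pool URL"),
    "xmrig": ("critical", "crypto miner indicator"),
}


def dotted_name(node):
    """'pkg.mod.attr' for a call target, or None if it is not a name/attribute chain."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def scan_source(source: str, filename: str = "<string>"):
    """Return (severity, filename, line, message) findings for one Python file."""
    try:
        tree = ast.parse(source, filename)
    except SyntaxError as exc:
        return [("low", filename, exc.lineno or 0, f"unparseable source: {exc.msg}")]
    findings = []
    for node in ast.walk(tree):
        if isinstance(node, ast.Call):
            name = dotted_name(node.func)
            if name in SUSPICIOUS_CALLS:
                sev, what = SUSPICIOUS_CALLS[name]
                # a decoder call passed directly to exec/eval is the classic obfuscated-payload shape
                if name in ("exec", "eval") and any(
                    isinstance(a, ast.Call) and dotted_name(a.func) in DECODERS for a in node.args
                ):
                    sev, what = "critical", f"decoded payload passed straight to {name}"
                findings.append((sev, filename, node.lineno, f"{what} ({name})"))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            for marker, (sev, what) in SENSITIVE_STRINGS.items():
                if marker in node.value:
                    findings.append((sev, filename, node.lineno, f"{what} ({marker!r})"))
    return sorted(findings, key=lambda f: f[2])


def scan_tree(root: str):
    """Scan every .py file below root, e.g. an unpacked sdist or a site-packages directory."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if fn.endswith(".py"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(fh.read(), path))
    return findings


# Constructed sample input; it is only parsed, never run (the base64 decodes to print('hi')).
SAMPLE_SETUP_PY = """\
import base64, os, socket
from setuptools import setup

def _hook():
    exec(base64.b64decode("cHJpbnQoJ2hpJyk="))
    os.system("echo hello")
    sock = socket.socket()
    creds = os.path.expanduser("~/.aws/credentials")

setup(name="demo-package")
"""

if __name__ == "__main__":
    for sev, fname, line, msg in scan_source(SAMPLE_SETUP_PY, "setup.py"):
        print(f"{fname}:{line}: [{sev}] {msg}")
```

A name-based check like this is deliberately simple: it sees `os.system` but not `getattr(os, "sys" + "tem")`, which is exactly why the obfuscation category exists alongside it and why the scan is a risk signal rather than a verdict.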
Exit Codes
- 0: No issues or low risk only
- 1: Medium risk findings
- 2: High risk findings
- 3: Critical risk findings
Use exit codes in CI/CD pipelines:
pip-check --audit
rc=$?
if [ "$rc" -ge 2 ]; then
  echo "High-risk packages detected (pip-check exit code $rc)"
  exit 1
fi
Python API
from pip_check import PyPIChecker, TyposquatDetector, CodeScanner, EnvironmentAuditor
# Check a single package
checker = PyPIChecker()
report = checker.check("requests")
report.print_report()
# Detect typosquatting
detector = TyposquatDetector()
report = detector.check("reqeusts") # typo
print(report.findings)
# Scan installed package code
scanner = CodeScanner()
report = scanner.scan_installed("some-package")
# Audit entire environment
auditor = EnvironmentAuditor(deep_scan=True)
reports = auditor.audit_all()
auditor.print_summary(reports)
Support
If this tool helped you, consider supporting:
License
MIT
Download files
Source Distribution
- pip_check_safety-1.0.1.tar.gz (15.5 kB)
Built Distribution
- pip_check_safety-1.0.1-py3-none-any.whl (16.8 kB)
File details
Details for the file pip_check_safety-1.0.1.tar.gz.
File metadata
- Download URL: pip_check_safety-1.0.1.tar.gz
- Upload date:
- Size: 15.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | e8a962d5c69c31967b4e4901e70852b565bda6cb73f34260a0aa38cd0e3c9bff |
| MD5 | 9055ac126ec90fd0991c3afd809ad5f6 |
| BLAKE2b-256 | ab880c72f36bb6b64d64d1a8acf5223b4c98ccb3bd6e07dc67502065e1538df6 |
File details
Details for the file pip_check_safety-1.0.1-py3-none-any.whl.
File metadata
- Download URL: pip_check_safety-1.0.1-py3-none-any.whl
- Upload date:
- Size: 16.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | e5b42be9aa205ab61698d78d1fd22857e609928a7fdc2bca34e7e0f3b8a4df6c |
| MD5 | 52a187b1cda11241f844304de170f4ec |
| BLAKE2b-256 | e24ad5376b198ce542ed28da7ff57d095d8bfe277e21e055900b20a8fd3c099b |