Skip to main content

Pre-install CVE gate for pip — blocks vulnerable and freshly published packages before install

Project description

pip-cve-gate

Pre-install CVE gate for pip. Blocks vulnerable and freshly published packages before any code runs on your machine.

safe-pip install flask requests django
# [pip-cve-gate] Scanning 3 package(s)…
# [pip-cve-gate] Resolved 27 package(s) (incl. transitive deps)
# [pip-cve-gate] All clear — delegating to pip

If a package is blocked:

safe-pip install somelib
# [pip-cve-gate] BLOCKED — install aborted
#   [CVE] 'somelib==1.2.3' has known vulnerabilities: GHSA-xxxx-yyyy-zzzz
#   [FRESH_HOLD] 'dep==0.0.1' was published 1d ago (hold: 3d). Use --skip-fresh-hold to override.

Exit code 0 = clean, 1 = blocked, 2 = error.


Why

Post-install tools (pip-audit, safety) run after pip has already downloaded and potentially executed install scripts. By then it's too late for zero-hour supply chain attacks.

pip has no native plugin hook for pre-install scanning. pip-cve-gate fills that gap with a wrapper that resolves the full dependency tree, scans every package against three independent feeds, and only delegates to real pip when everything is clean.

The closest prior art — pipask — checks PyPI advisories but lacks freshness hold and OSSF malicious package coverage. pip-cve-gate covers all three.


What it checks

Signal Source Fail behaviour
Known CVEs / advisories OSV.dev + PyPI Advisory DB Block
OSSF malicious packages ossf/malicious-packages Block
Freshness hold (default 3d) PyPI upload timestamp Block (overridable)

Network failures fail open — a broken feed never blocks your CI.


Install

pip install pip-cve-gate

Or run directly from the repo without installing:

git clone https://github.com/sharkyger/pip-cve-gate
cd pip-cve-gate
python bin/safe-pip install flask

Usage

safe-pip accepts the same arguments as pip install:

safe-pip install flask
safe-pip install "django>=4.2" "celery==5.3.6"
safe-pip install flask --skip-fresh-hold   # bypass freshness hold

Non-install subcommands are passed through unchanged:

safe-pip list
safe-pip show flask
safe-pip uninstall flask

Configuration

Variable Default Description
PIP_CVE_GATE_FRESH_HOLD_DAYS 3 Days a new release must age before install
PIP_CVE_GATE_TIMEOUT 10 HTTP timeout in seconds
PIP_CVE_GATE_MAX_DEPTH 5 Max transitive dependency depth
PIP_CVE_GATE_PIP_BIN pip Path to real pip binary

Part of the safe-install fleet

pip-cve-gate is part of a pre-install CVE gate fleet for different package ecosystems:

Ecosystem Tool
Homebrew homebrew-safe-upgrade
Composer (PHP) composer-cve-gate
pip (Python) pip-cve-gate ← you are here

Development

git clone https://github.com/sharkyger/pip-cve-gate
cd pip-cve-gate
python -m venv .venv && source .venv/bin/activate
pip install -e ".[dev]"
pytest -v
ruff check src/ tests/

License

MIT — see LICENSE.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pip_cve_gate-0.1.0.tar.gz (12.0 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

pip_cve_gate-0.1.0-py3-none-any.whl (11.2 kB view details)

Uploaded Python 3

File details

Details for the file pip_cve_gate-0.1.0.tar.gz.

File metadata

  • Download URL: pip_cve_gate-0.1.0.tar.gz
  • Upload date:
  • Size: 12.0 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for pip_cve_gate-0.1.0.tar.gz
Algorithm Hash digest
SHA256 745c5b6564342c90ae2c4ac8093af3017d2f1109f30ece05a95db6660f551d0c
MD5 5c05204952940ed4302d782e31e7124c
BLAKE2b-256 7c8b09e58525c1c935af639229da11c3416d8964d01cad372d9ff6caac1b228c

See more details on using hashes here.

Provenance

The following attestation bundles were made for pip_cve_gate-0.1.0.tar.gz:

Publisher: publish.yml on sharkyger/pip-cve-gate

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pip_cve_gate-0.1.0-py3-none-any.whl.

File metadata

  • Download URL: pip_cve_gate-0.1.0-py3-none-any.whl
  • Upload date:
  • Size: 11.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for pip_cve_gate-0.1.0-py3-none-any.whl
Algorithm Hash digest
SHA256 ddffcd30e0794a33a1a09f1043ff522782215fa53735aed3b8e014b41de8593f
MD5 890783e6023cec0802dfe7b30f1d0659
BLAKE2b-256 11e3fbe7de506d865a444138aa4ecb87ab1aa2c2b8de8aa6944b9d8d5cb8b678

See more details on using hashes here.

Provenance

The following attestation bundles were made for pip_cve_gate-0.1.0-py3-none-any.whl:

Publisher: publish.yml on sharkyger/pip-cve-gate

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page