Scan Python packages for supply chain attacks before installing them
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Project description
pipguard
Python supply chain security tool. Scan packages before installing them.
pip install pipguard
pipguard install litellm==1.82.8 # Blocks the March 2026 attack. Exits 1.
Zero configuration. Zero external dependencies. Pure stdlib.
The Problem
The March 2026 litellm attack (97M downloads/month) embedded Python code in a .pth
file — executed automatically at interpreter startup, exfiltrating SSH keys, AWS credentials,
and Kubernetes configs from a single pip install.
Classical tools (pip-audit, GuardDog) are blind to zero-day attacks. They check known signatures. pipguard asks a different question:
Should any
pip installbe allowed to read~/.ssh/id_rsa?
The answer is no. And that question doesn't require a database.
Installation
Install pipguard outside your project's virtualenv — this prevents untrusted package code from tampering with the scanner itself.
# Recommended: isolated, persistent install
pipx install pipguard
# CI / one-off use (no pre-install needed)
uvx pipguard install -r requirements.txt
# Standard
pip install pipguard
Usage
# Install a single package
pipguard install requests
# Install from requirements.txt
pipguard install -r requirements.txt
# CI mode: never prompts, exits 1 on CRITICAL/HIGH
pipguard install --yes -r requirements.txt
# Allow a known-legitimate package that accesses credentials
pipguard install --allow paramiko -r requirements.txt
# Override for known false-positives (use with care)
pipguard install --force my-trusted-internal-pkg
# Show full LOW/CLEAN scan details
pipguard install --verbose requests
# Show raw pip install output
pipguard install --show-pip-output requests
By default, pipguard prints a risk summary, expands CRITICAL / HIGH / MEDIUM,
collapses LOW to package-level counts, and keeps successful pip install logs quiet.
Use --verbose for full scan details and --show-pip-output to restore raw pip logs.
For the full reference — risk levels, exit codes, allowlist, and CI integration — see the documentation.
License
MIT
Project details
Verified details
These details have been verified by PyPIProject links
GitHub Statistics
Maintainers
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Filter files by name, interpreter, ABI, and platform.
If you're not sure about the file name format, learn more about wheel file names.
Copy a direct link to the current filters
File details
Details for the file pipguard-0.3.3.tar.gz.
File metadata
- Download URL: pipguard-0.3.3.tar.gz
- Upload date:
- Size: 362.5 kB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
91b0e436abb7af8174c5a49a99e71447b0df0faed46047268bb83762dcb4cf74
|
|
| MD5 |
e2c337f781ae359c7e92dc9f4f21166f
|
|
| BLAKE2b-256 |
479b94771504aca04f7fbd36605f372a69d6b8678f09036b100fbdca4acf9eae
|
Provenance
The following attestation bundles were made for pipguard-0.3.3.tar.gz:
Publisher:
publish.yml on shenxianpeng/pipguard
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
pipguard-0.3.3.tar.gz -
Subject digest:
91b0e436abb7af8174c5a49a99e71447b0df0faed46047268bb83762dcb4cf74 - Sigstore transparency entry: 1289102406
- Sigstore integration time:
-
Permalink:
shenxianpeng/pipguard@cc17e2dfe141f5422604d2be675f13f44b85f039 -
Branch / Tag:
refs/tags/v0.3.3 - Owner: https://github.com/shenxianpeng
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@cc17e2dfe141f5422604d2be675f13f44b85f039 -
Trigger Event:
push
-
Statement type:
File details
Details for the file pipguard-0.3.3-py3-none-any.whl.
File metadata
- Download URL: pipguard-0.3.3-py3-none-any.whl
- Upload date:
- Size: 24.3 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 |
fe99ae06437dc13e9e6fd195742d1c435ec5e27713b69e88a41cac74cbe96a2d
|
|
| MD5 |
89271560e1ebdcb7536385d50bbf06d4
|
|
| BLAKE2b-256 |
fc9640a667f5507d4accf0dc2ecff5a90667eb1e9d4fff6e75d5869aeedc7341
|
Provenance
The following attestation bundles were made for pipguard-0.3.3-py3-none-any.whl:
Publisher:
publish.yml on shenxianpeng/pipguard
-
Statement:
-
Statement type:
https://in-toto.io/Statement/v1 -
Predicate type:
https://docs.pypi.org/attestations/publish/v1 -
Subject name:
pipguard-0.3.3-py3-none-any.whl -
Subject digest:
fe99ae06437dc13e9e6fd195742d1c435ec5e27713b69e88a41cac74cbe96a2d - Sigstore transparency entry: 1289102476
- Sigstore integration time:
-
Permalink:
shenxianpeng/pipguard@cc17e2dfe141f5422604d2be675f13f44b85f039 -
Branch / Tag:
refs/tags/v0.3.3 - Owner: https://github.com/shenxianpeng
-
Access:
public
-
Token Issuer:
https://token.actions.githubusercontent.com -
Runner Environment:
github-hosted -
Publication workflow:
publish.yml@cc17e2dfe141f5422604d2be675f13f44b85f039 -
Trigger Event:
push
-
Statement type:
