PKG-Defender: Supply Chain Attack Defense CLI — Stop malicious packages BEFORE they reach your machine or CI pipeline.
Project description
Highlights
The supply chain attack defense CLI — Cooldown gates, multi-source threat intelligence, command wrappers, CI/CD interception, and lock file dependency auditing for all major package managers.
- Unified Command Wrapper: pkgd [OPTIONS] MANAGER SUBCOMMAND [PACKAGE...] [MANAGER_OPTIONS...]
  - Wrap any supported "dangerous" package manager command (pkgd pip install requests, pkgd npm install express, pkgd brew upgrade tree, etc.)
  - "Dangerous Commands" are defined as any package manager command that has the potential to put software on your machine (install, update, download, add, sync, etc.)
- Auto-Detect Manager: automatically detects the package manager from project files or system packages
- Version Detection: get_installed_version() for all 18 package managers across 10 ecosystems enables version comparison
- Fail-Closed Security: any failure blocks installation with a warning and options for an informed manual override
- Alternative PM Coverage: python -m pip, pipx, yarn, pnpm and other alternative manager calls are all supported
- Cooldown Gates: configurable time-since-release hold window with per-package, tracked and auditable overrides (ships with a default of 7 days)
- Multi-source Threat Intelligence: OSV.dev, GHSA, Socket.dev, npm advisories, and more, all synced and stored locally (with automatic staleness detection)
- Social Intelligence Feeds: Mastodon, Reddit, RSS, X/Twitter — free sources shipped / B.Y.O.K. options available (informational only — non-blocking)
- Lock File Auditing: all major formats: package-lock.json, poetry.lock, requirements.txt, yarn.lock, pnpm-lock.yaml, uv.lock, Pipfile.lock (currently supported formats)
- Background Daemon: automated background intelligence feed sync with OS-native launchd / systemd / Task Scheduler
- CI/CD Integration: --fail-on-threat exits on CRITICAL/HIGH for secure pipeline gating
Why It Exists
The overwhelming frequency of recent supply chain attacks has shown how quickly malicious packages can spread. The threat landscape has changed significantly. Four of the most significant open-source supply chain attacks ever recorded all happened within a few months of this writing:
- TanStack Router (May 2026): A self-propagating worm compromised 42 @tanstack/* packages and spread to 160+ others across npm and PyPI. The malicious versions carried valid SLSA Build Level 3 provenance attestations, meaning the supply chain controls that the industry spent years building offered zero protection.
- Axios (March 2026): A North Korea-linked threat actor compromised the lead maintainer's account of the most popular JavaScript HTTP client (~100M weekly downloads) and published a cross-platform RAT targeting macOS, Windows, and Linux. The poisoned versions were live for under 3 hours. Thousands of installs happened anyway.
- LiteLLM (March 2026): Using tokens stolen via the Trivy compromise, attackers published backdoored releases of a widely-deployed AI gateway (~95M monthly downloads). The payload ran a three-stage attack: harvest SSH keys, AWS/GCP/Azure credentials, and Kubernetes secrets → move laterally across clusters → install a persistent systemd backdoor.
- Trivy (March 2026): The world's most popular container security scanner was weaponized. Attackers spoofed maintainer commits, pushed a malicious release, and used Trivy's own CI/CD runner access to steal publishing tokens from every downstream project that scanned with it — kicking off a cascade of follow-on attacks.
These incidents succeed because fresh packages are often installed based on trust alone. PKG-Defender adds a practical and secure defense layer: local threat intelligence and dependency auditing combined with a configurable cooldown window to catch the latest threats before they land on your machine, your dependency tree, or your production pipelines.
Installation
From PyPI
# Recommended with uv
uv pip install pkg-defender
# Alternative with pip
pip install pkg-defender
From Homebrew (macOS/Linux)
brew tap divisionseven/pkg-defender
brew install pkg-defender
Tap Trust (Homebrew 6.0.0+)
As of Homebrew 6.0.0, brew's automatic trust evaluation requires explicit trust confirmation for taps. If needed, users may be prompted to run:
brew trust divisionseven/pkg-defender
[!Important] Homebrew installation is not yet available. The formula will be activated upon v1.0.0 release. SHA256 checksums will be updated per-release. Once published, this note will be removed and the above commands will work as shown.
[!Note] The tap formula is available at the homebrew-pkg-defender repository. View Tap →
From Binary (macOS/Linux/Windows)
Pre-built standalone binaries are attached to every GitHub Release:
- macOS (arm64): pkgd-darwin-arm64
- macOS (x86_64): pkgd-darwin-amd64
- Linux (x86_64): pkgd-linux-amd64
- Windows (x86_64): pkgd-windows-amd64.exe
Each binary has a matching .sha256 checksum file. Download, verify, and run:
# Example for macOS arm64
curl -LO https://github.com/divisionseven/pkg-defender/releases/latest/download/pkgd-darwin-arm64
curl -LO https://github.com/divisionseven/pkg-defender/releases/latest/download/pkgd-darwin-arm64.sha256
shasum -a 256 -c pkgd-darwin-arm64.sha256
chmod +x pkgd-darwin-arm64
./pkgd-darwin-arm64 --help
From Source
git clone https://github.com/divisionseven/pkg-defender
cd pkg-defender
# Using uv (recommended)
uv sync --dev
# Using pip
pip install -e ".[test,lint]"
Quick Start
# Simple setup wizard to configure settings,
# add optional secrets, sync intelligence feeds
pkgd setup
# Use the command wrapper pattern to intercept supported commands:
pkgd pip install requests
pkgd npm install express
pkgd brew install tree
# ...and so on
CI/CD Usage
pkg-defender is also designed for use in automated pipelines with
non-interactive CI mode:
# Use --ci flag to skip all prompts
pkgd --ci pip install axios
# Or set the environment variable
export PKGD_CI=1
pkgd pip install axios
In CI pipelines:
# Quick audit with snapshots (faster)
pkgd db snapshot --download
pkgd audit --fail-on-threat -o json
# Or sync for most current data
pkgd intel sync
pkgd audit --fail-on-threat --output json
Environment setup:
| Variable | Description |
|---|---|
| PKGD_CI=1 | Enable non-interactive mode |
| PKGD_GITHUB_TOKEN | GHSA API token (higher rate limits); alternatively set feeds.ghsa_token in pkgd.toml |
| PKGD_FEEDS_SOCKET_API_KEY | Socket.dev API key (legacy: PKGD_TWITTER_API_KEY) |
GitHub Actions CI Integration Example Flow
Example CI Pipeline, as run by divisionseven/pkg-defender-action@v1:
- Check Cache (GitHub Actions)
  - HIT: Use cached DB (<6 hours old)
  - MISS: Download fresh snapshot, then SHA256 Verify
    - FAIL: Rebuild
    - SUCCESS: Use DB
- Run pkgd audit
  - Find vulnerabilities?
    - YES: Create PR annotations, then Exit 4 (fail-on)
    - NO: Exit 0 (pass)
- Done

Snapshot source: the fresh snapshot is fetched from GitHub Snapshot Releases (threats-latest.db.gz plus threats-latest.db.gz.sha256). Those releases are published every 6 hours by GitHub Actions in the PKG-Defender GitHub repository, where build_snapshot.py assembles the database from Tier 1 feeds only (OSV, GHSA, OSSF).
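The cache-hit, SHA256-verify and use/rebuild decisions from the flow above, written out as an added example (not pkg-defender's or pkg-defender-action's own code). It reuses a cached database younger than 6 hours, refuses to decompress a threats-latest.db.gz whose digest does not match its .sha256 file, and runs SQLite's integrity check on the result. The download step is out of scope; build_fixture constructs a tiny stand-in snapshot locally so the example runs offline.

```python
"""Snapshot cache and verification steps: cached-DB freshness, digest check,
decompression and SQLite integrity check. Added example; constructed data."""
import gzip
import hashlib
import sqlite3
import tempfile
from datetime import datetime, timedelta, timezone
from pathlib import Path

MAX_SNAPSHOT_AGE = timedelta(hours=6)   # README: cached DB reused when <6 hours old
HEX = set("0123456789abcdef")


def parse_sha256_file(text: str) -> str:
    """Accept '<hex>' or '<hex>  filename' (the shasum -c layout); reject anything else."""
    fields = text.split()
    if not fields or len(fields[0]) != 64 or not set(fields[0].lower()) <= HEX:
        raise ValueError("malformed .sha256 file")
    return fields[0].lower()


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def cache_state(path: Path, now: datetime, max_age: timedelta = MAX_SNAPSHOT_AGE) -> str:
    """'HIT' when the cached file exists and is younger than max_age, else 'MISS'."""
    if not path.exists():
        return "MISS"
    mtime = datetime.fromtimestamp(path.stat().st_mtime, tz=timezone.utc)
    return "HIT" if now - mtime < max_age else "MISS"


def install_snapshot(gz_path: Path, sha_path: Path, dest: Path) -> str:
    """Verify, then decompress, then integrity-check; 'FAIL' means the caller rebuilds."""
    expected = parse_sha256_file(sha_path.read_text())
    if sha256_of(gz_path) != expected:
        return "FAIL"                     # digest mismatch: never decompress the file
    with gzip.open(gz_path, "rb") as src:
        dest.write_bytes(src.read())
    db = sqlite3.connect(dest)
    try:
        ok = db.execute("PRAGMA integrity_check").fetchone()[0] == "ok"
    finally:
        db.close()
    return "SUCCESS" if ok else "FAIL"


def build_fixture(tmp: Path, tamper: bool = False) -> tuple[Path, Path]:
    """Construct a one-row threats database, gzip it, and write its .sha256 (test data)."""
    raw = tmp / "threats.db"
    db = sqlite3.connect(raw)
    db.execute("CREATE TABLE threats (ecosystem TEXT, name TEXT, version TEXT, score REAL)")
    db.execute("INSERT INTO threats VALUES ('npm', 'example-utils', '1.0.3', 0.95)")
    db.commit()
    db.close()
    gz = tmp / "threats-latest.db.gz"
    gz.write_bytes(gzip.compress(raw.read_bytes()))
    sha = tmp / "threats-latest.db.gz.sha256"
    sha.write_text(f"{sha256_of(gz)}  {gz.name}\n")
    if tamper:   # simulate a modified download: the recorded digest no longer matches
        gz.write_bytes(gz.read_bytes() + b"\x00")
    return gz, sha


def run_demo() -> dict[str, object]:
    """Exercise every branch on constructed data and return the outcomes."""
    tmp = Path(tempfile.mkdtemp(prefix="pkgd-snap-"))
    gz, sha = build_fixture(tmp)
    now = datetime.now(timezone.utc)
    results: dict[str, object] = {
        "cache_now": cache_state(gz, now),
        "cache_after_7h": cache_state(gz, now + timedelta(hours=7)),
        "cache_missing": cache_state(tmp / "absent.db.gz", now),
        "verify_clean": install_snapshot(gz, sha, tmp / "threats.verified.db"),
    }
    bad_gz, bad_sha = build_fixture(Path(tempfile.mkdtemp(prefix="pkgd-snap-")), tamper=True)
    results["verify_tampered"] = install_snapshot(bad_gz, bad_sha, tmp / "never-written.db")
    try:
        parse_sha256_file("not a digest\n")
        results["bad_sha_rejected"] = False
    except ValueError:
        results["bad_sha_rejected"] = True
    return results


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key:18} {value}")
```

The order matters: the digest is checked on the compressed bytes before anything is decompressed, so a corrupted or substituted download is rejected without ever being parsed, and the integrity check afterwards catches a database that was published damaged.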
How It Works
- Intercept — Command wrappers (pkgd pip install, pkgd npm install) wrap package manager commands across 18 package managers in 10 ecosystems.
- Check — check_package() queries the local SQLite threat database (zero network I/O).
- Inform — social intelligence feeds add community-sourced early warnings (never blocks).
- Cooldown — Package age is checked against the configured window (default: 7 days).
- Decide — Threats scoring ≥ 0.3 are blocked; social feed findings are informational only.
- Sync — Background daemon periodically refreshes threat intelligence from 9 feeds.
Threat Intelligence
pkg-defender syncs from 9 feeds: 6 structured (OSV.dev, GHSA, npm advisory,
OSSF Malicious Package List, RSS, Homebrew) and 3 social (Mastodon, Reddit,
X/Twitter). Socket.dev is also available as a point-query source (not bulk
sync). Structured feeds can block installs; social feeds are informational only.
Feeds sync on configurable intervals with staleness detection.
Auditing
Scan 7 lock file formats for known threats and cooldown-pending packages. Output
in rich terminal, JSON, or CSV. Use --fail-on-threat for CI/CD pipeline gating
(exits 4 on CRITICAL/HIGH only).
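The audit path described above, as an added example that is not pkg-defender's own code: it parses two of the listed lock formats (requirements.txt pins and the "packages" map of a lockfileVersion 2/3 package-lock.json), looks each dependency up in a local SQLite threat table with no network I/O, and applies the two rules the README states: a score ≥ 0.3 blocks, and --fail-on-threat exits 4 only when a CRITICAL or HIGH finding exists. The table schema, sample rows and lock files are constructed for this example.

```python
"""Lock-file audit against a local threat database with CI exit semantics.
Added example; schema, advisory ids and inputs are constructed."""
import json
import re
import sqlite3
from dataclasses import dataclass

BLOCK_THRESHOLD = 0.3            # README: threats scoring >= 0.3 are blocked
EXIT_THREAT = 4                  # README: --fail-on-threat exits 4 on CRITICAL/HIGH
GATING_SEVERITIES = {"CRITICAL", "HIGH"}

# Constructed inputs; package names chosen to be obviously fictional.
SAMPLE_REQUIREMENTS = """\
# pinned app deps
fake-gateway==1.2.3
rich[jupyter]==13.7.1  ; python_version >= "3.9"
click>=8.0             # unpinned: no single version to audit, so it is skipped
--hash=sha256:0000     # option lines are ignored
"""
SAMPLE_PACKAGE_LOCK = json.dumps({
    "name": "demo-app", "lockfileVersion": 3,
    "packages": {
        "": {"name": "demo-app", "version": "0.1.0"},
        "node_modules/example-utils": {"version": "1.0.3"},
        "node_modules/lodash": {"version": "4.17.21"},
        "node_modules/express/node_modules/example-utils": {"version": "1.0.3"},
    },
})
SAMPLE_THREATS = [
    # ecosystem, name, version ('*' = every version), severity, score, advisory id
    ("npm", "example-utils", "1.0.3", "CRITICAL", 0.95, "EXAMPLE-0001 (constructed)"),
    ("pypi", "fake-gateway", "1.2.3", "HIGH", 0.80, "EXAMPLE-0002 (constructed)"),
    ("npm", "lodash", "*", "LOW", 0.10, "EXAMPLE-0003 (constructed)"),
]


@dataclass(frozen=True)
class Dep:
    ecosystem: str
    name: str
    version: str


@dataclass(frozen=True)
class Finding:
    dep: Dep
    severity: str
    score: float
    advisory: str


_REQ_PIN = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*==\s*([^\s;\\#]+)")


def parse_requirements(text: str) -> list[Dep]:
    """Collect exact pins (name==version); skip comments, option lines and ranges."""
    deps = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = _REQ_PIN.match(line)
        if m:
            deps.append(Dep("pypi", m.group(1).lower(), m.group(2)))
    return deps


def parse_package_lock(text: str) -> list[Dep]:
    """Walk the 'packages' map of a lockfileVersion 2/3 file; nested copies dedupe."""
    seen: set[Dep] = set()
    for path, meta in json.loads(text).get("packages", {}).items():
        if not path or "version" not in meta:
            continue                      # "" is the root project; links carry no version
        name = meta.get("name") or path.rsplit("node_modules/", 1)[-1]
        seen.add(Dep("npm", name, meta["version"]))
    return sorted(seen, key=lambda d: (d.name, d.version))


def build_threat_db(rows) -> sqlite3.Connection:
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE threats (ecosystem TEXT, name TEXT, version TEXT,"
               " severity TEXT, score REAL, advisory TEXT)")
    db.executemany("INSERT INTO threats VALUES (?, ?, ?, ?, ?, ?)", rows)
    return db


def audit(deps: list[Dep], db: sqlite3.Connection) -> list[Finding]:
    """Local-only lookup: exact version or wildcard row, no network I/O."""
    findings = []
    for d in deps:
        rows = db.execute("SELECT severity, score, advisory FROM threats"
                          " WHERE ecosystem = ? AND name = ? AND version IN (?, '*')",
                          (d.ecosystem, d.name, d.version)).fetchall()
        findings.extend(Finding(d, sev, score, adv) for sev, score, adv in rows)
    return findings


def blocked(findings: list[Finding]) -> list[Finding]:
    return [f for f in findings if f.score >= BLOCK_THRESHOLD]


def exit_code(findings: list[Finding], fail_on_threat: bool) -> int:
    gating = any(f.severity in GATING_SEVERITIES for f in findings)
    return EXIT_THREAT if fail_on_threat and gating else 0


def run_sample_audit(fail_on_threat: bool = True) -> tuple[list[Finding], int]:
    deps = parse_requirements(SAMPLE_REQUIREMENTS) + parse_package_lock(SAMPLE_PACKAGE_LOCK)
    findings = audit(deps, build_threat_db(SAMPLE_THREATS))
    return findings, exit_code(findings, fail_on_threat)


if __name__ == "__main__":
    findings, code = run_sample_audit()
    for f in findings:
        print(f"{f.severity:8} {f.score:.2f} {f.dep.ecosystem}/{f.dep.name}@{f.dep.version}  {f.advisory}")
    raise SystemExit(code)
```

Two details are worth noticing: the LOW finding on lodash is reported but neither blocks (score below 0.3) nor fails the pipeline, and an unpinned requirement such as click>=8.0 produces no finding at all, which is exactly why CI should audit a lock file rather than a loose requirements list.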
Tab Completion
Automatic tab completion for pkgd commands in bash, zsh, and fish. Generated
via pkgd completion generate.
[!Note] PowerShell and Nushell are accepted as CLI arguments for consistency with other shell commands, but Click's built-in completion only supports bash, zsh, and fish natively. Custom completion scripts for PowerShell/Nushell will be added in a future release if demand is proven.
# Bash (one of):
pkgd completion generate bash > /etc/bash_completion.d/pkgd # system-wide
pkgd completion generate bash > ~/.local/share/bash-completion/completions/pkgd # user
# Zsh
pkgd completion generate zsh > ~/.zsh/completions/_pkgd
# Fish
pkgd completion generate fish | source
Restart your shell after installation to enable completion.
Configuration
Config Loading Order
Configuration is loaded in this order (later sources override earlier):
- Built-In Defaults
- System Config (/etc/pkgd/pkgd.toml) — loaded first, can be overridden
- User Config (~/.config/pkg-defender/pkgd.toml, platform equivalent) — overrides system
- Project Config (./pkgd.toml or nearest parent) — highest file priority
- PKGD_CONFIG_PATH environment variable — only consulted if the config_path parameter is None
- PKGD_* environment variable overrides — highest priority, always applied
Config TOML File
Default global config file with all values — automatically generated during pkgd setup for easy customization. A project-level file is generated with: cd path/to/project && pkgd setup --init
[cooldown]
# Minimum age in days before a new package version is allowed.
# Default: 7
default_days = 7
# Whether cooldown checking is active. Set false to disable entirely.
# Default: True
enabled = true
# If True, audit exits non-zero when threats are found during cooldown enforcement.
# If False, audit exits zero even with threats (weakened security posture).
# Default: True
strict_mode = true
# If True, a reason must be provided when bypassing the cooldown.
# Default: True
bypass_require_reason = true
# Number of days to retain bypass audit log entries.
# Note: Displayed in config listings only — no auto-prune enforcement code.
# Default: 90
bypass_log_retention_days = 90
[cooldown.overrides]
# Per-package cooldown days override (package name → days).
# Package names must be quoted to avoid TOML parsing errors.
# Examples:
# "react" = 14
# "@babel/core" = 21
# "some-package" = 7
[cooldown.per_ecosystem]
# Per-ecosystem cooldown window overrides (ecosystem → days).
# Examples:
# npm = 7
# pypi = 14
# …continued
Full configuration reference →
Command Reference
| Base Command Group | Description |
|---|---|
| pkgd audit | Scan lock files for threats and cooldown-pending packages |
| pkgd status | Show recent threats, bypasses, and feed state |
| pkgd bypass | Create bypass for a blocked package |
| pkgd health | Check system health |
| pkgd reset | Reset all data (database, config, feeds) |
| pkgd setup | Interactive first-run setup wizard |
| pkgd audit-logs | Query and manage audit event logs |
| pkgd logs | View and manage pkg-defender logs |
| pkgd completion | Generate shell completion scripts |
| pkgd hooks | Generate shell functions for wrapped manager commands |
| pkgd intel sync | Sync all threat intelligence feeds |
| pkgd intel search | Search local threat database |
| pkgd intel report | Threat intelligence dashboard |
| pkgd config view | Display current configuration |
| pkgd config list | List all configuration values with sources |
| pkgd config set | Set a config value (dot notation) |
| pkgd config set-secret | Set a secret configuration value with hidden input |
| pkgd config get | Get a specific configuration value |
| pkgd config reset | Reset to defaults |
| pkgd config options | List all configurable options with descriptions |
| pkgd daemon | Background daemon for periodic sync |
| pkgd db snapshot | Download/verify database snapshots |
| pkgd db verify | Verify local database integrity and report summary |
Global Flags
These flags apply to every pkgd command:
| Flag(s) | Description |
|---|---|
| --version, -V | Show version information |
| --help | Show help message and exit |
| --config, -c | Path to configuration file (default: platform-dependent) |
| --quiet, -q | Suppress all non-error output |
| --verbose, -v | Increase verbosity (-v=INFO, -vv=DEBUG) |
| --no-verbose | Disable verbose output (overrides PKGD_OUTPUT_VERBOSE) |
| --debug, -d | Show full tracebacks for unexpected errors |
| --no-color | Disable colored terminal output |
| --ascii | Force ASCII-only output (useful on Windows or CI) |
| --yes, -y | Auto-confirm all prompts |
| --force, -f | Force operations (skip confirmations, overwrite files) |
| --dry-run, -n | Show what would happen without making changes |
| --ci, --non-interactive | Run in non-interactive CI/CD mode (reads PKGD_CI) |
| --explain | Show detailed explanation of why packages were blocked |
| --json | Output results as JSON |
Command-Specific Flags
| Command | Flag(s) | Description |
|---|---|---|
| pkgd audit | --deep, -d | Perform deep scan (include cooldown status checks) |
| pkgd audit | --fail-on-threat, -f | Exit with code 4 if CRITICAL or HIGH threats detected (CI/CD) |
| pkgd audit | --since | Only flag threats seen within duration (e.g., 7d, 24h) |
| pkgd audit | --output, -o | Output format: rich, json, csv (default: rich) |
| pkgd status | --feeds | Show per-feed health status |
| pkgd health | --output, -o | Output format: rich, json (default: rich) |
| pkgd setup | --init, -i | Create pkgd.toml with defaults |
| pkgd setup | --shell, -s | Override auto-detected shell |
| pkgd bypass | --manager, -m | Package manager (default: npm) |
| pkgd bypass | --reason | Reason for bypass (required) |
| pkgd bypass | --expires | Bypass expiry duration (e.g., 24h, 7d, 30m) |
| pkgd intel sync | --exclude-feed | Exclude a specific feed (repeatable) |
| pkgd logs view | --lines, -n | Number of lines to show (default: 100) |
| pkgd db snapshot | --download, -d | Download latest threat intelligence snapshot |
| pkgd db snapshot | --verify, -v | Verify local database integrity |
| pkgd reset | --teardown, -t | Full teardown (remove database and config) |
| pkgd audit-logs query | --ecosystem | Filter audit log entries by ecosystem |
| pkgd audit-logs query | --verdict | Filter by verdict (PASS, PARTIAL_PASS, FAIL, BLOCKED, WARN, ERROR) |
Environment Variables
| Variable | Affects | Description |
|---|---|---|
| PKGD_DRY_RUN | --dry-run default | When set to 1, enables dry-run mode by default |
| PKGD_OUTPUT_VERBOSE | --no-verbose | Override verbose output at the environment level |
| PKGD_CI | --ci mode | When set to 1, forces CI mode (non-interactive) |
| PKGD_CONFIG_PATH | Config loading | Path to configuration file (alternative to --config) |
Supported Ecosystems
Ecosystem Coverage Tier Key:
The ecosystem's package publication timestamp source/availability (for use in cooldown calculation) determines the tier assignment:
- FULL: Threat check runs, cooldown check runs, verified publish timestamps available
- PARTIAL: Threat check runs, cooldown check runs, proxied publish timestamps available
- AUDIT: Threat check runs, cooldown check is SKIPPED (no reliable registry publish timestamp source available)
FULL and PARTIAL are functionally identical in terms of what checks run. The difference is in the quality of the timestamp source:
- FULL means the timestamps are cryptographically verified/authoritative (PyPI native API, npm registry, etc.)
- PARTIAL means they're proxied/approximate but still usable for cooldown (GitHub Releases/Tags API, Libraries.io, etc.)
| Ecosystem | Manager | Registry Adapter | Coverage Tier | Lock File | Wrapper |
|---|---|---|---|---|---|
| npm | npm, yarn, pnpm, bun | Yes | FULL / PARTIAL | package-lock.json, yarn.lock, pnpm-lock.yaml | Yes |
| PyPI | pip, pipx, poetry, pipenv, uv | Yes | FULL / PARTIAL | requirements.txt, poetry.lock, Pipfile.lock, uv.lock | Yes |
| Cargo | cargo | Yes | FULL | — | Yes |
| RubyGems | gem, bundler | Yes | FULL / PARTIAL | — | Yes |
| Packagist | composer | Yes | FULL | — | Yes |
| Homebrew | brew | Yes | PARTIAL | — | Yes |
| APT | apt | Yes | AUDIT | — | Yes |
| Yum | yum | Yes | AUDIT | — | Yes |
| DNF | dnf | Yes | AUDIT | — | Yes |
| Conda | conda | Yes | FULL | — | Yes |
Dependencies
[!NOTE] Each dependency below includes a pre-crafted audit link: a Google-dorking search query scoped to supply chain attacks, compromises, and security advisories for that package, filtered to the past year.
This is intentional. PKG-Defender exists because developers install packages on trust alone; we think that habit should stop, including with tools like ours. Before installing PKG-Defender in a sensitive environment, we encourage you to click through and do a 30-second check on each of our dependencies. That's exactly the kind of scrutiny this project was built to promote.
| PyPI Link | Purpose | Audit Link |
|---|---|---|
| aiohttp | Async HTTP for feed sync and registry lookups | AUDIT ME → |
| click | CLI framework | AUDIT ME → |
| defusedxml | Safe XML parsing for RPM repodata | AUDIT ME → |
| feedparser | Atom/RSS feed parsing | AUDIT ME → |
| packaging | Python version spec parsing | AUDIT ME → |
| platformdirs | Platform-appropriate config/data directories | AUDIT ME → |
| pyyaml | YAML parsing for pnpm-lock.yaml lock files | AUDIT ME → |
| rich | Terminal output formatting | AUDIT ME → |
| tomlkit | TOML config file read/write (setup wizard) | AUDIT ME → |
| zstandard | Zstandard decompression for RPM repodata | AUDIT ME → |
Contributing
Makefile
For common development tasks, you can use the Makefile:
| Command | Description |
|---|---|
| make install | Install all dependencies |
| make lint | Check code style |
| make typecheck | Type checking |
| make test | Run tests |
| make check | Run lint, typecheck, and tests |
| make build | Build the package |
| make clean | Clean build artifacts |
Direct
Use uv directly:
uv run pytest
uv build
# continued...
Support & Community
PKG-Defender Sponsors
[!Note] PKG-Defender is free and open-source software, built and maintained independently. If the tool provides value to your workflow or organization, consider supporting its continued development, and starring the project so that others can find it.
Your support helps fund ongoing maintenance, feature development, and infrastructure costs — keeping the project available to everyone at no cost. Thank you.
Join the Conversation
Security
[!Important] While PKG-Defender aims to provide practical defense against supply chain threats, no tool can ever guarantee complete protection. Threats may evolve faster than intelligence feeds, and sophisticated attacks may evade public detection. This tool is intended to be used as one layer of a broader security strategy — not as a silver bullet.
PKG-Defender is in active development and we strive to continually evolve in response to the modern threat landscape.
See SECURITY.md →
See DISCLAIMER.md →
Security Model Limitations (v1)
PKG-Defender is a practical defense layer, not a guarantee. Understanding its architectural boundaries helps you calibrate expectations and deploy it where it adds the most value for you and your organization.
Shell Functions Protect Interactive CLI Use Only
PKG-Defender protects interactive pip install, npm install, and similar CLI
commands by wrapping package manager invocations via shell functions, or via direct
invocation. If you do not directly wrap manager commands in non-interactive
environments (pkgd [OPTIONS] MANAGER SUBCOMMAND [PACKAGE...] [MANAGER_OPTIONS...]),
your configured shell functions will not protect:
- Dockerfiles / container builds — RUN pip install inside a Dockerfile does not pass through pkgd shell functions.
- CI/CD scripts — unless explicitly configured to use pkgd <manager> instead of the bare manager command.
- Automated / headless installs — scripts, Makefiles, or system package operations that call the package manager directly.
After clearing a command, os.execvp() replaces the pkgd process with the real
package manager, leaving zero runtime overhead.
No Transitive Dependency Resolution
pkgd audit currently inspects top-level packages only. Transitive dependency
scanning is planned for a future release.
Post-Execution Audit Gap
PKG-Defender records its pre-install assessment in the audit log — the verdict,
config state, and threat analysis at decision time. However, because
os.execvp() replaces the process, pkgd cannot verify whether the install
actually succeeded or whether the package manager encountered an error. To
confirm outcomes, cross-reference pkgd's audit log (pkgd audit-logs) with your
package manager's actual installed state.
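The cross-reference suggested above, as an added example that is not pkg-defender's own code: it joins pkgd-style audit verdicts with the package manager's installed state and sorts every package into one of four buckets. The audit-log line format (JSON lines carrying the verdict names listed under pkgd audit-logs query) is an assumption; the installed state uses the real output shape of pip list --format=json. Both inputs are constructed.

```python
"""Reconcile pre-install verdicts with what the package manager actually installed.
Added example; audit-log format assumed, all inputs constructed."""
import json
from dataclasses import dataclass

# Assumed: verdicts under which pkgd hands the command on to the real manager.
CLEARED_VERDICTS = {"PASS", "PARTIAL_PASS", "WARN"}
BLOCKING_VERDICTS = {"BLOCKED", "FAIL"}

SAMPLE_AUDIT_LOG = """\
{"ts": "2026-07-01T10:00:00Z", "manager": "pip", "package": "requests", "version": "2.32.3", "verdict": "PASS"}
{"ts": "2026-07-01T10:05:00Z", "manager": "pip", "package": "example-gateway", "version": "1.2.3", "verdict": "BLOCKED"}
{"ts": "2026-07-01T10:07:00Z", "manager": "pip", "package": "rich", "version": "13.7.1", "verdict": "WARN"}
{"ts": "2026-07-02T09:00:00Z", "manager": "npm", "package": "express", "version": "4.19.2", "verdict": "PASS"}
"""
# Shape of `pip list --format=json`; contents constructed.
SAMPLE_PIP_LIST = json.dumps([
    {"name": "requests", "version": "2.32.3"},
    {"name": "example-gateway", "version": "1.2.3"},
    {"name": "click", "version": "8.1.7"},
    {"name": "pip", "version": "25.0"},
])


@dataclass(frozen=True)
class AuditEntry:
    ts: str
    manager: str
    package: str
    version: str
    verdict: str


def parse_audit_log(text: str) -> list[AuditEntry]:
    entries = []
    for line in text.splitlines():
        if line.strip():
            d = json.loads(line)
            # Lower-casing is enough for these names; full PEP 503 normalization
            # (dots/underscores to hyphens) would be needed for arbitrary input.
            entries.append(AuditEntry(d["ts"], d["manager"], d["package"].lower(),
                                      d["version"], d["verdict"]))
    return entries


def parse_pip_list(text: str) -> dict[str, str]:
    return {p["name"].lower(): p["version"] for p in json.loads(text)}


def reconcile(entries: list[AuditEntry], installed: dict[str, str],
              manager: str = "pip", baseline: frozenset = frozenset()) -> dict[str, list[str]]:
    """Sort packages into the buckets a reviewer wants after the fact.

    confirmed: cleared by pkgd and present at that version
    not_installed: cleared by pkgd but absent (the manager failed after the exec)
    installed_despite_block: blocked by pkgd yet present (bypass, or an unwrapped install)
    unaudited: present with no pkgd record at all (installed outside the wrapper)
    Names in baseline (interpreter-provided packages) are left out of unaudited.
    """
    mine = [e for e in entries if e.manager == manager]
    cleared = {(e.package, e.version) for e in mine if e.verdict in CLEARED_VERDICTS}
    blocked = {(e.package, e.version) for e in mine if e.verdict in BLOCKING_VERDICTS}
    report: dict[str, list[str]] = {"confirmed": [], "not_installed": [],
                                    "installed_despite_block": [], "unaudited": []}
    for pkg, ver in sorted(cleared):
        bucket = "confirmed" if installed.get(pkg) == ver else "not_installed"
        report[bucket].append(f"{pkg}=={ver}")
    for pkg, ver in sorted(blocked):
        if installed.get(pkg) == ver:
            report["installed_despite_block"].append(f"{pkg}=={ver}")
    audited = {pkg for pkg, _ in cleared | blocked}
    for pkg, ver in sorted(installed.items()):
        if pkg not in audited and pkg not in baseline:
            report["unaudited"].append(f"{pkg}=={ver}")
    return report


def run_sample_reconcile() -> dict[str, list[str]]:
    return reconcile(parse_audit_log(SAMPLE_AUDIT_LOG), parse_pip_list(SAMPLE_PIP_LIST),
                     baseline=frozenset({"pip", "setuptools", "wheel"}))


if __name__ == "__main__":
    for bucket, items in run_sample_reconcile().items():
        print(f"{bucket:24} {', '.join(items) or '-'}")
```

The two buckets worth alerting on are installed_despite_block and unaudited: the first means a package pkgd refused is nonetheless present, the second means something reached the environment without passing through the wrapper at all, which is precisely the gap the limitations above describe.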
AUDIT-Tier Managers Have No Cooldown Protection
Package managers on the AUDIT coverage tier (apt, yum, dnf) receive
threat-detection-only protection — the threat database IS queried, but cooldown
verification is skipped (these ecosystems lack reliable publish timestamps).
Scoring Threshold Is a Tunable Heuristic
The block threshold (0.3 in checker.py) is a starting value chosen through
reasoned defaults, not empirical validation against real-world attack data. It
may produce false positives (blocking legitimate packages) or false negatives
(allowing malicious packages whose threat signals don't reach the threshold).
Users deploying in sensitive environments should test and adjust this value.
Pre-Existing Attacks
PKG-Defender cannot protect against attacks that are already in motion at install time. The tool assesses threat signals from intelligence feeds, not runtime behavior.
Signal-Based Cooldown
The v1 release provides signal-based cooldown escalation where threat severity
can dynamically extend cooldown windows. Verified advisories trigger an
immediate block, and Tier 3 social signals extend the cooldown window. However,
users cannot configure per-signal thresholds or escalation policies directly;
the behavior is hard-coded in the step_check_cooldown() pipeline.
License
PKG-Defender is distributed under Apache-2.0 →
Acknowledgements
PKG-Defender would not be possible without the following external projects, services, data sources, libraries, and tools. Thank you for your contributions.
Threat Intelligence Data Sources
- OSV.dev — Open Source Vulnerability database (Google)
- GitHub Security Advisories — GHSA database
- Socket.dev — Supply chain security signals
- OpenSSF Malicious Packages — OpenSSF malicious package database
Package Registries
- npm — npm registry (npm, Inc.)
- PyPI — Python Package Index (Python Software Foundation)
- RubyGems — Ruby gem server
- crates.io — Rust package registry
- Packagist — PHP/Composer package repository
- Homebrew — macOS/Linux package manager (formulae.brew.sh)
- Anaconda — Python/R data science distribution (Anaconda Inc.)
- conda-forge — Community-led conda package channel
Timestamp Resolution Services
- libraries.io — Package metadata and release timestamps
- Fedora Koji — Fedora build system hub
- Fedora Bodhi — Fedora updates system
- Ubuntu Archive — Ubuntu package archive
- Debian Snapshot Archive — Debian snapshot archive
Social & Community Data Sources
- Mastodon / infosec.exchange — Decentralized social platform
- Reddit / PullPush.io — Reddit comment and submission archive
- X/Twitter API v2 — Social media platform (opt-in, BYOK)
Security Blog RSS Feeds
Security intelligence aggregated from blog RSS feeds:
- Socket.dev blog, Snyk blog, OpenSSF blog, GitHub Security blog, GitGuardian blog, Sonatype blog
Runtime Dependencies
PKG-Defender's runtime dependencies are listed in the Dependencies table above with full transparency audit links.
- aiohttp — Async HTTP for feed sync and registry lookups
- click — CLI framework
- defusedxml — Safe XML parsing for RPM repodata
- feedparser — Atom/RSS feed parsing
- packaging — Python version spec parsing
- platformdirs — Platform-appropriate config/data directories
- PyYAML — YAML parsing for pnpm-lock.yaml lock files
- rich — Terminal output formatting
- tomlkit — TOML config file read/write (setup wizard)
- zstandard — Zstandard decompression for RPM repodata
Development & Build Tools
- Hatchling — Python build backend
- pytest — Testing framework
- ruff — Python linter and formatter (Astral)
- mypy — Static type checker
- pre-commit — Git hook framework
- PyInstaller — Standalone binary packaging
- aioresponses — Async HTTP test mocking
CI/CD & Infrastructure
- GitHub Actions — CI/CD and snapshot automation
- Codecov — Code coverage reporting
- shields.io — Badge generation service
- Trivy — Container image vulnerability scanner (Aqua Security)
- Docker — Container runtime and image distribution
Community Standards
- Contributor Covenant — Code of conduct
- Conventional Commits — Commit message standard
- no-color.org — NO_COLOR standard
ASCII Art & Branding
- artty — ASCII art generation for the PKG-Defender logo banner (used offline in development for asset generation)
Last updated: 2026-07-03
File details
Details for the file pkg_defender-1.0.1.tar.gz.
File metadata
- Download URL: pkg_defender-1.0.1.tar.gz
- Upload date:
- Size: 2.0 MB
- Tags: Source
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 9caf9ad21405f3e9d17e66d928636d8366df3721876ca1125b4474b8b55b3d75 |
| MD5 | c5fa09e333ddd3cc934efdc445f4c14a |
| BLAKE2b-256 | 71d56e2c204a89197bfe43554838d802eecb8516bda47c8aa759f5f23c8be763 |
Provenance
The following attestation bundles were made for pkg_defender-1.0.1.tar.gz:
Publisher: release.yml on divisionseven/pkg-defender
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: pkg_defender-1.0.1.tar.gz
  - Subject digest: 9caf9ad21405f3e9d17e66d928636d8366df3721876ca1125b4474b8b55b3d75
- Sigstore transparency entry: 2066252596
- Sigstore integration time:
- Permalink: divisionseven/pkg-defender@f52b8851f19f1652e2eb9e83b9a2d12ca59832d0
- Branch / Tag: refs/tags/v1.0.1
- Owner: https://github.com/divisionseven
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@f52b8851f19f1652e2eb9e83b9a2d12ca59832d0
- Trigger Event: push
File details
Details for the file pkg_defender-1.0.1-py3-none-any.whl.
File metadata
- Download URL: pkg_defender-1.0.1-py3-none-any.whl
- Upload date:
- Size: 395.7 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? Yes
- Uploaded via: twine/6.1.0 CPython/3.13.13
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 9023a6a164eee9e3ec0b88c3e4ba10798e8ab1a5b8143bb724c7fd4c0ea9a2d2 |
| MD5 | ebf74120fd846aa0af9314b7b6b513da |
| BLAKE2b-256 | a6f2bb639d627c6b41b98b27ef6c27a25bbcc384b20f4a8e517bce02af9f382f |
Provenance
The following attestation bundles were made for pkg_defender-1.0.1-py3-none-any.whl:
Publisher: release.yml on divisionseven/pkg-defender
- Statement:
  - Statement type: https://in-toto.io/Statement/v1
  - Predicate type: https://docs.pypi.org/attestations/publish/v1
  - Subject name: pkg_defender-1.0.1-py3-none-any.whl
  - Subject digest: 9023a6a164eee9e3ec0b88c3e4ba10798e8ab1a5b8143bb724c7fd4c0ea9a2d2
- Sigstore transparency entry: 2066252654
- Sigstore integration time:
- Permalink: divisionseven/pkg-defender@f52b8851f19f1652e2eb9e83b9a2d12ca59832d0
- Branch / Tag: refs/tags/v1.0.1
- Owner: https://github.com/divisionseven
- Access: public
- Token Issuer: https://token.actions.githubusercontent.com
- Runner Environment: github-hosted
- Publication workflow: release.yml@f52b8851f19f1652e2eb9e83b9a2d12ca59832d0
- Trigger Event: push