Skip to main content

Open-source package firewall proxy for npm and PyPI registries

Project description

pkggate — Open-Source Package Firewall for npm & PyPI

Block malicious packages before they reach node_modules or site-packages. A lightweight, self-hosted supply-chain firewall for small and mid-sized teams — free, open-source, and built on public threat intelligence (OSV.dev).

License: MIT Status: Early Preview Contributions Welcome

⭐ If pkggate helps you, please consider starring the repo to support the project!

Keywords: package firewall, supply chain security, npm proxy, pypi proxy, malicious package blocker, OSV mirror, dependency security, software supply chain, self-hosted security, open-source security tooling.

pkggate demo


Why pkggate?

Software supply-chain attacks against npm and PyPI keep growing — typosquats, account takeovers, and malicious post-install scripts are now everyday threats. Commercial package firewalls exist, but their pricing often locks out small teams, indie developers, and OSS maintainers.

pkggate is a free, self-hosted alternative designed for organizations that need supply-chain protection without enterprise contracts:

  • Zero cost, full control — runs in your own infrastructure, no vendor lock-in.
  • Drop-in proxy — point npm and pip at pkggate; everything else stays the same.
  • Offline-capable threat intel — local OSV mirror means lookups don't leak which packages you install.
  • Policy-driven — block by advisory, package age, missing repository links, lifecycle scripts, or explicit allow/deny lists.
  • Auditable — every decision lands in a JSON Lines audit log.

Inspired by:

Layered supply-chain defence

pkggate pairs naturally with unravel-sbom, a companion open-source CLI that scans your project and generates SBOMs in SPDX 2.3 and CycloneDX 1.6 format, with direct upload to Dependency-Track.

Layer Tool When
Block bad packages at install time pkggate Developer workstation & CI install step
Inventory what made it in unravel-sbom After npm install / pip install in CI
Monitor for newly-disclosed CVEs Dependency-Track (via unravel-sbom) Continuously

Run them together in CI for defence-in-depth: pkggate blocks known-malicious packages before they enter node_modules; unravel-sbom then captures a signed SBOM of everything that did install and uploads it for continuous vulnerability monitoring.

unravel-sbom demo

⭐ If unravel-sbom helps you, please consider starring that repo too!


How it works

pkggate acts as a registry to your package manager. Every request is checked against a threat-intel source (OSV.dev) and a policy engine. Hits are blocked with HTTP 403 and recorded in the audit log.

+---------+       +--------+        +---------------------+
|  npm /  | --->  | pkggate  |  --->  |  npm / PyPI         |
|  pip    |       |        |        |  upstream registry  |
+---------+       |   +----v----+   +---------------------+
                  |   | OSV API |
                  |   +---------+
                  |   +---------+
                  |   | Policy  |
                  +---+---------+

Two checkpoints (npm):

  1. Metadata response (GET /<pkg>) — versions with a MAL-* advisory are stripped from the versions map so the client never tries to resolve them.
  2. Tarball request (GET /<pkg>/-/<pkg>-<ver>.tgz) — final check before the file is delivered.

Quick start

Run with Docker

Pull the published image from GitHub Container Registry:

docker pull ghcr.io/daneb255/pkggate:latest

Or start everything with Compose (builds locally if no image is present):

docker compose up

Point npm at pkggate

echo "registry=http://localhost:8080/" > ~/.npmrc

# Clear the cache once, otherwise npm bypasses the proxy
npm cache clean --force

npm install express

Point pip at pkggate

pip config set global.index-url http://localhost:8080/simple/
pip install requests

That's it — installs now flow through pkggate and malicious versions are blocked transparently.

Use in CI/CD (GitHub Actions)

Run pkggate as a service container so your install steps are protected in CI, then generate an SBOM with unravel-sbom for continuous monitoring:

services:
  pkggate:
    image: ghcr.io/daneb255/pkggate:latest
    ports:
      - 8080:8080

steps:
  - uses: actions/checkout@v4

  - name: Install dependencies via pkggate
    env:
      npm_config_registry: http://localhost:8080/
    run: npm ci

  - name: Generate and upload SBOM
    env:
      DTRACK_URL: ${{ secrets.DTRACK_URL }}
      DTRACK_API_KEY: ${{ secrets.DTRACK_API_KEY }}
    run: |
      pip install unravel-sbom
      unravel-sbom scan . -f cyclonedx \
        --dtrack-project "${{ github.repository }}" \
        --dtrack-version "${{ github.ref_name }}" \
        --dtrack-wait

Threat intelligence

By default pkggate runs a local OSV mirror for both supported ecosystems (npm and PyPI). At startup it downloads each ecosystem's OSV bundle from storage.googleapis.com/osv-vulnerabilities/<eco>/all.zip, extracts every MAL-* advisory, and indexes them in a local SQLite database partitioned by ecosystem. A background task refreshes each bundle hourly; if one bundle fails the others stay fresh.

Per-version lookups during npm install / pip install hit the local DB — zero outbound calls on the hot path, which keeps installs fast and your dependency graph private.

To also catch advisories published since the last refresh, enable PKGGATE_LIVE_FALLBACK_ENABLED=true. The live API is then queried only for versions the mirror considers clean, via the OSV /v1/query endpoint.

Configuration

Variable Default Purpose
PKGGATE_MIRROR_ENABLED true Enable local OSV mirror
PKGGATE_MIRROR_DB mirror.db SQLite path
PKGGATE_MIRROR_REFRESH_SECONDS 3600 Refresh interval
PKGGATE_LIVE_FALLBACK_ENABLED false Query OSV API for clean versions
PKGGATE_OSV_BUNDLE_NPM public GCS URL Override npm bundle source
PKGGATE_OSV_BUNDLE_PYPI public GCS URL Override PyPI bundle source
PKGGATE_OSV_API https://api.osv.dev/v1/query Live fallback endpoint

Policy engine

Policies live in config/policy.yaml. Example rules:

  • block_malicious — hard-block OSV MAL-* advisories.
  • max_cvss_score — block packages whose highest known CVSS base score meets or exceeds a threshold (e.g. 9.0 for critical, 7.0 for high and above). Scores are parsed from OSV advisory data using CVSS v2/v3 vectors. Disabled by default (null).
  • min_package_age_days — block packages younger than N days (typo-squat mitigation).
  • require_repository_url — block packages without a repository link.
  • deny_lifecycle_scripts — block packages that ship lifecycle scripts (preinstall, postinstall, etc.).
  • allowlist / denylist — explicit overrides by name or name@version.

Tune these to match your organization's risk appetite — small teams typically start with block_malicious + min_package_age_days: 7. For stricter environments, add max_cvss_score: 9.0 to also block packages with known critical CVEs.

pkggate CVSS block demo


Audit log

Every decision is appended to ./audit.log as JSON Lines, ready for ingestion by any SIEM, log shipper, or jq pipeline:

{"ts":"2026-04-20T10:12:03Z","action":"block","package":"passports-js","version":"0.0.1-security","rule":"block_malicious","source":"MAL-2024-88"}

Block decisions are also emitted to the container log (docker logs) in real time:

pkggate container log block


PyPI support

pkggate implements the PEP 691 Simple Repository JSON API as a two-gate proxy:

  1. Simple index gate (GET /simple/<project>/) — fetches the upstream index, runs intel + policy per version, drops denied files, rewrites surviving file URLs through the proxy, and caches SHA-256 hashes for the second gate.
  2. File gate (GET /packages/<path>) — re-evaluates policy (last stop before bytes leave), verifies the SHA-256 hash against the simple-index claim, and serves the file. Lockfile-driven installs that skip the index trigger a one-shot prefetch to populate the hash cache.

Configure pip to use pkggate:

# pip.conf
[global]
index-url = http://127.0.0.1:8080/simple/
Variable Default Description
PKGGATE_PYPI_ENABLED true Enable the PyPI proxy
PKGGATE_PYPI_UPSTREAM_SIMPLE https://pypi.org/simple/ Upstream simple index
PKGGATE_PYPI_UPSTREAM_FILES https://files.pythonhosted.org/ Upstream file server
PKGGATE_PYPI_PUBLIC_BASE_URL http://127.0.0.1:8080 Public URL of this proxy (used for URL rewriting)
PKGGATE_PYPI_VERIFY_INTEGRITY true Verify SHA-256 hash against simple-index claim
PKGGATE_PYPI_MAX_BUFFER_BYTES 209715200 Maximum file size buffered for verification (200 MiB)

Project status

pkggate is an early-stage prototype. It works end-to-end for npm and PyPI, but APIs, configuration keys, and on-disk formats may still change without notice. Production use is at your own risk — please pin versions and review the audit log.

Roadmap highlights:

  • Hardening the policy engine and configuration schema.
  • Cargo and Maven adapters (plugin point already exists at src/pkggate/proxy/).
  • A small admin UI for the audit log.
  • Pre-built container images and a Helm chart.

Contributing

Contributions are explicitly welcome. This project is built for the community — small businesses, OSS maintainers, indie devs, and security teams who want supply-chain protection without an enterprise budget.

Helpful ways to contribute:

  • Try it in your stack and open issues for anything that breaks or surprises you.
  • Add ecosystem adapters (Cargo, Maven, RubyGems, Go modules).
  • Improve the policy engine — new rules, better defaults, clearer error messages.
  • Documentation, examples, translations — especially deployment guides for common environments (Kubernetes, Nomad, plain systemd).
  • Threat-intel integrations beyond OSV.dev.

To contribute:

  1. Fork the repository and create a feature branch.
  2. Follow conventional commits where possible.
  3. Open a pull request describing the change and the motivation.
  4. Be kind in reviews — see CODE_OF_CONDUCT.md.

If you're unsure where to start, open a discussion or an issue tagged question — we'll help you find a good first task.


Code of Conduct

Participation in this project is governed by the Contributor Covenant Code of Conduct. By participating, you agree to uphold its terms. Reports can be sent privately to the maintainer email listed in that document.


Security

Found a vulnerability in pkggate itself? Please do not file a public issue. Email the maintainer (see CODE_OF_CONDUCT.md) with details and we will respond as quickly as we can.

For malicious-package reports, file them upstream with OSV.dev or the OSSF Malicious Packages project so the whole ecosystem benefits.


License

MIT — use it, fork it, ship it.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

pkggate-0.1.7.tar.gz (49.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

pkggate-0.1.7-py3-none-any.whl (34.5 kB view details)

Uploaded Python 3

File details

Details for the file pkggate-0.1.7.tar.gz.

File metadata

  • Download URL: pkggate-0.1.7.tar.gz
  • Upload date:
  • Size: 49.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for pkggate-0.1.7.tar.gz
Algorithm Hash digest
SHA256 49c4717f2273b080a96a228e111be7b652926028cf72828c4b5e711b9a2047e8
MD5 cf9015b321bab800348d663b88ff0bae
BLAKE2b-256 4831779de72b5f0e2ad691e2318be03dc7745dcb6434ee06987cbb773c3a5196

See more details on using hashes here.

Provenance

The following attestation bundles were made for pkggate-0.1.7.tar.gz:

Publisher: release.yml on daneb255/pkggate

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file pkggate-0.1.7-py3-none-any.whl.

File metadata

  • Download URL: pkggate-0.1.7-py3-none-any.whl
  • Upload date:
  • Size: 34.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.12

File hashes

Hashes for pkggate-0.1.7-py3-none-any.whl
Algorithm Hash digest
SHA256 d06ce687156a6d3f6eda67da31cac4500bf3828720cf6bd7efe7f2397db4d959
MD5 fe145ee8c668560cf11463b992e5d0b3
BLAKE2b-256 3f4981dcd095664112655d37e17c1c169b2b0d82a60b366d975eac3d5b77cb9d

See more details on using hashes here.

Provenance

The following attestation bundles were made for pkggate-0.1.7-py3-none-any.whl:

Publisher: release.yml on daneb255/pkggate

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page