
Supply chain security platform with behavioral analysis and provenance verification

Project description

ProvChain


ProvChain is an open-source Python supply chain security platform created by Icarus Protection that provides behavioral analysis, provenance verification, and continuous monitoring of software dependencies. Unlike existing tools that focus solely on known CVEs, ProvChain answers the harder question: "Should I trust this package at all?"

Core Value Proposition

Trust verification across the entire dependency lifecycle: before install, during build, and continuously after deployment.

Features

  • Pre-Install Analysis (Interrogator): Behavioral analysis, typosquatting detection, maintainer trust signals, metadata quality checks, vulnerability detection, and supply chain attack detection
  • Provenance Verification (Verifier): Hash verification, Sigstore signatures, GPG signatures, and reproducible build checking
  • Continuous Monitoring (Watchdog): Maintainer change detection, repository monitoring, release analysis, and CVE alerts
  • Advanced Vulnerability Detection: OSV.dev integration, CVSS v3.1 scoring, vulnerability prioritization, and patch availability detection
  • Supply Chain Attack Detection: Account takeover detection, dependency confusion detection, malicious update detection, and historical attack pattern analysis

Installation

pip install provchain

For behavioral analysis support (requires Docker):

pip install "provchain[behavioral]"

Quick Start

Check Version

# Check installed version
provchain --version
# or
provchain -v

Basic Vetting

# Vet a single package
provchain vet requests

# Vet a specific version
provchain vet requests==2.31.0

# Vet all dependencies from requirements.txt
provchain vet -r requirements.txt

# Deep analysis (includes behavioral sandbox)
provchain vet --deep flask

Verification

# Verify a local artifact
provchain verify ./dist/mypackage.whl

# Verify an installed package
provchain verify requests==2.31.0
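Hash verification is the simplest of the Verifier's checks and the one worth understanding end to end. The following is an added example, not ProvChain's verifier: it streams a local artifact through the three digests PyPI publishes for every file (SHA256, MD5 and BLAKE2b-256), compares each against an expected value in constant time, and only reports success when at least one collision-resistant digest matches and nothing mismatches, so an MD5-only match is never enough. The helper that writes a sample file exists only so the example runs offline.

```python
"""Verify a local artifact against published digests (added example, not ProvChain code)."""
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so large wheels never sit in memory whole

# MD5 is still published by indexes, but a match on it alone proves nothing.
STRONG_ALGORITHMS = {"sha256", "blake2b_256"}


def digests(path) -> dict:
    """Compute sha256, md5 and blake2b-256 of a file in a single pass."""
    hashers = {
        "sha256": hashlib.sha256(),
        "md5": hashlib.md5(),
        "blake2b_256": hashlib.blake2b(digest_size=32),
    }
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            for h in hashers.values():
                h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def verify(path, expected: dict) -> dict:
    """Compare the artifact's digests with `expected` ({algorithm: hex digest}).

    Returns {"ok", "matched", "mismatched", "unverified"}. `ok` is True only when
    no supplied digest mismatches AND at least one strong algorithm matched."""
    actual = digests(path)
    matched, mismatched = [], []
    for algo, want in expected.items():
        got = actual.get(algo)
        if got is None:
            continue  # an algorithm we do not compute is neither a match nor a failure
        if hmac.compare_digest(got.lower(), want.lower()):
            matched.append(algo)
        else:
            mismatched.append(algo)
    unverified = sorted(set(actual) - set(expected))
    ok = not mismatched and any(a in STRONG_ALGORITHMS for a in matched)
    return {"ok": ok, "matched": matched, "mismatched": mismatched, "unverified": unverified}


def write_sample(content: bytes) -> Path:
    """Demo helper: write constructed bytes to a temporary file and return its path."""
    fd, name = tempfile.mkstemp(suffix=".whl")
    with os.fdopen(fd, "wb") as fh:
        fh.write(content)
    return Path(name)


if __name__ == "__main__":
    # Constructed artifact: the bytes b"abc", whose SHA256 is the well-known test vector.
    sample = write_sample(b"abc")
    published = {"sha256": "ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad"}
    print(verify(sample, published))
    print(verify(sample, {"sha256": "00" * 32}))  # tampered or wrong release: ok=False
```

To check a real download against the project page's own table, pass the SHA256 and BLAKE2b-256 values listed under "File hashes" as `expected`; a mismatch on either means the file is not the one the index published, whatever MD5 says.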

SBOM Management

# Generate SBOM from current environment
provchain sbom generate

# Generate from requirements.txt
provchain sbom generate -r requirements.txt -o sbom.json

# Import existing SBOM
provchain sbom import sbom.json

Vulnerability Detection

# Scan requirements file for vulnerabilities
provchain vuln scan -r requirements.txt

# Check specific package for vulnerabilities
provchain vuln check requests==2.31.0

# Prioritize by severity (critical/high/medium/low)
provchain vuln prioritize -r requirements.txt --severity critical

# Output in JSON format
provchain vuln scan -r requirements.txt --format json

Supply Chain Attack Detection

# Detect attacks for a package
provchain attack detect requests

# Show detailed attack information
provchain attack detect requests --detailed

# View attack history for a package
provchain attack history requests

# View attack history with custom limit
provchain attack history requests --limit 20

Continuous Monitoring

# Start monitoring an SBOM
provchain watch --sbom sbom.json

# Run as background daemon
provchain watch --daemon

# Check monitoring status
provchain watch status

Output Formats

ProvChain supports multiple output formats for CI/CD integration:

# JSON output
provchain vet requests --format json

# SARIF for GitHub Actions
provchain vet requests --format sarif

# Markdown report
provchain vet requests --format markdown

CI/CD Integration

ProvChain is designed for CI/CD pipelines with exit codes and structured output:

# Exit with non-zero code if risk exceeds threshold
provchain vet -r requirements.txt --ci

# Custom threshold
provchain vet --ci --threshold medium
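What a CI gate actually needs from a tool like this is a stable ordering of severities, an exit code derived from a threshold, and a report format the platform can ingest. The following is an added example, not ProvChain's reporter: it gates a constructed list of findings on a severity threshold (treated here as "at or above", an assumption about how `--threshold` is meant) and renders the same findings as a minimal SARIF 2.1.0 log of the kind GitHub code scanning accepts. The findings shape and rule ids are invented for the example; the project's real JSON layout is not shown on this page.

```python
"""CI gate and SARIF rendering for vetting findings (added example, not ProvChain code)."""
import argparse
import json
import sys

SEVERITY_ORDER = ["low", "medium", "high", "critical"]
SARIF_LEVEL = {"low": "note", "medium": "warning", "high": "error", "critical": "error"}

# Constructed sample findings, in the simplified shape this example assumes.
SAMPLE_FINDINGS = [
    {"package": "requests", "version": "2.31.0", "rule": "maintainer-change",
     "severity": "medium", "message": "new maintainer added shortly before release"},
    {"package": "reqeusts", "version": "0.0.1", "rule": "typosquat",
     "severity": "critical", "message": "name is 1 edit from 'requests'"},
    {"package": "flask", "version": "3.0.0", "rule": "metadata-quality",
     "severity": "low", "message": "no project URL declared"},
]


def exceeds(severity: str, threshold: str) -> bool:
    """True when `severity` is at or above `threshold` in SEVERITY_ORDER."""
    return SEVERITY_ORDER.index(severity) >= SEVERITY_ORDER.index(threshold)


def gate(findings, threshold: str = "high") -> int:
    """Exit code for a CI step: 0 when nothing reaches the threshold, 1 otherwise."""
    if threshold not in SEVERITY_ORDER:
        raise ValueError(f"unknown threshold {threshold!r}")
    blocking = [f for f in findings if exceeds(f["severity"], threshold)]
    return 1 if blocking else 0


def to_sarif(findings, tool_name="provchain-example", requirements="requirements.txt") -> dict:
    """Minimal SARIF 2.1.0 log: one rule entry per distinct rule id, one result per
    finding, each result located at the requirements file it came from."""
    rules, results = {}, []
    for f in findings:
        rules.setdefault(f["rule"], {"id": f["rule"], "shortDescription": {"text": f["rule"]}})
        results.append({
            "ruleId": f["rule"],
            "level": SARIF_LEVEL[f["severity"]],
            "message": {"text": f"{f['package']}=={f['version']}: {f['message']}"},
            "locations": [{"physicalLocation": {"artifactLocation": {"uri": requirements}}}],
        })
    return {
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "version": "2.1.0",
        "runs": [{"tool": {"driver": {"name": tool_name, "rules": list(rules.values())}},
                  "results": results}],
    }


def main(argv=None) -> int:
    parser = argparse.ArgumentParser(description="CI gate over sample findings")
    parser.add_argument("--threshold", default="high", choices=SEVERITY_ORDER)
    parser.add_argument("--format", default="json", choices=["json", "sarif"])
    args = parser.parse_args(argv)
    report = to_sarif(SAMPLE_FINDINGS) if args.format == "sarif" else SAMPLE_FINDINGS
    print(json.dumps(report, indent=2))
    return gate(SAMPLE_FINDINGS, args.threshold)


if __name__ == "__main__":
    sys.exit(main())  # non-zero exit is what fails the pipeline step
```

Run it as `python ci_gate.py --threshold medium --format sarif > results.sarif` and the exit status carries the decision while the SARIF file carries the detail; keeping those two concerns separate is what lets the same output feed both a build gate and a code-scanning dashboard.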

Configuration

Initialize Configuration

# Create default configuration file
provchain config init

Set Configuration Values

# Set a string value
provchain config set general.threshold high

# Set a list value (JSON array format)
provchain config set general.analyzers '["typosquat", "maintainer"]'

# Set a boolean value
provchain config set behavior.enabled true

# Set an integer value
provchain config set general.cache_ttl 48

View Configuration

# Show current configuration
provchain config show

# Validate configuration
provchain config validate

Configuration File

The configuration file is located at ~/.provchain/config.toml:

[general]
threshold = "medium"
analyzers = ["typosquat", "maintainer", "metadata", "install_hooks", "behavior"]
cache_ttl = 24

[behavior]
enabled = true
timeout = 60
network_policy = "monitor"

[watchdog]
check_interval = 60

[output]
format = "table"
verbosity = "normal"
color = true
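The `config set` commands above take plain strings on the command line but the file stores typed TOML values, and `config validate` has to reject a threshold like `"extreme"` or a `cache_ttl` of `true`. The following is an added example, not ProvChain's configuration code: it coerces a CLI string into a typed value (JSON first, falling back to a plain string), writes it under a dotted key, and validates the result against a schema inferred from the sample file above. The allowed values for `network_policy` and `verbosity`, and the positivity rule for integers, are assumptions; only the keys and defaults come from the page.

```python
"""Typed `config set` and schema validation for a ProvChain-style config (added example)."""
import json
from copy import deepcopy

# Schema assumed from the sample config file: dotted key -> (type, allowed values or None).
SCHEMA = {
    "general.threshold": (str, {"low", "medium", "high", "critical"}),
    "general.analyzers": (list, {"typosquat", "maintainer", "metadata", "install_hooks", "behavior"}),
    "general.cache_ttl": (int, None),
    "behavior.enabled": (bool, None),
    "behavior.timeout": (int, None),
    "behavior.network_policy": (str, {"monitor", "block", "allow"}),  # assumed policy names
    "watchdog.check_interval": (int, None),
    "output.format": (str, {"table", "json", "sarif", "markdown"}),
    "output.verbosity": (str, {"quiet", "normal", "verbose"}),  # assumed levels
    "output.color": (bool, None),
}

# The defaults shown on the project page, as a parsed TOML document would yield them.
DEFAULT_CONFIG = {
    "general": {"threshold": "medium",
                "analyzers": ["typosquat", "maintainer", "metadata", "install_hooks", "behavior"],
                "cache_ttl": 24},
    "behavior": {"enabled": True, "timeout": 60, "network_policy": "monitor"},
    "watchdog": {"check_interval": 60},
    "output": {"format": "table", "verbosity": "normal", "color": True},
}


def coerce(raw: str):
    """Turn a CLI string into a typed value: JSON gives lists, ints and true/false;
    anything that is not valid JSON (such as `high`) stays a plain string."""
    try:
        return json.loads(raw)
    except json.JSONDecodeError:
        return raw


def set_value(config: dict, dotted: str, raw: str) -> dict:
    """Return a copy of `config` with `section.key` set to the coerced value."""
    section, _, key = dotted.partition(".")
    if not section or not key:
        raise ValueError(f"key must be section.key, got {dotted!r}")
    new = deepcopy(config)
    new.setdefault(section, {})[key] = coerce(raw)
    return new


def flatten(config: dict):
    for section, keys in config.items():
        for key, value in keys.items():
            yield f"{section}.{key}", value


def validate(config: dict) -> list:
    """Return a list of human-readable problems; empty means the config is valid."""
    errors = []
    for dotted, value in flatten(config):
        spec = SCHEMA.get(dotted)
        if spec is None:
            errors.append(f"{dotted}: unknown key")
            continue
        typ, allowed = spec
        # bool is a subclass of int in Python, so check it explicitly first.
        if isinstance(value, bool) and typ is not bool:
            errors.append(f"{dotted}: expected {typ.__name__}, got bool")
        elif not isinstance(value, typ):
            errors.append(f"{dotted}: expected {typ.__name__}, got {type(value).__name__}")
        elif allowed is not None:
            values = value if isinstance(value, list) else [value]
            bad = [v for v in values if v not in allowed]
            if bad:
                errors.append(f"{dotted}: unsupported value(s) {bad}")
        elif typ is int and value <= 0:
            errors.append(f"{dotted}: must be a positive integer")
    return errors


if __name__ == "__main__":
    cfg = set_value(DEFAULT_CONFIG, "general.cache_ttl", "48")
    cfg = set_value(cfg, "general.analyzers", '["typosquat", "maintainer"]')
    print("valid:", validate(cfg) == [])
    print("errors:", validate(set_value(cfg, "general.threshold", "extreme")))
```

Validating the typed value rather than the raw string is the point: `"48"` and `"true"` both arrive as text, and only after coercion can the validator tell a TTL from a flag.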

Requirements

  • Python 3.10+
  • 512MB RAM (minimum)
  • 100MB disk space
  • Docker (optional, for behavioral analysis)

Design Principles

  • Offline-First: Core functionality works without network; cloud features are additive
  • Zero Config Start: pip install provchain && provchain vet flask works immediately
  • Privacy by Default: No telemetry without opt-in; local analysis preferred
  • Extensible: Plugin system for custom analyzers, reporters, and integrations
  • CI/CD Native: Exit codes, JSON output, and SARIF support for automation

License

Apache 2.0

Contributing

Contributions are welcome! Please see our contributing guidelines for more information.

Documentation

For detailed documentation, see:



Download files

Download the file for your platform.

Source Distribution

provchain-1.3.1.tar.gz (103.5 kB)

Uploaded Source

Built Distribution


provchain-1.3.1-py3-none-any.whl (128.4 kB)

Uploaded Python 3

File details

Details for the file provchain-1.3.1.tar.gz.

File metadata

  • Download URL: provchain-1.3.1.tar.gz
  • Upload date:
  • Size: 103.5 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for provchain-1.3.1.tar.gz
Algorithm Hash digest
SHA256 e0305592ce71789e7784b486d42833a6e1905818ffb774cb9fed322f292749c7
MD5 c40e055efca47c95c615c12e350454d9
BLAKE2b-256 c794d2f70cea78da93010fffb5b085f43320c69979194026e8ff798f4b234b2d


File details

Details for the file provchain-1.3.1-py3-none-any.whl.

File metadata

  • Download URL: provchain-1.3.1-py3-none-any.whl
  • Upload date:
  • Size: 128.4 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for provchain-1.3.1-py3-none-any.whl
Algorithm Hash digest
SHA256 d75dfaf5c23d509c5e1082bc756f45b311ef0c58e4debe8510ae38b5f0c7eb3f
MD5 2f4d1ac2f208d20d804670f9618b719c
BLAKE2b-256 49da142ace6c26ec5939745a9256e6426016ce18c4310a07516994e744436177

