Protect your dependencies from supply chain attacks.
🛡️ SafeDep: Your Dependency Guardian
SafeDep is an open-source tool designed to protect developers from Supply Chain Attacks. It analyzes packages and dependencies for malicious behavior, data exfiltration, and hidden vulnerabilities before you even install them.
"Don't just scan for known vulnerabilities. Detect suspicious behavior."
✨ Why SafeDep?
The package ecosystem (PyPI, NPM, Cargo) is under constant attack from Typosquatting, Dependency Injection, and Trojan Horses. SafeDep goes beyond standard vulnerability databases (CVEs) by analyzing both the static and dynamic behavior of the code.
Key Features
- 🔍 Pre-install Sandbox: Runs installation scripts in an isolated environment to monitor what they attempt to access.
- 📡 Network Monitor: Alerts you if a "text processing" package tries to make requests to unknown IP addresses.
- 🔑 Secret Leak Detection: Identifies if a package attempts to read your environment variables (.env) or API keys.
- 🏷️ Typosquatting Protection: Checks if a package name is dangerously similar to a popular one.
🛠️ Getting Started
To use SafeDep locally, clone the repository and install it in editable mode:
# Create a virtual environment
python3 -m venv venv
source venv/bin/activate
# Install dependencies
pip install -r requirements.txt
# Install SafeDep in editable mode (so code changes are reflected immediately)
pip install -e .
Sandbox Requirements
For behavioral analysis, Docker or Podman must be installed and running.
# Check if docker is available
docker --version
🚀 How to Use (CLI)
SafeDep provides several commands:
1. Check a package before installing
Analyzes a package (remote) for typosquatting and reputation risks.
Python (default):
safedep check <package_name>
Python Typosquatting Example:
# Detects similarity to 'requests'
safedep check requesst
NPM:
safedep check <package_name> --ecosystem npm
Cargo (Rust):
safedep check <package_name> --ecosystem cargo
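A name-similarity check of the kind described above, as an added example (not SafeDep's own code). The `POPULAR` list, the function names and the distance threshold are assumptions made for illustration.

```python
import re

# Constructed sample; a real check would load a much larger popularity list.
POPULAR = {"requests", "numpy", "pandas", "urllib3", "python-dateutil"}


def normalize(name):
    """PEP 503 normalization: lowercase, runs of '-', '_', '.' become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def osa_distance(a, b):
    """Edit distance counting insert, delete, substitute and adjacent swap."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = int(a[i - 1] != b[j - 1])
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # swapped neighbours
    return d[-1][-1]


def typosquat_candidates(name, popular=POPULAR, max_distance=1):
    """Return (popular_name, distance) pairs the given name could be imitating."""
    candidate = normalize(name)
    known = {normalize(p) for p in popular}
    if candidate in known:
        return []  # the name is the popular package itself
    hits = []
    for target in sorted(known):
        # Also compare with separators removed: "pythondateutil" vs "python-dateutil".
        dist = min(osa_distance(candidate, target),
                   osa_distance(candidate.replace("-", ""), target.replace("-", "")))
        if dist <= max_distance:
            hits.append((target, dist))
    return hits


if __name__ == "__main__":
    for pkg in ("requesst", "requests", "pythondateutil", "flask"):
        print(pkg, typosquat_candidates(pkg))
```

Counting an adjacent swap as one edit is what puts `requesst` at distance 1 from `requests`; plain Levenshtein distance would score it 2 and a threshold of 1 would miss it.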
2. Scan a local directory
Scans local files (Python, JS, TS, NPM, Cargo) for dangerous code patterns or suspicious dependencies (in requirements.txt, package.json, Cargo.toml).
SafeDep automatically excludes common dependency and internal directories like venv, node_modules, and .git to focus on your project's source code.
safedep scan <path_to_directory>
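A static scan for dangerous calls in Python sources, skipping the directories named above, as an added example (not SafeDep's own code). The `DANGEROUS_CALLS` rule set and all function names are assumptions; the README does not list the patterns the tool checks.

```python
import ast
import os

EXCLUDED_DIRS = {"venv", "node_modules", ".git"}  # directories the README says are skipped
# Assumed rule set for illustration only.
DANGEROUS_CALLS = {"eval", "exec", "compile", "__import__", "os.system", "os.popen",
                   "subprocess.Popen", "subprocess.run", "subprocess.call"}

# Constructed sample input: two real calls and one harmless string literal.
SAMPLE = 'import os\nos.system("id")\nx = eval(data)\nprint("eval(1)")\n'


def dotted_name(node):
    """Turn a call target such as os.system into the string 'os.system'."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None  # target is an expression (e.g. a call result), not a plain name


def scan_source(source, filename="<string>"):
    """Return sorted (filename, line, call) findings for one source string."""
    try:
        tree = ast.parse(source, filename=filename)
    except SyntaxError as exc:
        return [(filename, exc.lineno or 0, "unparseable")]  # surface it, do not skip
    findings = [(filename, node.lineno, dotted_name(node.func))
                for node in ast.walk(tree)
                if isinstance(node, ast.Call) and dotted_name(node.func) in DANGEROUS_CALLS]
    return sorted(findings)


def scan_tree(root):
    """Scan every .py file under root, pruning excluded directories in place."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in EXCLUDED_DIRS]
        for fn in sorted(filenames):
            if fn.endswith(".py"):
                path = os.path.join(dirpath, fn)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings += scan_source(fh.read(), path)
    return findings


if __name__ == "__main__":
    print(scan_source(SAMPLE, "setup.py"))
```

Working on the syntax tree means the string `"eval(1)"` in the sample is not reported, which a text search would flag. Aliased imports such as `import os as o` are not resolved by this sketch.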
3. Behavioral Analysis (Sandbox)
Runs a package installation in a Docker container and monitors for suspicious system calls.
Python:
safedep check <package_name> --sandbox
NPM:
safedep check <package_name> --ecosystem npm --sandbox
Cargo:
safedep check <package_name> --ecosystem cargo --sandbox
🗺️ Development Roadmap
Phase 1: Foundation (MVP) - "The Scanner" ✅ (Implemented)
- ✅ Implementation of name similarity analysis (Anti-Typosquatting).
- ✅ Reputation verification (package creation date, author history).
- ✅ Static code scanner for dangerous functions.
Phase 2: Intelligence (Beta) - "The Behavioralist" 🧠 ✅ (Implemented)
- ✅ Sandboxing: Integration with Docker/Podman to run setup.py and monitor system calls (syscalls).
- ✅ Multi-language Support: Support for NPM (Node.js) and Cargo (Rust) in addition to Python.
- ✅ CI/CD Integration: GitHub Actions to block PRs with suspicious dependencies.
Phase 3: Community and Sustainability - "The Shield" 🛡️ [/] (In Progress)
- SafeDep Hub: A community-driven database of "audited and clean" packages.
- Security Badges: A system for repositories to display security trust seals.
- [/] Sponsorship Program: Launching the Sponsors program to maintain the heavy analysis infrastructure.
🛡️ The Shield: SafeDep Hub
The SafeDep Hub is a crowdsourced database of packages that have been manually audited by the community and verified as safe.
How it works:
- When you run safedep check <package>, the tool queries the Hub.
- If the package is found, you'll see the SafeDep Shield and a Markdown snippet to add a trust badge to your repo.
- Contributions are made via Pull Requests to the hub/audited_packages.json file.
Get your Security Badge
If your package is audited, display your trust seal:
[](https://github.com/marcioreck/safedep)
🤝 Contribute & Sponsor
SafeDep is an open-source initiative with zero-cost marketing. We rely on community audits to grow "The Shield".
How to Help
- Audit a Package: Submit a PR to the Hub.
- Give a ⭐: Help us reach more developers.
- Report Bugs: Help us improve the scanner.
- Become a Sponsor: Support the infrastructure for deep behavioral analysis.
Developed for those who prioritize security.
File details
Details for the file safedep-0.1.2.tar.gz.
File metadata
- Download URL: safedep-0.1.2.tar.gz
- Upload date:
- Size: 13.7 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | c675235891adb14c931051a1fdc81f475ac97e8a8f8c54893321f14c526ae9fd |
| MD5 | 8895b83849712b3f25fe3081ec402eee |
| BLAKE2b-256 | 89a0960520ce68ce26487dfe00f819cf62d31df6820d035051acba87b0626c42 |
File details
Details for the file safedep-0.1.2-py3-none-any.whl.
File metadata
- Download URL: safedep-0.1.2-py3-none-any.whl
- Upload date:
- Size: 15.4 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.1.0 CPython/3.13.7
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | d137a32d6df5ff8c9685f680662665464a5b9130218329746cf3435f27e19103 |
| MD5 | 40377240326e76d0d3646622dd72df1d |
| BLAKE2b-256 | 4ee6c3b3d91f61716973a27f23fd35ecf1a20a925c2f64893e2c311d535a6f2f |