Pre-commit hook for scanning dependencies against supply chain attacks
Project description
stillrunning-pre-commit
Pre-commit hook for scanning Python and Node.js dependencies against supply chain attacks.
Installation
Add to your .pre-commit-config.yaml:
```yaml
repos:
  - repo: https://github.com/johhnyg/stillrunning-pre-commit
    rev: v1.0.0
    hooks:
      - id: stillrunning
```
Then install:
```shell
pre-commit install
```
What It Scans
- requirements.txt, requirements-dev.txt, etc.
- package.json, package-lock.json
- Pipfile
- pyproject.toml
- setup.py (install_requires)
Configuration
Create ~/.stillrunning/config.json:
```json
{
  "token": "sr_your_token_here",
  "block_dangerous": true,
  "block_suspicious": false
}
```
Or set the STILLRUNNING_TOKEN environment variable.
Example Output
```text
🛡️ stillrunning security scan
Scanning 15 packages from requirements.txt
✅ CLEAN requests==2.31.0
⚠️ SUSPICIOUS sketchy-lib==1.0.0 (score: 65)
   → Obfuscated code patterns detected
🚫 DANGEROUS evil-pkg==0.1.0 (score: 95)
   → Known malicious package (reverse shell)
❌ 1 dangerous package(s) found — commit blocked
```
Free vs Paid
| Feature | Free | With Token |
|---|---|---|
| Known malicious packages | Unlimited | Unlimited |
| Threat feed database | Unlimited | Unlimited |
| AI analysis of unknown packages | - | 100-10000/day |
Get a token at stillrunning.io/pricing
Options
The hook accepts these options in .pre-commit-config.yaml:
```yaml
hooks:
  - id: stillrunning
    stages: [commit]  # or [push] for push-time scanning
```
Skip Hook
To skip the hook for a single commit:
```shell
SKIP=stillrunning git commit -m "message"
```
Manual Usage
```shell
pip install stillrunning-pre-commit
stillrunning-check requirements.txt package.json
```
License
MIT
Download files
File details
Details for the file stillrunning_pre_commit-1.0.0.tar.gz.
File metadata
- Download URL: stillrunning_pre_commit-1.0.0.tar.gz
- Upload date:
- Size: 5.3 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 9d6ef69754942ef829893bec55266d2cadc1249aa86373cd4b84a63be3c6fe73 |
| MD5 | 6a46a0c72748706b6b498975e12ebb88 |
| BLAKE2b-256 | 5ea95e4a16db80f20b37cbec9bcc457f89ef3e856d399a83f4d8d2e67117a4c2 |
File details
Details for the file stillrunning_pre_commit-1.0.0-py3-none-any.whl.
File metadata
- Download URL: stillrunning_pre_commit-1.0.0-py3-none-any.whl
- Upload date:
- Size: 5.8 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.12.3
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | d69cb612e894302c56edd36a4bebf07b78adbee2d9e9c025ef3246ff8a1cfe3d |
| MD5 | ae20cbefb51919c97c7c00a6841012e7 |
| BLAKE2b-256 | a06920686946d647743802b45fec52fc164735ff05fe436fbb3c0c75d894547b |