A lightweight OS-level supply chain attack guard for Python
Project description
supply_chain_guard https://pypi.org/project/supply-chain-guard/
🛡 Features
- Import Interception: Blocks unauthorized access to sensitive environment variables (e.g., AWS_SECRET_ACCESS_KEY, DATABASE_URL) during package initialization.
- File System Guard: Prevents third-party packages from reading sensitive files like ~/.ssh/id_rsa or ~/.aws/credentials.
- OS-level Telemetry & Execution Prevention: Uses Python's native Audit Hooks (PEP 578) to actively block remote code execution (os.system, subprocess) and reverse shell network connections (socket.connect) at the moment a suspicious package is imported.
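How the audit-hook blocking listed above can work, as an added example that is not supply_chain_guard's own code: a `sys.addaudithook` policy enforced only while an untrusted module initialises. The event list, the path suffixes, `import_untrusted` and `SAMPLE_INIT` are assumptions constructed for illustration.

```python
import os
import sys
import types

# Constructed policy for this example; not the package's own lists.
BLOCKED_EVENTS = {"os.system", "subprocess.Popen", "socket.connect"}
SENSITIVE_SUFFIXES = (os.path.join(".ssh", "id_rsa"),
                      os.path.join(".aws", "credentials"))
_active = False  # audit hooks cannot be removed, so enforcement is toggled
denied = []      # events refused while the guard was active

def _hook(event, args):
    if not _active:
        return
    if event == "open" and isinstance(args[0], (str, bytes, os.PathLike)):
        path = os.path.abspath(os.path.expanduser(os.fsdecode(args[0])))
        if not path.endswith(SENSITIVE_SUFFIXES):
            return
    elif event not in BLOCKED_EVENTS:
        return
    denied.append(event)
    raise PermissionError(f"{event} blocked during guarded import")

sys.addaudithook(_hook)

# Constructed, benign stand-in for an untrusted package's __init__.py.
SAMPLE_INIT = '''
import os, socket, subprocess
for attempt in (lambda: os.system("true"),
                lambda: subprocess.Popen(["true"]),
                lambda: open(os.path.expanduser("~/.ssh/id_rsa")),
                lambda: socket.socket().connect(("127.0.0.1", 9))):
    try:
        attempt()
    except Exception:
        pass  # the package hides the error; the call still never ran
'''

def import_untrusted(source, name="untrusted_pkg"):
    """Run `source` as module `name` under the guard; return refused events."""
    global _active
    module = types.ModuleType(name)
    denied.clear()
    _active = True
    try:
        exec(compile(source, f"<{name}>", "exec"), module.__dict__)
    finally:
        _active = False
    return list(denied)
```

The hook raises before the audited operation starts, so the calls never execute even though the sample swallows every exception. Reading an environment variable raises no audit event, so that part of the protection cannot be built on audit hooks alone.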
🚀 Installation
Install the package via pip:
pip install supply-chain-guard
🛡️ Usage
Option 1: Direct Import
Import the guard at the very first line of your entry point script (main.py, app.py, etc.) to protect your application:
import supply_chain_guard # Protection starts here
import requests
# ... your other imports
Option 2: Protect Environment
- Run 'setup_protection.sh' in your environment. Your repository stays protected as long as you use this (virtual) environment
chmod +x ./setup_protection.sh
- Execute setup_protection.sh
./setup_protection.sh
Option 3: Protecting Jupyter Notebook Servers
If you manage a Jupyter server for students or a team, you can enforce security globally. This ensures that every notebook is protected, even if users try to install malicious packages themselves.
Steps for Administrator:
- Install the package in the Python environment used by your Jupyter server:
pip install supply-chain-guard
- Get the startup directory for IPython Notebook:
ipython -c "from IPython import get_ipython; print(get_ipython().profile_dir.startup_dir)"
- Create '0_force_imports.py' in that directory:
# ~/.ipython/profile_default/startup/0_force_imports.py
try:
    import supply_chain_guard
    print("✅ Supply Chain Guard installed")
except ImportError as e:
    print(f"⚠️ Import Not implemented: {e}")
- Restart the IPython Notebook server; it will force 'supply_chain_guard' into all Jupyter kernels
Installation by hand
python3 -m venv venv
source venv/bin/activate
pip install -e .
Installing the test packages
pip install -e test_package/clean_pkg
pip install -e test_package/malware_pkg
pip install -e test_package/sheep_package # depends on the 'malicious' wolf_package
File details
Details for the file supply_chain_guard-0.2.0.tar.gz.
File metadata
- Download URL: supply_chain_guard-0.2.0.tar.gz
- Upload date:
- Size: 5.0 kB
- Tags: Source
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.9.6
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | d321d3fff31f4fc55a0c74845a144adf02bc58f92d3ef0d0523618c3d56d8298 |
| MD5 | 43acf0dd3d161e0760c3d69c2c2bda33 |
| BLAKE2b-256 | dc4e3c86cfdad85ed17afa72e4c56a36774b862080084bccb1287a94192ce7d0 |
File details
Details for the file supply_chain_guard-0.2.0-py3-none-any.whl.
File metadata
- Download URL: supply_chain_guard-0.2.0-py3-none-any.whl
- Upload date:
- Size: 5.2 kB
- Tags: Python 3
- Uploaded using Trusted Publishing? No
- Uploaded via: twine/6.2.0 CPython/3.9.6
File hashes
| Algorithm | Hash digest |
|---|---|
| SHA256 | 81461b485326ff5a15448a9416de3764c024de9279811bb745d6ae8fc3751373 |
| MD5 | ac0eb123192613537790e08e4ce0b683 |
| BLAKE2b-256 | 6811879a6df324f29c1e2854ad66e6308c24b693a3a8ca4676a63dcd5fbb8845 |