CLI tool for auditing open-source packages: version, CVEs, downloads, and replacement validation

Navigation

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for rdwj from gravatar.com rdwj

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Wes Jackson
  • Tags audit , cve , dependencies , packages , security
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers
Report project as malware

Project description

veripak

CLI tool for auditing open-source packages.

Install

pip install veripak

Setup

vpk is available as a shorthand alias for veripak in all commands below.

veripak config

Configures your LLM backend (Ollama, Anthropic, OpenAI, or vLLM self-hosted), Tavily API key, and optional NVD API key.

Usage

# Check a single package
veripak check django --ecosystem python

# Include versions in use for CVE matching
veripak check log4j --ecosystem java --versions 2.14.0,2.15.0

# Machine-readable JSON
veripak check openssl --ecosystem c --json

# Skip CVE check (faster)
veripak check requests --ecosystem python --no-cves

Additional flags not shown above: --replacement (known replacement package name), --release-notes-url, --repository-url, --homepage, --download-url (supply known URLs to skip discovery), --no-download (skip download validation), and --no-summary (skip AI security summary). Run veripak check --help for the full list.

How It Works

                    +-------------------------+
                    |      PACKAGE INPUT      |
                    |  name, versions_in_use, |
                    |  urls, replacement_name |
                    +-----------+-------------+
                                |
                    +-----------v-------------+
                    |   E0: ECOSYSTEM AGENT   |
                    |                         |
                    |  1. LLM: "What is this?"|
                    |     -> "java" (instant)  |
                    |                         |
                    |  2. Validate: probe     |
                    |     Maven/PyPI/npm/etc  |
                    |     -> confirmed        |
                    |                         |
                    |  3. If no hit: Tavily   |
                    |     search to confirm   |
                    +-----------+-------------+
                                |
                  +-------------+-------------+
                  |       FORK (parallel)     |
                  |                           |
         +--------v--------+     +------------v-----------+
         |  TRACK A        |     |  TRACK B               |
         |                 |     |                        |
         |  N1: VERSION    |     |  EOL AGENT             |
         |  (registry API) |     |  (single agentic loop) |
         |       |         |     |                        |
         |       v         |     |  - Is version EOL?     |
         |  N2: DOWNLOAD   |     |  - Is project dead?    |
         |   discovery     |     |  - What's the          |
         |       |         |     |    replacement?        |
         |       v         |     |                        |
         |  N3: DOWNLOAD   |     |                        |
         |   validation    |     +------------+-----------+
         +--------+--------+                  |
                  +-------------+-------------+
                                |
                          JOIN  |
                                |
                  +-------------+-------------+
                  |       FORK (parallel)     |
                  |                           |
         +--------v--------+     +------------v-----------+
         |  TRACK C        |     |  TRACK D               |
         |                 |     |                        |
         |  N5: REPLACEMENT|     |  CVE AGENT             |
         |  VALIDATION     |     |  (agentic loop)        |
         |  (only if EOL   |     |                        |
         |   agent found   |     |  Uses: version from    |
         |   a replacement |     |  Track A, EOL status   |
         |   to validate)  |     |  from Track B          |
         +--------+--------+     +------------+-----------+
                  |                            |
                  +-------------+--------------+
                                |
                          JOIN  |
                                |
                    +-----------v-------------+
                    |  N6: SUMMARY AGENT      |
                    |                         |
                    |  All raw results +      |
                    |  deterministic guards + |
                    |  HITL flags propagated  |
                    +-----------+-------------+
                                |
                    +-----------v-------------+
                    |    FINAL RESULT JSON    |
                    +-------------------------+

Four specialized LLM agents (Ecosystem, EOL, CVE, Summary) replace fixed code paths, enabling reasoning about gaps and iterating on incomplete results. The agents use tools (registry probes, web search, GitHub API, advisory page fetching) and can flag fields for human review when data sources are inaccessible or signals are contradictory. Tracks A+B and C+D run in parallel via ThreadPoolExecutor for wall-clock speedup without async complexity.

Supported ecosystems

Ecosystem Version source CVE source
python PyPI API OSV.dev
javascript npm registry OSV.dev
java Maven Central OSV.dev
go Go proxy OSV.dev
dotnet NuGet API OSV.dev
perl MetaCPAN OSV.dev
php Packagist OSV.dev
c, cpp, system, desktop-app, driver Tavily + LLM NVD API

LLM backends

veripak uses a local or hosted LLM to extract version information from web search results for non-programmatic ecosystems (C, C++, system packages, etc.).

Supported backends: Ollama (default), Anthropic, OpenAI, vLLM (self-hosted).

Changelog

0.2.0

  • Parallel agent-based pipeline (v2) replacing serial checker pipeline
  • Token usage tracking and cost estimation
  • Agent budget exhaustion handling
  • EOL cross-pollination from EOL agent to version track
  • Summary prompt refinements for accuracy
  • Project automation: CLAUDE.md, /create-release slash command, .claude/ configuration

0.1.0

  • Initial release with hybrid agent/checker architecture
  • CLI with veripak check and veripak config commands
  • Support for Ollama, Anthropic, OpenAI, and vLLM backends
  • CI/CD pipeline with GitHub Actions and PyPI trusted publishing

Project details

Verified details

These details have been verified by PyPI
Project links
GitHub Statistics
Maintainers
Avatar for rdwj from gravatar.com rdwj

Unverified details

These details have not been verified by PyPI
Meta
  • License: MIT License (MIT)
  • Author: Wes Jackson
  • Tags audit , cve , dependencies , packages , security
  • Requires: Python >=3.10
  • Provides-Extra: dev
Classifiers

Release history Release notifications | RSS feed

0.6.3

0.6.2

0.6.1

0.6.0

0.5.0

0.4.1

0.4.0

0.3.1

0.3.0

0.2.1

This version

0.2.0

0.1.0

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

veripak-0.2.0.tar.gz (75.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

veripak-0.2.0-py3-none-any.whl (70.1 kB view details)

Uploaded Python 3

File details

Details for the file veripak-0.2.0.tar.gz.

File metadata

  • Download URL: veripak-0.2.0.tar.gz
  • Upload date:
  • Size: 75.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for veripak-0.2.0.tar.gz
Algorithm Hash digest
SHA256 7851e6238b9c4d00f329633a4ae16899c830131373593f314334f08815fd44ea
MD5 c005a462fb89f8c415daae2919e789a3
BLAKE2b-256 03632760293de79d20e663f93c5a4c10526eab7bd338e22f285057f77bc48062

See more details on using hashes here.

Provenance

The following attestation bundles were made for veripak-0.2.0.tar.gz:

Publisher: release.yml on rdwj/veripak

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file veripak-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: veripak-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 70.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for veripak-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 39fe2e64796295f9593ecfd3eb5aa83a5bf8e599b36b32dc6b03c400a3c6b38b
MD5 5dfdb55abfdf1502cf318b025348422c
BLAKE2b-256 6e619643e20a21fe851870e518209d3572d49fbd07fa24ed8b48b19a776f66fb

See more details on using hashes here.

Provenance

The following attestation bundles were made for veripak-0.2.0-py3-none-any.whl:

Publisher: release.yml on rdwj/veripak

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page