
CLI tool for auditing open-source packages: version, CVEs, downloads, and replacement validation

Project description

veripak

CLI tool for auditing open-source packages.

Install

pip install veripak

Setup

vpk is available as a shorthand alias for veripak in all commands below.

veripak config

Configures your LLM backend (Ollama, Anthropic, OpenAI, or vLLM self-hosted), Tavily API key, and optional NVD API key.

Usage

# Check a single package
veripak check django --ecosystem python

# Include versions in use for CVE matching
veripak check log4j --ecosystem java --versions 2.14.0,2.15.0

# Machine-readable JSON
veripak check openssl --ecosystem c --json

# Skip CVE check (faster)
veripak check requests --ecosystem python --no-cves

Additional flags not shown above: --replacement (known replacement package name), --release-notes-url, --repository-url, --homepage, --download-url (supply known URLs to skip discovery), --no-download (skip download validation), and --no-summary (skip AI security summary). Run veripak check --help for the full list.

How It Works

                    +-------------------------+
                    |      PACKAGE INPUT      |
                    |  name, versions_in_use, |
                    |  urls, replacement_name |
                    +-----------+-------------+
                                |
                    +-----------v-------------+
                    |   E0: ECOSYSTEM AGENT   |
                    |                         |
                    |  1. LLM: "What is this?"|
                    |     -> "java" (instant) |
                    |                         |
                    |  2. Validate: probe     |
                    |     Maven/PyPI/npm/etc  |
                    |     -> confirmed        |
                    |                         |
                    |  3. If no hit: Tavily   |
                    |     search to confirm   |
                    +-----------+-------------+
                                |
                  +-------------+-------------+
                  |       FORK (parallel)     |
                  |                           |
         +--------v--------+     +------------v-----------+
         |  TRACK A        |     |  TRACK B               |
         |                 |     |                        |
         |  N1: VERSION    |     |  EOL AGENT             |
         |  (registry API) |     |  (single agentic loop) |
         |       |         |     |                        |
         |       v         |     |  - Is version EOL?     |
         |  N2: DOWNLOAD   |     |  - Is project dead?    |
         |   discovery     |     |  - What's the          |
         |       |         |     |    replacement?        |
         |       v         |     |                        |
         |  N3: DOWNLOAD   |     |                        |
         |   validation    |     +------------+-----------+
         +--------+--------+                  |
                  +-------------+-------------+
                                |
                          JOIN  |
                                |
                  +-------------+-------------+
                  |       FORK (parallel)     |
                  |                           |
         +--------v--------+     +------------v-----------+
         |  TRACK C        |     |  TRACK D               |
         |                 |     |                        |
         |  N5: REPLACEMENT|     |  CVE AGENT             |
         |  VALIDATION     |     |  (agentic loop)        |
         |  (only if EOL   |     |                        |
         |   agent found   |     |  Uses: version from    |
         |   a replacement |     |  Track A, EOL status   |
         |   to validate)  |     |  from Track B          |
         +--------+--------+     +------------+-----------+
                  |                            |
                  +-------------+--------------+
                                |
                          JOIN  |
                                |
                    +-----------v-------------+
                    |  N6: SUMMARY AGENT      |
                    |                         |
                    |  All raw results +      |
                    |  deterministic guards + |
                    |  HITL flags propagated  |
                    +-----------+-------------+
                                |
                    +-----------v-------------+
                    |    FINAL RESULT JSON    |
                    +-------------------------+

Four specialized LLM agents (Ecosystem, EOL, CVE, Summary) replace fixed code paths, so the pipeline can reason about gaps in the data and iterate on incomplete results. The agents use tools (registry probes, web search, the GitHub API, advisory page fetching) and can flag individual fields for human review when a data source is inaccessible or signals contradict each other. Tracks A+B and C+D run in parallel via ThreadPoolExecutor, which gives a wall-clock speedup without async complexity.
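The fork/join shape of the diagram written out as an added example (this is not veripak's own code): two ThreadPoolExecutor stages, a track C that only runs when track B named a replacement, a guard that turns a failed data source into a human-review flag instead of a crash, and a summary step that applies deterministic checks to the merged results. The registry, EOL and advisory data are constructed in-memory stand-ins; the package names, versions, advisory id and result field names are all assumptions made for this example.

```python
from concurrent.futures import ThreadPoolExecutor

# Constructed stand-ins for the registry probes, EOL research and advisory
# lookups the real tracks perform. Package names, versions and the advisory
# id below are invented for this example.
REGISTRY = {
    "oldlib": {"latest": "1.4.2"},
    "newlib": {"latest": "3.0.1"},
    "midlib": {"latest": "0.9.0"},
}
EOL_DATA = {
    "oldlib": {"eol": True, "project_dead": True, "replacement": "newlib"},
    "midlib": {"eol": True, "project_dead": False, "replacement": "vaporlib"},
}
ADVISORIES = {
    "oldlib": [{"id": "EXAMPLE-ADV-0001", "affected_versions": ["1.0.0", "1.1.0", "1.2.0"]}],
}


def track_a_version(pkg):
    """N1: registry lookup. An unreachable or empty source raises; the
    pipeline converts that into a human-review flag instead of crashing."""
    if pkg not in REGISTRY:
        raise LookupError(f"{pkg}: no registry record")
    return {"latest": REGISTRY[pkg]["latest"]}


def track_b_eol(pkg):
    """EOL agent stand-in: EOL status, project liveness, suggested replacement."""
    return dict(EOL_DATA.get(pkg, {"eol": False, "project_dead": False, "replacement": None}))


def track_c_replacement(replacement):
    """N5: confirm the replacement named by track B actually exists in a registry."""
    return {"replacement_valid": replacement in REGISTRY}


def track_d_cves(pkg, versions_in_use, eol):
    """CVE agent stand-in: advisory ids per version in use. The EOL status from
    track B rides along so the summary can say whether an upstream fix is still expected."""
    advs = ADVISORIES.get(pkg, [])
    affected = {v: [a["id"] for a in advs if v in a["affected_versions"]] for v in versions_in_use}
    return {"affected": affected, "upstream_fix_expected": not eol}


def guarded(fn, *args):
    """Run one track, turning any failure into an error record so the join
    still completes and the summary can flag the field for review."""
    try:
        return fn(*args)
    except Exception as exc:  # source unreachable, malformed answer, budget exhausted
        return {"error": str(exc)}


def summarize(pkg, versions_in_use, a, b, c, d):
    """N6 stand-in: merge raw results and apply deterministic guards."""
    hitl = []
    if "error" in a:
        hitl.append("version")
    if b.get("eol") and b.get("replacement") and not c.get("replacement_valid"):
        hitl.append("replacement")  # an agent named a replacement no registry confirms
    if "error" in d:
        hitl.append("cves")
    return {
        "package": pkg,
        "versions_in_use": versions_in_use,
        "latest": a.get("latest"),
        "eol": b.get("eol"),
        "project_dead": b.get("project_dead"),
        "replacement": b.get("replacement"),
        "replacement_valid": c.get("replacement_valid"),
        "affected": d.get("affected", {}),
        "upstream_fix_expected": d.get("upstream_fix_expected"),
        "hitl_flags": hitl,
    }


def run_pipeline(pkg, versions_in_use):
    """Fork A+B, join, fork C+D (C only when B found a replacement), join, summarize."""
    with ThreadPoolExecutor(max_workers=2) as pool:
        fut_a = pool.submit(guarded, track_a_version, pkg)
        fut_b = pool.submit(guarded, track_b_eol, pkg)
        a, b = fut_a.result(), fut_b.result()
    with ThreadPoolExecutor(max_workers=2) as pool:
        fut_c = pool.submit(guarded, track_c_replacement, b["replacement"]) if b.get("replacement") else None
        fut_d = pool.submit(guarded, track_d_cves, pkg, versions_in_use, bool(b.get("eol")))
        c = fut_c.result() if fut_c else {"replacement_valid": None}
        d = fut_d.result()
    return summarize(pkg, versions_in_use, a, b, c, d)


if __name__ == "__main__":
    import json
    print(json.dumps(run_pipeline("oldlib", ["1.2.0", "1.4.2"]), indent=2))
```

The point of the guard is that a dead registry or an exhausted agent budget degrades one field to "needs human review" rather than aborting the whole check; the summary then decides from the merged results, never from a single track's view.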

Supported ecosystems

Ecosystem                              Version source    CVE source
python                                 PyPI API          OSV.dev
javascript                             npm registry      OSV.dev
java                                   Maven Central     OSV.dev
go                                     Go proxy          OSV.dev
dotnet                                 NuGet API         OSV.dev
perl                                   MetaCPAN          OSV.dev
php                                    Packagist         OSV.dev
c, cpp, system, desktop-app, driver    Tavily + LLM      NVD API
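For the OSV.dev-backed rows, an added example (not veripak's code) of the request body sent to OSV's /v1/query endpoint and of evaluating the response's affected ranges against several versions in use, which is what --versions calls for. The ecosystem-name mapping, the constructed sample response and the package name com.example:examplelib are assumptions; the request and response field names follow the public OSV schema (package.name, package.ecosystem, version, vulns[].affected[].ranges[].events).

```python
import json
import urllib.request

OSV_QUERY_URL = "https://api.osv.dev/v1/query"

# veripak ecosystem name -> OSV ecosystem string. Assumed mapping for this
# example; the page only states which ecosystems are backed by OSV.dev.
OSV_ECOSYSTEM = {
    "python": "PyPI", "javascript": "npm", "java": "Maven", "go": "Go",
    "dotnet": "NuGet", "perl": "CPAN", "php": "Packagist",
}


def build_query(name, ecosystem, version=None):
    """Body for POST /v1/query. Maven names are 'groupId:artifactId'.
    Without a version the query asks for every advisory recorded for the package."""
    if ecosystem not in OSV_ECOSYSTEM:
        raise ValueError(f"{ecosystem}: not an OSV-backed ecosystem")
    body = {"package": {"name": name, "ecosystem": OSV_ECOSYSTEM[ecosystem]}}
    if version is not None:
        body["version"] = version
    return body


def query_osv(name, ecosystem, version=None, timeout=10):
    """Live lookup (needs network); the matching below also works on a cached response."""
    data = json.dumps(build_query(name, ecosystem, version)).encode()
    req = urllib.request.Request(OSV_QUERY_URL, data=data, headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


def version_key(v):
    """Crude ordering for dotted numeric versions: numeric parts compare as
    integers, a '-pre' suffix sorts before the plain release. Real ecosystems
    need their own rules (PEP 440, semver, Maven)."""
    main, _, pre = v.partition("-")
    nums = tuple(int(p) if p.isdigit() else 0 for p in main.split("."))
    return (nums, 0 if pre else 1, pre)


def version_in_range(version, rng):
    """OSV ECOSYSTEM/SEMVER range semantics: each 'introduced' event opens an
    interval closed by the next 'fixed' (exclusive) or 'last_affected'
    (inclusive); an unclosed interval means no fix exists yet. GIT ranges hold
    commit hashes and cannot be evaluated against a version string."""
    if rng.get("type") not in ("ECOSYSTEM", "SEMVER"):
        return False
    key = version_key(version)
    intervals, lo = [], None
    for ev in rng.get("events", []):
        if "introduced" in ev:
            lo = ev["introduced"]
        elif lo is not None and "fixed" in ev:
            intervals.append((lo, ev["fixed"], False))
            lo = None
        elif lo is not None and "last_affected" in ev:
            intervals.append((lo, ev["last_affected"], True))
            lo = None
    if lo is not None:
        intervals.append((lo, None, False))
    for lo, hi, inclusive in intervals:
        if lo != "0" and key < version_key(lo):
            continue
        if hi is None or (key <= version_key(hi) if inclusive else key < version_key(hi)):
            return True
    return False


def affected_ids(osv_response, name, ecosystem, version):
    """Advisory ids affecting one version. Only 'affected' entries for the
    queried package count: one advisory can list several packages."""
    eco = OSV_ECOSYSTEM[ecosystem]
    ids = set()
    for vuln in osv_response.get("vulns", []):
        for aff in vuln.get("affected", []):
            pkg = aff.get("package", {})
            if pkg.get("name") != name or pkg.get("ecosystem") != eco:
                continue
            if version in aff.get("versions", []) or any(
                version_in_range(version, r) for r in aff.get("ranges", [])
            ):
                ids.add(vuln["id"])
    return sorted(ids)


def match_versions(osv_response, name, ecosystem, versions_in_use):
    """Per-version advisory list, the shape a --versions check needs."""
    return {v: affected_ids(osv_response, name, ecosystem, v) for v in versions_in_use}


# Constructed response in the OSV schema; package, ids and versions are invented.
_PKG = {"ecosystem": "Maven", "name": "com.example:examplelib"}
SAMPLE_OSV_RESPONSE = {"vulns": [
    {"id": "EXAMPLE-OSV-0001", "affected": [{"package": _PKG, "ranges": [
        {"type": "ECOSYSTEM", "events": [{"introduced": "0"}, {"fixed": "1.4.0"}]}]}]},
    {"id": "EXAMPLE-OSV-0002", "affected": [{"package": _PKG, "ranges": [
        {"type": "ECOSYSTEM", "events": [{"introduced": "1.4.0"}, {"last_affected": "1.4.2"}]}]}]},
    {"id": "EXAMPLE-OSV-0003", "affected": [{"package": _PKG, "versions": ["1.5.0"]}]},
    {"id": "EXAMPLE-OSV-0004", "affected": [{"package": {"ecosystem": "Maven", "name": "com.example:otherlib"},
        "ranges": [{"type": "ECOSYSTEM", "events": [{"introduced": "0"}]}]}]},
]}

if __name__ == "__main__":
    print(match_versions(SAMPLE_OSV_RESPONSE, "com.example:examplelib", "java",
                         ["1.3.9", "1.4.2", "1.5.0", "1.6.0"]))
```

Two details matter in practice: the package filter in affected_ids, because an OSV record can list several affected packages and only the queried one should count, and the distinction between fixed (exclusive upper bound) and last_affected (inclusive, no fix known), which is exactly the case an EOL package tends to be in.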

LLM backends

veripak uses a local or hosted LLM to extract version information from web search results for ecosystems that have no registry API to query (C, C++, system packages, etc.).

Supported backends: Ollama (default), Anthropic, OpenAI, vLLM (self-hosted).

Changelog

0.2.0

  • Parallel agent-based pipeline (v2) replacing serial checker pipeline
  • Token usage tracking and cost estimation
  • Agent budget exhaustion handling
  • EOL cross-pollination from EOL agent to version track
  • Summary prompt refinements for accuracy
  • Project automation: CLAUDE.md, /create-release slash command, .claude/ configuration

0.1.0

  • Initial release with hybrid agent/checker architecture
  • CLI with veripak check and veripak config commands
  • Support for Ollama, Anthropic, OpenAI, and vLLM backends
  • CI/CD pipeline with GitHub Actions and PyPI trusted publishing


Download files


Source Distribution

veripak-0.2.1.tar.gz (75.7 kB view details)

Uploaded Source

Built Distribution


veripak-0.2.1-py3-none-any.whl (70.1 kB view details)

Uploaded Python 3

File details

Details for the file veripak-0.2.1.tar.gz.

File metadata

  • Download URL: veripak-0.2.1.tar.gz
  • Size: 75.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for veripak-0.2.1.tar.gz
Algorithm Hash digest
SHA256 759b79c40bf54324913389734e3f43fe25e8043f48bca037d0731fd3c7a251b1
MD5 aaa0c2de14d2d701af711bd08763416c
BLAKE2b-256 48d3692c8b368033b58be4fe7473a9162bea0c6baa5d4aad2ae3a639dc4a9743


Provenance

The following attestation bundles were made for veripak-0.2.1.tar.gz:

Publisher: release.yml on rdwj/veripak

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.

File details

Details for the file veripak-0.2.1-py3-none-any.whl.

File metadata

  • Download URL: veripak-0.2.1-py3-none-any.whl
  • Size: 70.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? Yes
  • Uploaded via: twine/6.1.0 CPython/3.13.7

File hashes

Hashes for veripak-0.2.1-py3-none-any.whl
Algorithm Hash digest
SHA256 54759c71267febba94f355a85da3666ebc8d86a86c46aa4bab58186799e04033
MD5 c7cbffa0952dddb48dc247134ec18d63
BLAKE2b-256 bb67bb0ddc16c996a998b8379067cee9ae016ac686020d8f0647fbed3cd44537


Provenance

The following attestation bundles were made for veripak-0.2.1-py3-none-any.whl:

Publisher: release.yml on rdwj/veripak

Attestations: Values shown here reflect the state when the release was signed and may no longer be current.
