{"id":13530585,"url":"https://github.com/apiiro/combobulator","last_synced_at":"2026-01-16T16:43:09.631Z","repository":{"id":45131825,"uuid":"426342117","full_name":"apiiro/combobulator","owner":"apiiro","description":"Dependency Combobulator","archived":false,"fork":false,"pushed_at":"2024-01-10T08:26:30.000Z","size":239,"stargazers_count":93,"open_issues_count":14,"forks_count":7,"subscribers_count":3,"default_branch":"main","last_synced_at":"2025-04-01T18:50:30.849Z","etag":null,"topics":["dependency-confusion","sdlc","secure-coding","security"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/apiiro.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2021-11-09T18:29:36.000Z","updated_at":"2025-03-15T21:17:50.000Z","dependencies_parsed_at":"2024-06-21T17:31:10.114Z","dependency_job_id":"ee8f3745-17e2-4587-87d9-b95e626f3a37","html_url":"https://github.com/apiiro/combobulator","commit_stats":null,"previous_names":[],"tags_count":1,"template":false,"template_full_name":null,"purl":"pkg:github/apiiro/combobulator","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apiiro%2Fcombobulator","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apiiro%2Fcombobulator/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apiiro%2Fcombobulator/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apiiro%2Fcombobulator/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/apiiro","download_url":"https://codeload.github.com/apiiro/combobulator/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/apiiro%2Fcombobulator/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":28480066,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-01-16T11:59:17.896Z","status":"ssl_error","status_checked_at":"2026-01-16T11:55:55.838Z","response_time":107,"last_error":"SSL_read: unexpected eof while reading","robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":false,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["dependency-confusion","sdlc","secure-coding","security"],"created_at":"2024-08-01T07:00:52.136Z","updated_at":"2026-01-16T16:43:09.602Z","avatar_url":"https://github.com/apiiro.png","language":"Python","readme":"# Dependency Combobulator\n![BHEU BADGE](docs/bheu21.svg) ![python](https://img.shields.io/badge/Python-14354C) ![maintained](https://img.shields.io/badge/Maintained%3F-yes-green.svg)\n\nDependency Combobulator is an Open-Source, modular and extensible framework to detect and prevent dependency confusion leakage and potential attacks. This facilitates a holistic approach for ensuring secure application releases that can be evaluated against different sources (e.g., GitHub Packages, JFrog Artifactory) and many package management schemes (e.g., npm, maven).\n\n### Intended Audiences\n\nThe framework can be used by security auditors, pentesters and even baked into an enterprise's application security program and release cycle in an automated fashion.\n### Main features\n* Pluggable - interject on commit level, build, release steps in SDLC.\n* Expandable - easily add your own package management scheme or code source of choice\n* General-purpose Heuristic-Engine - an abstract package data model provides agnostic heuristic approach\n* Supporting wide range of technologies\n* Flexible - decision trees can be determined upon insights or verdicts provided by the toolkit\n\n\n### Easly extensible\n\nThe project is putting practicionar's ability to extend and fit the toolkit to her own specific needs. As such, it is designed to be able to extend it to other sources, public registries, package management schemes and extending the abstract model and accompnaied heuristics engine.\n\n\n## Installation\n\nDependency Combobulator is ready to work with as it is - just `git clone` or download the package from https://github.com/apiiro/combobulator\n\nMake sure to install required dependencies by running:\n\n`pip install -r requirements.txt`\n\n## Arguments (--help)\n```\n  -h, --help            show this help message and exit\n  -t {npm,maven}, --type {npm,maven}\n                        Package Manager Type, i.e: npm, maven\n  -l LIST_FROM_FILE, --load_list LIST_FROM_FILE\n                        Load list of dependencies from a file\n  -d FROM_SRC, --directory FROM_SRC\n                        Extract dependencies from local source repository\n  -p--package SINGLE    Name a single package.\n  -c CSV, --csv CSV     Export packages properties onto CSV file\n  -gh GITHUB_TOKEN, --github GITHUB_TOKEN\n                        GitHub Access Token (Overrides .env file setting)\n  -a {compare,comp,heuristics,heur}, --analysis {compare,comp,heuristics,heur}\n                        Required analysis level - compare (comp), heuristics\n                        (heur) (default: compare)\n\nApiiro \u003cHeart\u003e Community\n```\nSupported package types (-t, --t): npm, maven\n\nSupported source dependency assessment:\n- From file containing the dependency identifiers line-by-line. (-l, --load_list)\n- By analyzing the appropriate repo's software bill-of-materials (e.g. package.json, pom.xml) (-d, --directory)\n- Naming a single identifier (-p, --package)\n\nAnalysis level is customizable as you can build your own preferred analysis profile in seconds. Dependency Combobulator does come with several analysis levels out-of-the-box, selected by -a, --analysis\n\nSupported output format:\n- Screen stdout (default)\n- CSV export to designated file -(-CSV)\n\n## Usage examples\n\nhttps://user-images.githubusercontent.com/90651458/140915800-c267034b-90c9-42d1-b12a-83e12f70d44e.mp4\n\n\n## Credits\n\nThe project is maintained and sponsored by Apiiro with 💜\n\nWe honor great developers \u0026 AppSec practitioners with a passion for change 🙏\n","funding_links":[],"categories":["OSS and Dependency management","DevSecOps","Dependency intelligence"],"sub_categories":["Dependency confusion"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fapiiro%2Fcombobulator","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fapiiro%2Fcombobulator","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fapiiro%2Fcombobulator/lists"}