{"id":15190185,"url":"https://github.com/avilum/secimport","last_synced_at":"2025-05-16T01:05:05.135Z","repository":{"id":44367483,"uuid":"509868578","full_name":"avilum/secimport","owner":"avilum","description":"The first open-source eBPF sandbox for Python (macOS/Linux): Secure libraries, block RCE, and enforce precise syscall control. Dive into module \u0026 package-level security now.","archived":false,"fork":false,"pushed_at":"2025-04-28T23:14:58.000Z","size":349,"stargazers_count":217,"open_issues_count":1,"forks_count":17,"subscribers_count":7,"default_branch":"master","last_synced_at":"2025-05-11T11:39:00.825Z","etag":null,"topics":["3rd-party","bpftrace","dtrace","ebpf","import","linux","profiling","python","rce","sandbox","seccomp","security","security-tools","tracing"],"latest_commit_sha":null,"homepage":"https://avilum.github.io/secimport/","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/avilum.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"docs/CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":"SECURITY.md","support":null,"governance":null,"roadmap":"docs/ROADMAP.md","authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2022-07-02T21:51:32.000Z","updated_at":"2025-05-02T09:31:32.000Z","dependencies_parsed_at":"2023-11-25T11:29:50.053Z","dependency_job_id":"98d329a9-1087-49da-ab57-0fb1aaa62bdb","html_url":"https://github.com/avilum/secimport","commit_stats":{"total_commits":135,"total_committers":8,"mean_commits":16.875,"dds":0.3481481481481481,"last_synced_commit":"8e0a0be43114b1726d1a2629769d6fdd6d76f7de"},"previous_names":[],"tags_count":22,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/avilum%2Fsecimport","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/avilum%2Fsecimport/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/avilum%2Fsecimport/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/avilum%2Fsecimport/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/avilum","download_url":"https://codeload.github.com/avilum/secimport/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":254448579,"owners_count":22072764,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["3rd-party","bpftrace","dtrace","ebpf","import","linux","profiling","python","rce","sandbox","seccomp","security","security-tools","tracing"],"created_at":"2024-09-27T20:05:50.701Z","updated_at":"2025-05-16T01:05:05.090Z","avatar_url":"https://github.com/avilum.png","language":"Python","readme":"# secimport\n![macOS](https://img.shields.io/badge/Platform-macOS-blue)\n![Linux](https://img.shields.io/badge/Platform-Linux-blue)\n\n[![Upload Python Package](https://github.com/avilum/secimport/actions/workflows/python-publish.yml/badge.svg)](https://github.com/avilum/secimport/actions/workflows/python-publish.yml)\n\n\u003c!-- ![](https://img.shields.io/badge/Test_Coverage-90%-blue) --\u003e\n\n## Module-Level Sandboxing for Python Applications\n\nsecimport is an eBPF-based security toolkit that enforces syscall restrictions per Python module, providing granular control over your application's security profile. Think of it as seccomp-bpf for Linux, but operating at the Python module level.\n\n[\u003ca href=\"https://star-history.com/#avilum/secimport\u0026Date\"\u003e\n \u003cpicture\u003e\n   \u003csource media=\"(prefers-color-scheme: dark)\" srcset=\"https://api.star-history.com/svg?repos=avilum/secimport\u0026type=Date\u0026theme=dark\" /\u003e\n   \u003csource media=\"(prefers-color-scheme: light)\" srcset=\"https://api.star-history.com/svg?repos=avilum/secimport\u0026type=Date\" /\u003e\n   \u003cimg alt=\"Star History Chart\" src=\"https://api.star-history.com/svg?repos=avilum/secimport\u0026type=Date\" /\u003e\n \u003c/picture\u003e\n\u003c/a\u003e](https://star-history.com/#avilum/secimport\u0026Date)\n\n## Key Features\n\n- **Module-Level Security**: Define and enforce syscall restrictions per Python module\n- **Automated Profiling**: Traces your application to create tailored security profiles\n- **Multiple Enforcement Modes**: Log, stop, or kill processes on policy violations\n- **Production Ready**: Negligible performance impact thanks to eBPF\n- **Supply Chain Protection**: Mitigate risks from vulnerable dependencies\n\n## Quick Start\n\n### Using Docker (Recommended)\n\n```bash\ngit clone https://github.com/avilum/secimport.git\ncd secimport/docker\n./build.sh \u0026\u0026 ./run.sh\n```\nCommand line:\n```\nsecimport --help\n\n Usage: python -m secimport.cli [OPTIONS] COMMAND [ARGS]...\n\n secimport is a comprehensive toolkit designed to enable the tracing, construction, and execution of secure Python runtimes. It leverages USDT probes and eBPF/DTrace technologies to enhance overall security measures.\n WORKFLOW: 1. secimport trace / secimport shell 2. secimport build 3. secimport run\n QUICKSTART: $ secimport interactive\n For more details, please see https://github.com/avilum/secimport/wiki/Command-Line-Usage\n\n╭─ Options ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮\n│ --install-completion Install completion for the current shell. │\n│ --show-completion Show completion for the current shell, to copy it or customize the installation. │\n│ --help Show this message and exit. │\n╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯\n╭─ Commands ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╮\n│ trace Trace a Python process using an entrypoint or interactive shell. │\n│ shell Alias for 'trace'. │\n│ trace-pid Trace a running process by PID. │\n│ build Build a sandbox profile from a trace log. │\n│ run Run a Python process inside the sandbox. │\n│ interactive Run secimport in interactive mode. │\n╰────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────╯\n```\n\n## Creating Your First Sandbox\n\n```bash\nsecimport interactive\n\n# In the Python shell that opens:\n\u003e\u003e\u003e secimport trace # Start tracing\n\u003e\u003e\u003e import requests # Perform actions you want to profile\n\u003e\u003e\u003e # Press CTRL+D to stop tracing\n\n\u003e\u003e\u003e secimport build # Build sandbox from trace\n\u003e\u003e\u003e secimport run # Run with enforcement\n```\n\n## Advanced Usage\n\n### Command Line Options\n\n```bash\nsecimport trace # Trace a new Python process\nsecimport trace_pid \u003cPID\u003e # Trace an existing process\nsecimport build # Build sandbox from trace\nsecimport run [options] # Run with enforcement\n```\n\n### Enforcement Modes\n\n```bash\n# Stop on violation\nsecimport run --stop_on_violation=true\n\n# Kill on violation\nsecimport run --kill_on_violation=true\n```\n\n### Python API\n\n```python\nimport secimport\n\n# Replace standard import with secure import\nrequests = secimport.secure_import('requests', allowed_syscalls=['open', 'read', ...])\n```\n\n## Manual Installation\n\n1. Install Python with USDT probes:\n\n ```bash\n # Configure Python with --enable-dtrace\n # See detailed instructions in our wiki\n ```\n\n2. Install a supported backend (eBPF or DTrace)\n\n ```bash\n # Ubuntu/Debian\n apt-get install bpftrace\n\n # For other platforms, see our Installation wiki\n ```\n\n3. Install secimport\n ```bash\n pip install secimport\n ```\n\n## seccomp-bpf support using nsjail\n\nBeside the sandbox that secimport builds, \u003cbr\u003e\nThe `secimport build` command creates an \u003ca href=\"https://github.com/google/nsjail\"\u003ensjail\u003c/a\u003e sandbox with seccomp profile for your traced code.\u003cbr\u003e `nsjail` enables namespace sandboxing with seccomp on linux\u003cbr\u003e\n`secimport` automatically generates seccomp profiles to use with `nsjail` as executable bash script.\nIt can be used to limit the syscalls of the entire python process, as another layer of defence.\n\n## Documentation\n\n- [Installation Guide](https://github.com/avilum/secimport/wiki/Installation)\n- [Command Line Usage](https://github.com/avilum/secimport/wiki/Command-Line-Usage)\n- [API Reference](https://github.com/avilum/secimport/wiki/Python-API)\n- [Example Sandboxes](https://github.com/avilum/secimport/wiki/Sandbox-Examples)\n\n## Learn More\n\n### Technical Resources\n\n- https://www.oligo.security/\n- [Talk: secimport on PyCon](https://www.youtube.com/watch?v=6DJNQtBJvLA)\n- [Talk: secimport at BSides](https://youtu.be/nRV0ulYMsxU?t=1257)\n- Blog Posts:\n - [secimport + DTrace](https://infosecwriteups.com/sandboxing-python-modules-in-your-code-1e590d71fc26?source=friends_link\u0026sk=5e9a2fa4d4921af0ec94f175f7ee49f9)\n - [secimport + eBPF + PyTorch](https://infosecwriteups.com/securing-pytorch-models-with-ebpf-7f75732b842d?source=friends_link\u0026sk=14d8db403aaf66724a8a69b4dea24e12)\n - [secimport + eBPF + FastAPI](https://avi-lumelsky.medium.com/secure-fastapi-with-ebpf-724d4aef8d9e?source=friends_link\u0026sk=b01a6b97ef09003b53cd52c479017b03)\n\n\n\n## Contributing\n\nWe welcome contributions! See our [Contributing Guide](https://github.com/avilum/secimport/blob/master/docs/CONTRIBUTING.md) for details.\n\n## License\n\nThis project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.\n","funding_links":[],"categories":["Point-of-use validations","Sandboxing \u0026 Isolation"],"sub_categories":["Vulnerability information exchange"],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Favilum%2Fsecimport","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Favilum%2Fsecimport","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Favilum%2Fsecimport/lists"}