{"id":50443676,"url":"https://github.com/ericrihm/depfence","last_synced_at":"2026-05-31T20:02:09.930Z","repository":{"id":355057361,"uuid":"1226580828","full_name":"ericrihm/depfence","owner":"ericrihm","description":"AI-aware dependency security scanner — 40+ scanners: prompt injection, slopsquatting, MCP auditing, AI-BOM, supply chain attack detection, SBOM generation","archived":false,"fork":false,"pushed_at":"2026-05-30T19:27:15.000Z","size":682,"stargazers_count":0,"open_issues_count":0,"forks_count":0,"subscribers_count":0,"default_branch":"main","last_synced_at":"2026-05-30T20:14:58.553Z","etag":null,"topics":[],"latest_commit_sha":null,"homepage":null,"language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/ericrihm.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2026-05-01T15:26:15.000Z","updated_at":"2026-05-30T19:27:18.000Z","dependencies_parsed_at":null,"dependency_job_id":null,"html_url":"https://github.com/ericrihm/depfence","commit_stats":null,"previous_names":["ericrihm/depfence"],"tags_count":0,"template":false,"template_full_name":null,"purl":"pkg:github/ericrihm/depfence","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ericrihm%2Fdepfence","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ericrihm%2Fdepfence/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ericrihm%2Fdepfence/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ericrihm%2Fdepfence/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/ericrihm","download_url":"https://codeload.github.com/ericrihm/depfence/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/ericrihm%2Fdepfence/sbom","scorecard":null,"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":33746514,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-05-26T15:22:16.424Z","status":"online","status_checked_at":"2026-05-31T02:00:06.040Z","response_time":95,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":[],"created_at":"2026-05-31T20:02:09.073Z","updated_at":"2026-05-31T20:02:09.924Z","avatar_url":"https://github.com/ericrihm.png","language":"Python","funding_links":[],"categories":[],"sub_categories":[],"readme":"# depfence\n\n**Dependency security for the AI age.** 40+ scanners. One command.\n\n[![CI](https://img.shields.io/github/actions/workflow/status/ericrihm/depfence/ci.yml?label=CI)](https://github.com/ericrihm/depfence/actions/workflows/ci.yml)\n[![License: MIT](https://img.shields.io/badge/license-MIT-blue.svg)](LICENSE)\n[![Python 3.10+](https://img.shields.io/badge/python-3.10%2B-blue)](https://github.com/ericrihm/depfence)\n\n```bash\npip install depfence\ndepfence scan .\n```\n\n```\n depfence v0.5.0  scanning 142 packages across 3 lockfiles\n\n CRITICAL  node_modules/jqwik     prompt_injection  ANSI-hidden instruction override in source\n CRITICAL  pytorch-cuda-nightly   slopsquat         LLM hallucination match for torch (0.94)\n HIGH      lodash 4.17.20         npm_advisory      CVE-2021-23337  EPSS 0.71  KEV\n HIGH      req-utils 1.0.3        preinstall        install script exfiltrates $HOME/.ssh\n HIGH      .github/workflows/ci   ci_ai_bot         untrusted input to AI triage bot\n MEDIUM    transformers 4.38.0    model_scanner     unsafe torch.load without weights_only\n MEDIUM    @angulr/core           scope_squat       typosquatting @angular/core\n LOW       leftpad 0.0.3          freshness         no release in 847 days\n\n 8 findings  (2 critical, 3 high, 2 medium, 1 low)\n```\n\n---\n\n## The problem\n\nYour dependencies are an attack surface. Traditional scanners stop at CVEs. depfence goes further:\n\n| Traditional scanners check | depfence also catches |\n|---|---|\n| Known CVEs in lockfiles | Prompt injection hidden in source code targeting AI assistants |\n| Outdated packages | ANSI escape sequences making malicious text invisible to reviewers |\n| License compliance | LLM-hallucinated package names registered by attackers (slopsquatting) |\n| | MCP server misconfigs: tool shadowing, credential leakage, rug-pull attacks |\n| | Install scripts that exfiltrate SSH keys, env vars, or credentials |\n| | AI coding bots in CI/CD consuming untrusted GitHub issue/PR input |\n| | Commit messages and PR templates injecting instructions into AI reviewers |\n| | Pickle model weights with arbitrary code execution opcodes |\n\n---\n\n## Quick start\n\n```bash\n# Install\npip install depfence\n\n# Full scan\ndepfence scan .\n\n# Fast CI scan — only changed packages\ndepfence diff .\n\n# Single-package reputation check\ndepfence check requests -e pypi\n\n# Auto-fix vulnerable dependencies\ndepfence fix . --apply\n\n# Generate AI Bill of Materials\ndepfence ai-bom .\n```\n\n---\n\n## Scanners\n\n### Prompt injection \u0026 AI safety\n\nCatches attacks that target AI coding assistants — the tools your developers use every day.\n\n| Scanner | What it detects |\n|---|---|\n| `prompt_injection` | Adversarial LLM instructions in source code: comments, docstrings, strings, README, build scripts, package.json fields. 25 patterns with multi-pass encoding normalization. Detects ANSI escapes, zero-width Unicode, bidi overrides, and homoglyphs. [Background](https://arstechnica.com/security/2026/05/fed-up-with-vibe-coders-dev-sneaks-data-nuking-prompt-injection-into-their-code/) |\n| `git_message` | Injection in git commit messages and PR/issue templates targeting AI code review bots |\n| `ci_ai_bot` | [Clinejection](https://snyk.io/blog/cline-supply-chain-attack-prompt-injection-github-actions/)-class attacks: AI bots in CI/CD consuming untrusted `${{ github.event }}` input |\n| `mcp_scanner` | MCP server misconfigs: tool shadowing, rug-pull, credential leakage, prompt injection, TLS, version pinning. Fully offline, covers Claude/Cursor/VS Code/Windsurf/Zed |\n| `mcp_fingerprint` | MCP rug-pull detection via schema fingerprinting and parameter injection |\n\n### AI/ML model security\n\n| Scanner | What it detects |\n|---|---|\n| `slopsquat` | LLM-hallucinated package names registered by attackers |\n| `model_scanner` | Unsafe `torch.load`, pickle files, unverified HuggingFace pulls |\n| `model_integrity` | Checksum verification, SafeTensors header validation, size anomaly, prompt injection in model metadata |\n| `ai_vulns` | LangChain RCE, unsafe deserialization, `trust_remote_code`, `eval(response)` |\n| `ai_bom` | AI Bill of Materials: inventories models, MCP servers, and AI frameworks with risk scoring |\n| `docker_layer` | Prompt injection in Dockerfile labels, ENV, ARG, entrypoint, and local image metadata |\n\n### Supply chain attacks\n\n| Scanner | What it detects |\n|---|---|\n| `preinstall` | Install scripts: pipe-to-shell, credential theft, exfiltration (AST-level for Python) |\n| `dep_confusion` | Private registry misconfigs enabling namespace hijacking |\n| `scope_squatting` | npm scope typosquatting (`@angulr` vs `@angular`) |\n| `ownership` | Maintainer takeovers and version-order anomalies |\n| `provenance` | Missing or invalid SLSA attestations |\n| `behavioral` | Runtime red flags: eval, exec, child_process, DNS resolve, exfiltration endpoints |\n| `obfuscation` | Base64-exec, hex encoding, charcode, high entropy, ANSI escape content hiding |\n| `network` | Mining pools, webhook exfiltration, DNS tunneling, hardcoded IPs |\n| `reputation` | Low-trust packages: new, no repo, single maintainer |\n\n### Vulnerabilities\n\n| Scanner | What it detects |\n|---|---|\n| `osv` | OSV database — npm, PyPI, Cargo, Go, Maven, NuGet, Ruby, PHP, Swift |\n| `npm_advisory` / `pypi_advisory` | Ecosystem-specific advisories from GitHub Advisory DB |\n| `epss` | EPSS exploit probability scores for triage |\n| `kev` | CISA Known Exploited Vulnerabilities |\n\n### CI/CD \u0026 infrastructure\n\n| Scanner | What it detects |\n|---|---|\n| `gha_workflow` | Script injection, `pull_request_target` exploits, overly permissive permissions |\n| `gha_scanner` | Unpinned and compromised GitHub Actions |\n| `dockerfile` | Unpinned base images, root user, secrets in ENV/ARG |\n| `terraform` | Unpinned modules, HTTP sources, unverified namespaces |\n| `secrets` | AWS keys, GitHub PATs, private keys, Stripe tokens, DB connection strings |\n| `ci_secrets` | CI secret exposure correlated with suspicious package behavior |\n\n### Compliance \u0026 hygiene\n\n| Scanner | What it detects |\n|---|---|\n| `license_scanner` / `license_compat` | Copyleft compliance, license conflict detection |\n| `reachability` | Which vulnerable imports are actually reachable |\n| `phantom_deps` | Declared but never imported packages |\n| `freshness` | Unmaintained deps (no release in 2+ years) |\n| `pinning` | Unpinned deps, wildcard versions, missing lockfiles |\n| `sbom` | CycloneDX 1.5 and SPDX 2.3 generation |\n| `risk-score` | Composite A-F risk scores with OpenSSF Scorecard |\n\n---\n\n## Ecosystems\n\nnpm, PyPI, Cargo, Go, Maven, NuGet, RubyGems, Composer, Swift/SPM, Docker, HuggingFace, MCP, GitHub Actions.\n\n---\n\n## Output formats\n\n```bash\ndepfence scan . --format json | jq '.findings[] | select(.severity == \"CRITICAL\")'\ndepfence scan . --format sarif -o results.sarif\ndepfence sbom . --format cyclonedx -o sbom.json\n```\n\n| Format | Use case |\n|---|---|\n| `table` (default) | Local development |\n| `json` | Pipeline integration, scripting |\n| `html` | Shareable reports |\n| `sarif` | GitHub Code Scanning, Azure DevOps |\n| `cyclonedx` / `spdx` | SBOM delivery |\n\n---\n\n## CI/CD integration\n\n### GitHub Actions\n\n```yaml\n- uses: ericrihm/depfence@v1\n  with:\n    fail-on: high\n    format: sarif\n    upload-sarif: true\n```\n\n\u003cdetails\u003e\n\u003csummary\u003eFull workflow example\u003c/summary\u003e\n\n```yaml\nname: Dependency Security\non:\n  push:\n    branches: [main]\n    paths: ['**/package-lock.json', '**/requirements.txt', '**/Cargo.lock', '**/go.sum']\n  pull_request:\n    paths: ['**/package-lock.json', '**/requirements.txt', '**/poetry.lock']\n  schedule:\n    - cron: '0 6 * * 1'\n\njobs:\n  depfence:\n    runs-on: ubuntu-latest\n    permissions:\n      security-events: write\n    steps:\n      - uses: actions/checkout@v4\n      - uses: actions/setup-python@v5\n        with:\n          python-version: '3.12'\n      - run: pip install depfence\n      - run: depfence scan . --format sarif -o depfence.sarif --fail-on high\n      - uses: github/codeql-action/upload-sarif@v3\n        if: always()\n        with:\n          sarif_file: depfence.sarif\n          category: depfence\n```\n\n\u003c/details\u003e\n\n### Pre-commit hook\n\n```yaml\n# .pre-commit-config.yaml\nrepos:\n  - repo: https://github.com/ericrihm/depfence\n    rev: v0.5.0\n    hooks:\n      - id: depfence\n```\n\n---\n\n## Configuration\n\nPlace `depfence.yml` at the project root for policy-as-code:\n\n\u003cdetails\u003e\n\u003csummary\u003edepfence.yml example\u003c/summary\u003e\n\n```yaml\nscanners:\n  exclude: [phantom_deps]\n  fail_on: high\n\nrules:\n  - name: no-gpl-in-production\n    match: { license_category: copyleft }\n    action: block\n\n  - name: require-provenance-for-popular\n    match: { weekly_downloads_min: 100000, has_provenance: false }\n    action: block\n\n  - name: no-install-scripts-npm\n    match: { has_install_scripts: true }\n    action: block\n    ecosystems: [npm]\n\nignore:\n  - id: CVE-2021-23337\n    package: lodash\n    reason: \"not reachable via our import path\"\n    expires: 2026-12-31\n```\n\n\u003c/details\u003e\n\n| Exit code | Meaning |\n|---|---|\n| `0` | Clean — no findings above threshold |\n| `1` | Findings at or above `--fail-on` threshold |\n| `2` | Scan error |\n\n---\n\n## Plugin system\n\ndepfence discovers plugins via pip entry points, `DEPFENCE_PLUGIN_PATH`, or `~/.depfence/plugins/`.\n\n```python\nfrom depfence.core.models import Finding, PackageMeta, Severity\n\nclass MyScanner:\n    name = \"my_scanner\"\n    ecosystems = [\"npm\", \"pypi\"]\n\n    async def scan(self, packages: list[PackageMeta]) -\u003e list[Finding]:\n        # Your detection logic here\n        return []\n```\n\n```bash\ndepfence plugins   # list all loaded scanners\n```\n\n---\n\n## Install\n\n```bash\npip install depfence                  # stable\npip install \"depfence[ml]\"            # with scikit-learn behavioral scoring\npipx run depfence scan .              # no install\n```\n\nPython 3.10+. Tested on 3.10, 3.11, 3.12, 3.13.\n\n---\n\n## Contributing\n\n```bash\ngit clone https://github.com/ericrihm/depfence\ncd depfence\npython -m venv .venv \u0026\u0026 source .venv/bin/activate\npip install -e \".[dev]\"\npytest\n```\n\nRun `ruff check` and `mypy` before opening a PR.\n\n---\n\nMIT License. See [LICENSE](LICENSE).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fericrihm%2Fdepfence","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fericrihm%2Fdepfence","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fericrihm%2Fdepfence/lists"}