# pipq

A secure pip proxy that analyzes Python packages before installation to detect potential security issues and risks.

Repository: https://github.com/livrasand/pipq (GitHub, default branch `main`, created 2025-08-04)
Description: safely install pip packages by auditing them pre-install stage
Language: Python. License: GPL-3.0. Published on PyPI as `pypipq`.
Topics: appsec, command-line-tool, package-manager, pip, pipq, pypi, pypipq, python, security, security-audit, security-tools, vulnerabilities, vulnerability-scanners
Listing: https://awesome.ecosyste.ms/projects/github.com%2Flivrasand%2Fpipq (record last synced 2025-08-10)

![PyPI](https://img.shields.io/pypi/v/pypipq) [![PyPI Downloads](https://static.pepy.tech/badge/pypipq)](https://pepy.tech/projects/pypipq)

## Overview

pipq is a command-line tool that acts as a security layer between you and pip. It intercepts package installation requests, analyzes each requested package for potential security threats, and warns or blocks installation according to a configurable security policy. The checks run before pip installs anything, which matters because installing an sdist executes the package's own build steps (for example `setup.py`) with your privileges.

## Installation

```bash
pip install pypipq
```

## Usage

Replace `pip install` with `pipq install`:

```bash
# Basic usage
pipq install numpy pandas

# Check package without installing
pipq check potentially-malicious-package

# Force installation (skip validation)
pipq install --force some-package

# Silent mode (no prompts)
pipq install --silent package-name
```

`--force` skips every validator, so reserve it for packages you have already vetted by other means. `--silent` suppresses the interactive prompts; the configured mode (see Configuration) then decides without asking you.

## Key Functionality

### Implemented and Operational

#### Package Analysis

* **Typosquatting Detection**: Compares the requested name with popular packages and flags near-misses (transposed or missing letters, added affixes) that might be masquerading as legitimate libraries
* **Package Age Validation**: Flags packages that are suspiciously new (a common trait of supply chain attacks) or very old without updates (potential abandonment)
* **Maintainer Analysis**: Flags packages maintained by a single individual, which means a higher risk of abandonment and a single account to compromise. Treat this as a signal rather than a verdict: many legitimate libraries are single-maintainer
* **License Validation**: Detects missing or problematic licenses
* **Integrity Validation**: Verifies that release file URLs use HTTPS and that digests are published (SHA256, or MD5, which is not collision-resistant and should not be relied on alone). Note that a published hash only protects you if the downloaded file is checked against it; pip does this when you install from hash-pinned requirements with `--require-hashes`
* **Vulnerability Validator**: Checks for known vulnerabilities using the OSV (Open Source Vulnerabilities) database, with local caching of results
* **Malware Detection (Metadata)**: Looks up the package's release URLs and file hashes on VirusTotal and Hybrid Analysis, so files those services already know to be malicious are flagged without downloading the package
* **Malware Detection (Sandbox)**: Downloads the package into an isolated sandbox environment and scans it using the VirusTotal API. This submits the file to a third party, and the verdict only reflects what the engines already recognise

#### User Experience

* Rich terminal interface with colored output and progress indicators
* Interactive prompts for security decisions
* Multiple operation modes: silent, warn, or block
* Comprehensive configuration system via TOML files and environment variables

### Partially Implemented

* **Vulnerability scanning**: While OSV integration is functional, planned integrations with Safety DB and the Python Advisory Database are not yet implemented.

## Configuration

Create `~/.config/pipq/config.toml`:

```toml
mode = "warn"                    # silent, warn, or block
auto_continue_warnings = true
disable_validators = []
timeout = 30
```

Or use environment variables:

```bash
export PIPQ_MODE=block
export PIPQ_DISABLE_VALIDATORS=age,maintainer

# API keys for MalwareValidator
export VIRUSTOTAL_API_KEY="your_virustotal_api_key"
```

An exported API key is visible to every child process of that shell and ends up in shell history if typed interactively; prefer loading it from a file with restrictive permissions, and never commit it to a repository.

### Getting a VirusTotal API Key

To use the malware scanning features, you need a free VirusTotal API key. Here's how to get one:

1.  **Create a free account** on the [VirusTotal website](https://www.virustotal.com/gui/join-us).
2.  **Sign in** to your account.
3.  Click on your **username** in the top right corner and select **API Key**.
4.  Copy your API key and set it as an environment variable:

    ```bash
    export VIRUSTOTAL_API_KEY="your_new_api_key"
    ```

The public API is rate-limited, so an install with many dependencies may pause while lookups wait for quota.

## Installation Workflow

```bash
pipq install requests           # Analyze and install if safe
pipq check suspicious-package   # Analyze without installing
pipq install --force package    # Skip analysis entirely
```

## Architecture

pipq uses a modular validator system where each security check is implemented as an independent validator that inherits from `BaseValidator`. Each validator inspects the package and reports its own findings, and the configured mode decides whether those findings produce a warning, a prompt, or a refusal to install. This allows for easy extension and customization of security policies: a new check is a new validator class, and `disable_validators` turns individual checks off by name.

## Current Limitations

* **No code analysis**: Does not inspect the package's source code for suspicious behaviour
* **No local malware detection**: Malicious code is only flagged when VirusTotal or Hybrid Analysis already reports the file or URL; a novel payload that no engine recognises will pass
* **Metadata-driven analysis**: Apart from the VirusTotal sandbox submission, validation relies on PyPI metadata, which an attacker controls for their own package

## Planned Features

### Enhanced Security Validation

* Integration with further vulnerability databases (Safety DB, Python Advisory Database; OSV is already integrated)
* Static code analysis for suspicious patterns in setup.py and package code
* Malware detection using known malicious code signatures
* Dependency chain analysis for deep dependency risks

### Advanced Analysis

* Package integrity verification using cryptographic signatures
* Repository activity analysis (GitHub stars, commit frequency, contributor count)
* License compatibility checking
* Download statistics and popularity metrics validation

### Improved User Experience

* Caching system for package metadata (beyond the existing OSV result cache) to improve performance
* Integration with virtual environments and requirements.txt files
* Detailed reporting and audit trails