packj VS cicd-goat

Creator of Packj [1] here. How do you envision sandboxing/security policies will be specified? Per-lib policies when you've hundreds of dependencies will become overwhelming. Having built an eBPF-based sandbox [2], I anticipate that accuracy will be another challenge here: too restrictive will block functionality, too permissive defeats the purpose.

1. https://github.com/ossillate-inc/packj flags malicious/risky NPM/PyPI/RubyGems/Rust/Maven/PHP packages by carrying out static+dynamic+metadata analysis.

Cool project. How do you feel about projects like OpenSSF scorecards or even the checks that socket.dev do today on these packages to help determine risk?

https://github.com/ossillate-inc/packj/blob/main/.packj.yaml

Secondly, what about impersonation where attackers imitate a popular package and its respective metadata?

I built Packj [1] sandboxing for securing “pip/NPM install”. It uses strace for sandboxing and blocks access to sensitive files and limits traffic to known-good IP addresses.

1. https://github.com/ossillate-inc/packj

Great work! This provenance check is going to be very valuable for enforcing supply-chain security. We are working on adding support to check for provenance in Packj.

1. https://github.com/ossillate-inc/packj flags risky/malicious NPM/PyPI/Ruby dependencies

Cool project. Would love to integrate this in Packj [1] as one of the open-source SAST scanners. Will DM you.

1. https://github.com/ossillate-inc/packj flags malicious/risky open-source dependencies.

Very cool! I've built something similar, but for packages: https://github.com/ossillate-inc/packj Would love to talk.

Working on a marketplace (based on Packj [1]) to allow open-source developers to make money by selling "assured" software artifacts.

1. Packj https://github.com/ossillate-inc/packj flags malicious and other "risky" open-source dependencies in your software supply chain.

I’ve created Packj sandbox [1] for “safe installation” of PyPI/NPM/Rubygems packages

1. https://github.com/ossillate-inc/packj

It DOES NOT require a VM/Container; uses strace. It shows you a preview of file system changes that installation will make and can also block arbitrary network communication during installation (uses an allow-list).

Great to see a developer-friendly tool around OSV! Packj [1] uses OSV APIs to report vulnerable PyPI/NPM/Rubygems packages. Disclaimer: I built it.

1. https://github.com/ossillate-inc/packj flags malicious/risky packages.

In this blog post, we want to explore what happens if a development machine gets compromised, granting an attacker write access to source code repositories. To experience this first-hand, we're using CI/CD Goat, and one of the CTF challenges to play through the scenario of an attacker gaining access to sensitive data within build infrastructure.

CI/CD-Goat: https://github.com/cider-security-research/cicd-goat