security-wg
secimport
| security-wg | secimport | |
|---|---|---|
| 6 | 14 | |
| 482 | 157 | |
| 1.0% | - | |
| 8.9 | 6.5 | |
| 6 days ago | 2 months ago | |
| JavaScript | Python | |
| MIT License | MIT License |
Stars - the number of stars that a project has on GitHub. Growth - month over month growth in stars.
Activity is a relative number indicating how actively a project is being developed. Recent commits have higher weight than older ones.
For example, an activity of 9.0 indicates that a project is amongst the top 10% of the most actively developed projects that we are tracking.
security-wg
-
Securizing your GitHub org
As I was working on an open source security project, I put pressure on myself to be ready. Also as a member of the Node.js Security WG I thought it was an interesting topic and that I was probably not the only one who was worried about not being up to the task 😖.
-
You should use the OpenSSF Scorecard
We began the discussion in this issue, and here you can find the meeting notes:
-
Dozens of malicious PyPI packages discovered targeting developers
Node.js is building something very similar: Permission Model https://github.com/nodejs/security-wg/issues/791
-
Announcing NodeSecure Vulnera
deprecated Node.js Security WG Database
- NodeSecure - What's new in 2022 ?
-
Make your JavaScript project safer by using this workflow
Node.js Security Working Group
secimport
-
Securing PyTorch Models with eBPF
In this blog, I will present secimport — a toolkit for creating and running sandboxed applications in Python that utilizes eBPF (bpftrace) to secure Python runtimes.
- I created a python seccomp sandbox, but per-module in your code.
- GitHub - avilum/secimport: Python sandbox toolkit, powered by eBPF and Dtrace
- GitHub - avilum/secimport: Python sandbox toolkit, powered by eBPF / Dtrace
- GitHub - avilum/secimport: seccomp Python sandbox, powered by eBPF and Dtrace
-
Dozens of malicious PyPI packages discovered targeting developers
There is also this, although I haven't tested it yet. The approach is interesting though. https://github.com/avilum/secimport
- GitHub - avilum/secimport: Secure imports for python modules using dtrace
-
Tracing/Sandboxing python modules upon import (like SECCOMP for the interpreter)
Code: https://github.com/avilum/secimport Article (No login required): https://infosecwriteups.com/sandboxing-python-modules-in-your-code-1e590d71fc26?source=friends_link&sk=5e9a2fa4d4921af0ec94f175f7ee49f9
- seccomp for Python import statements: sandbox python modules using dtrace (cross platform)
What are some alternatives?
cargo-vet - supply-chain security for Rust
birdcage - Cross-platform embeddable sandboxing
scorecard - OpenSSF Scorecard - Security health metrics for Open Source
W4SP-Stealer - w4sp Stealer official source code, one of the best python stealer on the web [GET https://api.github.com/repos/loTus04/W4SP-Stealer: 403 - Repository access blocked]
cli - Command line interface for the Phylum API
ci - NodeSecure tool enabling secured continuous integration
autobox - A set of tools and libraries for automatically generating and initiating sandboxes for Rust programs
scanner - ⚡️ A package API to run a static analysis of your module's dependencies. This is the CLI engine!
Contents - Community documentation, code, links to third-party resources, ... See the issues and pull requests for pending content. Contributions are welcome !
crev - Socially scalable Code REView and recommendation system that we desperately need. See http://github.com/crev-dev/cargo-crev for real implemenation.