Top 7 Python supply-chain Projects
-
pip-audit
Audits Python environments, requirements files and dependency trees for known security vulnerabilities, and can automatically fix them
-
packj
Packj stops Solarwinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain
-
ochrona-cli
A command line tool for detecting vulnerabilities in Python dependencies and doing safe package installs
Project mention: Smooth Packaging: Flowing from Source to PyPi with GitLab Pipelines | dev.to | 2024-01-18
Next up is making sure none of the dependencies used throughout the project brings with it any already identified security issue. The makefile target audit invokes the handy tool pip-audit.
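The post above gates a pipeline on pip-audit. What an audit target usually needs on top of the bare invocation is a policy: which findings block the build, which ones are temporarily waived, and what to do with dependencies the auditor could not check. The script below is an added example, not code from the post, from pip-audit, or from any project on this list. It consumes the JSON that `pip-audit -r requirements.txt -f json` writes and assumes that report's shape (a top-level `dependencies` list, each entry carrying `name`, `version` and `vulns`, or a `skip_reason` when the package was not audited; each vuln carrying `id`, `fix_versions` and `aliases`). The embedded report, package names, vulnerability IDs and waiver table are all constructed placeholders, not real advisories.

```python
"""CI gate over pip-audit JSON output (added example; assumes the -f json shape)."""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass, field
from datetime import date

# Constructed stand-in for `pip-audit -r requirements.txt -f json` output.
# Package names and IDs are placeholders, not real packages or advisories.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "examplepkg", "version": "1.0.0",
         "vulns": [{"id": "PYSEC-EXAMPLE-0001", "fix_versions": ["1.0.1"],
                    "aliases": ["CVE-EXAMPLE-0001"], "description": "placeholder"}]},
        {"name": "otherpkg", "version": "2.3.0",
         "vulns": [{"id": "PYSEC-EXAMPLE-0002", "fix_versions": [],
                    "aliases": [], "description": "placeholder, no fix released"}]},
        {"name": "cleanpkg", "version": "0.9.0", "vulns": []},
        # A dependency pip-audit could not look up (e.g. a local path install).
        {"name": "localpkg", "version": "0.1.0", "skip_reason": "not on PyPI"},
    ],
    "fixes": [],
})


@dataclass
class Finding:
    package: str
    version: str
    vuln_id: str
    aliases: list[str]
    fix_versions: list[str]


@dataclass
class Verdict:
    blocking: list[Finding] = field(default_factory=list)
    waived: list[Finding] = field(default_factory=list)
    skipped: list[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        # Fail closed: an un-audited dependency is not a clean dependency.
        return not self.blocking and not self.skipped


def parse_report(text: str) -> tuple[list[Finding], list[str]]:
    """Flatten the pip-audit report into findings plus the list of skipped packages."""
    data = json.loads(text)
    findings: list[Finding] = []
    skipped: list[str] = []
    for dep in data.get("dependencies", []):
        if dep.get("skip_reason"):
            skipped.append(f"{dep['name']}: {dep['skip_reason']}")
            continue
        for v in dep.get("vulns", []):
            findings.append(Finding(dep["name"], dep["version"], v["id"],
                                    list(v.get("aliases", [])),
                                    list(v.get("fix_versions", []))))
    return findings, skipped


def evaluate(text: str, waivers: dict[str, date], today: date,
             fail_on_skipped: bool = True) -> Verdict:
    """Every finding blocks unless a waiver (keyed by ID or alias) is still in date.

    Waivers carry an expiry so a "we'll fix it next sprint" entry cannot silently
    become permanent. Skipped packages fail the gate unless explicitly tolerated.
    """
    findings, skipped = parse_report(text)
    verdict = Verdict(skipped=skipped if fail_on_skipped else [])
    for f in findings:
        ids = {f.vuln_id, *f.aliases}
        expiry = next((waivers[i] for i in ids if i in waivers), None)
        if expiry is not None and expiry >= today:
            verdict.waived.append(f)
        else:
            verdict.blocking.append(f)
    return verdict


if __name__ == "__main__":
    # Hypothetical waiver table; in a real pipeline this would live in the repo.
    waivers = {"PYSEC-EXAMPLE-0002": date(2024, 6, 1)}
    verdict = evaluate(SAMPLE_REPORT, waivers, date.today())
    for f in verdict.blocking:
        fix = ", ".join(f.fix_versions) or "no fix released"
        print(f"BLOCK {f.package}=={f.version} {f.vuln_id} (fix: {fix})")
    for f in verdict.waived:
        print(f"WAIVED {f.package}=={f.version} {f.vuln_id}")
    for s in verdict.skipped:
        print(f"SKIPPED (not audited) {s}")
    sys.exit(0 if verdict.ok else 1)
```

Two choices here are the ones worth arguing about in review: waivers are matched on aliases as well as the primary ID, so a CVE-keyed waiver still applies when pip-audit reports the PYSEC ID for the same issue, and a skipped dependency fails the gate by default, because "not checked" is not the same as "no known vulnerabilities".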
The things you mentioned are not solved by a typical "SBOM" but e.g. CycloneDX has extra fields to record provenance and pedigree and things like in-toto (https://in-toto.io/) or SLSA (https://slsa.dev/) also aim to work in this field.
I've spent the last six months in this field and people will tell you that this or that is an industry best practice or "a standard" but in my experience none of that is true. Everyone is still trying to figure out how best to protect the software supply chain security and things are still very much in flux.
Creator of Packj [1] here. How do you envision sandboxing/security policies will be specified? Per-lib policies when you've hundreds of dependencies will become overwhelming. Having built an eBPF-based sandbox [2], I anticipate that accuracy will be another challenge here: too restrictive will block functionality, too permissive defeats the purpose.
1. https://github.com/ossillate-inc/packj flags malicious/risky NPM/PyPI/RubyGems/Rust/Maven/PHP packages by carrying out static+dynamic+metadata analysis.
Python supply-chain related posts
-
UEFI Software Bill of Materials Proposal
-
How Attackers Can Sneakily Slip Malware Packages Into Poetry.lock Files
-
bomber - a vulnerability scanner for SBOMs
-
Freezing Requirements with Pip-Tools
-
Gym like frameworks for combinatorial optimization on Graphs?
-
Show HN: Seal – Verifiable timestamp for your private ideas
-
pip-audit - a tool for scanning Python environments for packages with known vulnerabilities
-
Index
What are some of the best open-source supply-chain projects in Python? This list will help you:
| # | Project | Stars |
|---|---------|-------|
| 1 | pip-audit | 920 |
| 2 | in-toto | 835 |
| 3 | packj | 616 |
| 4 | or-gym | 355 |
| 5 | sigstore-python | 212 |
| 6 | chainjacking | 53 |
| 7 | ochrona-cli | 52 |