Python supply-chain

Open-source Python projects categorized as supply-chain

Top 7 Python supply-chain Projects

  • pip-audit

    Audits Python environments, requirements files and dependency trees for known security vulnerabilities, and can automatically fix them

  • Project mention: Smooth Packaging: Flowing from Source to PyPi with GitLab Pipelines | dev.to | 2024-01-18

    Next up is making sure none of the dependencies used throughout the project brings with it any already identified security issue. The makefile target audit invokes the handy tool pip-audit.
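    The audit target described in the mention above stops at pip-audit's exit status. The script below is an added example (not from this listing, the dev.to post, or the pip-audit project) of the gate a pipeline usually wants on top of that: read the JSON report, accept advisories that a reviewer has triaged by id or alias, block on everything else, and suggest the lowest published fix version per package. It assumes the report was produced with "pip-audit -r requirements.txt -f json -o report.json" and has the shape pip-audit's JSON format emits (a "dependencies" list whose entries carry "name", "version" and a "vulns" list of id, fix_versions, aliases, description). The embedded report is constructed: the package names and EXAMPLE-* identifiers are placeholders, not real advisories.

```python
"""Gate a CI step on a pip-audit JSON report (added example, not pip-audit's code)."""
import json
import re
import sys
from dataclasses import dataclass

# Constructed sample in the shape of `pip-audit -f json` output. Package names
# and EXAMPLE-* identifiers are placeholders, not real packages or advisories.
SAMPLE_REPORT = json.dumps({
    "dependencies": [
        {"name": "cleanlib", "version": "2.0.1", "vulns": []},
        {"name": "demolib", "version": "1.4.0", "vulns": [
            {"id": "EXAMPLE-0001", "fix_versions": ["1.4.2", "1.5.0"],
             "aliases": ["EXAMPLE-CVE-0001"], "description": "constructed finding"}]},
        {"name": "legacylib", "version": "0.9", "vulns": [
            {"id": "EXAMPLE-0002", "fix_versions": [],
             "aliases": [], "description": "constructed finding without a fix"}]},
    ],
    "fixes": [],
})


@dataclass(frozen=True)
class Finding:
    package: str
    version: str
    vuln_id: str
    aliases: tuple
    fix_versions: tuple


def load_findings(report_text):
    """Flatten a pip-audit JSON report into one Finding per (package, advisory)."""
    report = json.loads(report_text)
    findings = []
    for dep in report.get("dependencies", []):
        for vuln in dep.get("vulns", []):
            findings.append(Finding(
                package=dep["name"],
                version=dep["version"],
                vuln_id=vuln["id"],
                aliases=tuple(vuln.get("aliases", [])),
                fix_versions=tuple(vuln.get("fix_versions", [])),
            ))
    return findings


def evaluate(findings, allowlist):
    """Split findings into (blocking, accepted).

    `allowlist` maps an advisory id or alias (for example a CVE) to the reason a
    reviewer accepted it; anything not listed blocks the build.
    """
    blocking, accepted = [], []
    for f in findings:
        if any(i in allowlist for i in (f.vuln_id,) + f.aliases):
            accepted.append(f)
        else:
            blocking.append(f)
    return blocking, accepted


def _version_key(v):
    # Numeric-only ordering: enough for the fix versions in the report above,
    # not a full PEP 440 comparison (use packaging.version for that).
    return tuple(int(x) for x in re.findall(r"\d+", v))


def suggested_pins(blocking):
    """Lowest fix version per package that satisfies every blocking advisory.

    Packages with no published fix are omitted; they need a different decision.
    """
    pins = {}
    for f in blocking:
        if not f.fix_versions:
            continue
        candidate = min(f.fix_versions, key=_version_key)
        if f.package not in pins or _version_key(candidate) > _version_key(pins[f.package]):
            pins[f.package] = candidate
    return pins


def main(argv):
    if argv:
        with open(argv[0]) as fh:
            report_text = fh.read()
    else:
        report_text = SAMPLE_REPORT
    allowlist = {}  # in a real pipeline, load this from a reviewed file
    blocking, accepted = evaluate(load_findings(report_text), allowlist)
    for f in blocking:
        fix = ", ".join(f.fix_versions) or "no fix published"
        print(f"BLOCK    {f.package}=={f.version} {f.vuln_id} fix: {fix}")
    for f in accepted:
        print(f"ACCEPTED {f.package}=={f.version} {f.vuln_id} ({allowlist_reason(f, allowlist)})")
    for pkg, ver in suggested_pins(blocking).items():
        print(f"pin {pkg}>={ver}")
    return 1 if blocking else 0


def allowlist_reason(finding, allowlist):
    for i in (finding.vuln_id,) + finding.aliases:
        if i in allowlist:
            return allowlist[i]
    return ""


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

    In a makefile like the one in the mention, the audit target becomes two steps: run pip-audit with "-f json -o report.json", then run this script on report.json so the build fails on any unreviewed advisory rather than on pip-audit's own exit status alone. Keep the allowlist in version control with the reason next to each id, and treat a finding with an empty fix_versions list as a separate decision (replace the package or accept the risk explicitly), since pip-audit's --fix has nothing to upgrade to in that case.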

  • in-toto

    in-toto is a framework to protect supply chain integrity.

  • Project mention: UEFI Software Bill of Materials Proposal | news.ycombinator.com | 2023-11-14

    The things you mentioned are not solved by a typical "SBOM" but e.g. CycloneDX has extra fields to record provenance and pedigree and things like in-toto (https://in-toto.io/) or SLSA (https://slsa.dev/) also aim to work in this field.

    I've spent the last six months in this field and people will tell you that this or that is an industry best practice or "a standard" but in my experience none of that is true. Everyone is still trying to figure out how best to protect the software supply chain security and things are still very much in flux.

  • packj

    Packj stops SolarWinds-, ESLint-, and PyTorch-like attacks by flagging malicious/vulnerable open-source dependencies ("weak links") in your software supply-chain

  • Project mention: Rust Without Crates.io | news.ycombinator.com | 2023-11-14

    Creator of Packj [1] here. How do you envision sandboxing/security policies will be specified? Per-lib policies when you have hundreds of dependencies will become overwhelming. Having built an eBPF-based sandbox [2], I anticipate that accuracy will be another challenge here: too restrictive will block functionality, too permissive defeats the purpose.

    1. https://github.com/ossillate-inc/packj flags malicious/risky NPM/PyPI/RubyGems/Rust/Maven/PHP packages by carrying out static+dynamic+metadata analysis.

  • or-gym

    Environments for OR and RL Research

  • sigstore-python

    A Sigstore client for Python

  • chainjacking

    Find which of your direct GitHub dependencies is susceptible to RepoJacking attacks
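    The check that entry describes comes down to two questions per GitHub-hosted dependency: does the owner account still exist, and does the old owner/repo path still redirect somewhere. The script below is an added example of that logic (it is not chainjacking's code) and assumes github.com behaviour as stated in its docstring: 404 at https://github.com/<owner> for a deleted or renamed account, and a 301 at a renamed or transferred repository's old path. The requirements file and the response table it runs against are constructed; the github_status function is the live lookup and is not exercised offline.

```python
"""RepoJacking exposure check for GitHub-hosted Python dependencies.

Added example, not chainjacking's own code. Assumed github.com behaviour: a
deleted or renamed account answers 404 at https://github.com/<owner>, and a
renamed or transferred repository answers 301 at its old path. Both are
assumptions of this example, not facts taken from the listing.
"""
import re
from urllib import error, request

# Matches github.com/<owner>/<repo> in https, git+https and git+ssh forms.
GITHUB_DEP = re.compile(r"github\.com[/:](?P<owner>[\w.-]+)/(?P<repo>[\w.-]+)")

# Constructed requirements file; owners and repos are placeholders.
SAMPLE_REQUIREMENTS = """\
requests==2.31.0
tool @ git+https://github.com/alice/tool.git@v1.2.0
git+https://github.com/bob/lib@main#egg=lib
https://github.com/carol/old/archive/refs/tags/v0.1.tar.gz
git+ssh://git@github.com/dave/gone.git
"""

# Constructed stand-in for github.com responses: url -> (status, Location).
FAKE_GITHUB = {
    "https://github.com/alice": (200, None),
    "https://github.com/alice/tool": (200, None),
    "https://github.com/bob": (404, None),
    "https://github.com/bob/lib": (301, "https://github.com/bob-org/lib"),
    "https://github.com/carol": (200, None),
    "https://github.com/carol/old": (301, "https://github.com/carol-org/old"),
}


def fake_status(url):
    return FAKE_GITHUB.get(url, (404, None))


def github_deps(requirements_text):
    """Return (line, owner, repo) for each requirement fetched from GitHub."""
    found = []
    for line in requirements_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        m = GITHUB_DEP.search(line)
        if m:
            repo = m.group("repo")
            repo = repo[:-4] if repo.endswith(".git") else repo
            found.append((line, m.group("owner"), repo))
    return found


class _NoRedirect(request.HTTPRedirectHandler):
    # Surface 3xx as HTTPError instead of following it; the redirect is the signal.
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def github_status(url, timeout=10):
    """Live lookup (network): status code and Location header for a github.com URL."""
    opener = request.build_opener(_NoRedirect)
    req = request.Request(url, method="HEAD", headers={"User-Agent": "repojacking-check"})
    try:
        with opener.open(req, timeout=timeout) as resp:
            return resp.status, None
    except error.HTTPError as e:
        return e.code, e.headers.get("Location")


REDIRECTS = (301, 302, 307, 308)


def assess(owner, repo, status_of):
    """Classify one dependency; status_of(url) -> (code, location)."""
    owner_code, _ = status_of(f"https://github.com/{owner}")
    repo_code, location = status_of(f"https://github.com/{owner}/{repo}")
    owner_exists = owner_code == 200
    if repo_code in REDIRECTS and not owner_exists:
        # Classic RepoJacking: installs still succeed through the redirect, and
        # whoever registers the old owner name and recreates the repo takes over.
        return "SUSCEPTIBLE", f"redirects to {location}, old owner name is unregistered"
    if repo_code in REDIRECTS:
        return "TRANSFERRED", f"redirects to {location}, owner account still exists"
    if repo_code == 404 and not owner_exists:
        return "CLAIMABLE", "owner account and repo are gone, both names can be re-registered"
    if repo_code == 404:
        return "MISSING", "repo not found, owner account exists"
    if repo_code == 200:
        return "OK", ""
    return "UNKNOWN", f"HTTP {repo_code}"


def scan(requirements_text, status_of=github_status):
    """Assess every GitHub dependency; returns (line, owner, repo, verdict, detail)."""
    return [(line, owner, repo, *assess(owner, repo, status_of))
            for line, owner, repo in github_deps(requirements_text)]


if __name__ == "__main__":
    # Offline demo against the constructed table; pass github_status for a live check.
    for line, owner, repo, verdict, detail in scan(SAMPLE_REQUIREMENTS, fake_status):
        print(f"{verdict:<12} {owner}/{repo}  {detail}")
```

    The fix for a SUSCEPTIBLE entry is to point the requirement at the redirect target (or better, at a pinned commit of it) rather than relying on the redirect. Two caveats for a live run: GitHub retires the old namespace of some heavily cloned repositories after a rename, so a redirect is not always claimable and the report should be verified by hand; and a "TRANSFERRED" result still deserves a look, because the old path only stays safe as long as the original owner keeps the account.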

  • ochrona-cli

    A command line tool for detecting vulnerabilities in Python dependencies and doing safe package installs

NOTE: The open source projects on this list are ordered by number of GitHub stars. The number of mentions indicates repo mentions in the last 12 months or since we started tracking (Dec 2020).

Python supply-chain related posts

  • UEFI Software Bill of Materials Proposal

    8 projects | news.ycombinator.com | 14 Nov 2023
  • How Attackers Can Sneakily Slip Malware Packages Into Poetry.lock Files

    2 projects | /r/Python | 2 May 2023
  • bomber - a vulnerability scanner for SBOMs

    2 projects | /r/netsec | 23 Aug 2022
  • Freezing Requirements with Pip-Tools

    10 projects | news.ycombinator.com | 15 Jul 2022
  • Gym like frameworks for combinatorial optimization on Graphs?

    2 projects | /r/reinforcementlearning | 15 Jun 2022
  • Show HN: Seal – Verifiable timestamp for your private ideas

    4 projects | news.ycombinator.com | 5 Jun 2022
  • pip-audit - a tool for scanning Python environments for packages with known vulnerabilities

    1 project | /r/bag_o_news | 5 Dec 2021

Index

What are some of the best open-source supply-chain projects in Python? This list will help you:

Project Stars
1 pip-audit 920
2 in-toto 835
3 packj 616
4 or-gym 355
5 sigstore-python 212
6 chainjacking 53
7 ochrona-cli 52
