depenemy 0.1.0__tar.gz

depenemy-0.1.0/.depenemy.yml

@@ -0,0 +1,43 @@
+# depenemy configuration
+# All thresholds are configurable. Set a rule to false to disable it.
+
+thresholds:
+  min_weekly_downloads: 1000
+  min_total_downloads: 10000
+  min_author_account_age_days: 365
+  min_package_age_days: 180
+  max_stale_days: 730
+  min_contributors: 5
+  max_version_lag: 10           # how many minor versions behind is too old
+  typosquatting_distance: 1     # max edit distance to flag as typosquatting
+
+rules:
+  B001: warning  # range specifier (^, ~, >=, *) - hygiene
+  B002: error    # no version pinned - active risk
+  B003: warning  # lagging version - hygiene, CVEs caught by R007
+  R001: warning  # young author account - signal, not proof
+  R002: warning  # young package - signal, not proof
+  R003: warning  # low weekly downloads - signal
+  R004: warning  # low total downloads - signal
+  R005: warning  # stale package - maintenance issue, not active threat
+  R006: warning  # few contributors - signal
+  R007: error    # target version below known security patch - active threat
+  R008: warning  # deprecated - should migrate, not urgent
+  R009: warning  # typosquatting suspected - signal
+  S001: error    # install scripts present - executes code on install
+  S002: warning  # no source repository linked - hygiene
+  S003: warning  # source repository archived - maintenance issue
+  S004: warning  # dependency confusion - signal
+  S005: error    # known malicious package history in OSV - active threat
+
+# Packages to ignore (with reason)
+ignore: []
+# ignore:
+#   - name: my-internal-package
+#     ecosystem: npm
+#     reason: "internal fork, not on public registry"
+
+# Ecosystems to scan (default: all detected)
+# ecosystems:
+#   - npm
+#   - pypi

depenemy-0.1.0/.github/workflows/ci.yml

@@ -0,0 +1,75 @@
+name: CI
+
+on:
+  push:
+    branches: [main, develop]
+  pull_request:
+    branches: [main]
+
+jobs:
+  test:
+    name: Test (Python ${{ matrix.python-version }})
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        python-version: ["3.11", "3.12"]
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@v5
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install dependencies
+        run: |
+          pip install -e ".[dev]"
+
+      - name: Lint with ruff
+        run: ruff check .
+
+      - name: Type check with mypy
+        run: mypy depenemy
+
+      - name: Run tests
+        run: pytest --cov=depenemy --cov-report=xml
+
+      - name: Upload coverage
+        uses: codecov/codecov-action@v4
+        if: matrix.python-version == '3.11'
+        with:
+          file: ./coverage.xml
+
+  self-scan:
+    name: Self-scan (depenemy scans itself)
+    runs-on: ubuntu-latest
+    needs: test
+    permissions:
+      contents: read
+      security-events: write
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install depenemy
+        run: pip install -e .
+
+      - name: Run depenemy on this repo
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          depenemy scan . --output sarif --output-file depenemy.sarif --fail-on error || true
+
+      - name: Upload SARIF
+        uses: github/codeql-action/upload-sarif@v4
+        if: always()
+        continue-on-error: true
+        with:
+          sarif_file: depenemy.sarif
+          category: depenemy-self-scan

depenemy-0.1.0/.github/workflows/publish.yml

@@ -0,0 +1,30 @@
+name: Publish to PyPI
+
+on:
+  release:
+    types: [published]
+
+jobs:
+  publish:
+    name: Publish to PyPI
+    runs-on: ubuntu-latest
+    environment: pypi
+    permissions:
+      id-token: write  # Required for trusted publishing
+
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install build tools
+        run: pip install hatchling build
+
+      - name: Build package
+        run: python -m build
+
+      - name: Publish to PyPI
+        uses: pypa/gh-action-pypi-publish@release/v1

depenemy-0.1.0/.gitignore

@@ -0,0 +1,58 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.so
+.Python
+build/
+dist/
+eggs/
+.eggs/
+lib/
+lib64/
+parts/
+sdist/
+var/
+wheels/
+*.egg-info/
+.installed.cfg
+*.egg
+MANIFEST
+.venv/
+venv/
+ENV/
+env/
+
+# Testing
+.tox/
+.nox/
+.coverage
+.coverage.*
+coverage.xml
+htmlcov/
+.pytest_cache/
+.mypy_cache/
+
+# IDEs
+.idea/
+.vscode/
+*.swp
+*.swo
+
+# OS
+.DS_Store
+Thumbs.db
+
+# depenemy output
+.depenemy_cache/
+depenemy-results.json
+
+# local demo
+demo/
+
+# Team coordination
+TODO.md
+
+# Secrets
+.env
+*.key

depenemy-0.1.0/.pre-commit-config.yaml

@@ -0,0 +1,11 @@
+repos:
+  - repo: https://github.com/W3OSC/depenemy
+    rev: v0.1.0
+    hooks:
+      - id: depenemy
+        name: depenemy dependency scan
+        language: python
+        entry: depenemy scan
+        args: [--fail-on, error]
+        pass_filenames: false
+        always_run: true

depenemy-0.1.0/CHANGELOG.md

@@ -0,0 +1,26 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+## [0.1.0] - 2026-04-09
+
+### Added
+- Initial release
+- npm and PyPI ecosystem support
+- Behavioral checks: range specifiers, unpinned versions, lagging versions
+- Reputation checks: author age, package age, download counts, contributors, staleness, known CVEs, deprecated packages, typosquatting
+- Supply chain checks: install scripts, missing source repo, archived repo, dependency confusion, known malicious packages
+- Deprecated package detection
+- OSV.dev integration for security advisories
+- SARIF 2.1.0 output (GitHub Code Scanning compatible)
+- Rich terminal table output
+- JSON output
+- Disk-backed caching
+- GitHub Action support
+- Pre-commit hook support
+- Configurable thresholds via `.depenemy.yml`

depenemy-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 W3OSC
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

depenemy-0.1.0/PKG-INFO

@@ -0,0 +1,268 @@
+Metadata-Version: 2.4
+Name: depenemy
+Version: 0.1.0
+Summary: Dependency scanner that finds your enemies in the supply chain
+Project-URL: Homepage, https://github.com/W3OSC/depenemy
+Project-URL: Repository, https://github.com/W3OSC/depenemy
+Project-URL: Issues, https://github.com/W3OSC/depenemy/issues
+Project-URL: Changelog, https://github.com/W3OSC/depenemy/blob/main/CHANGELOG.md
+Author-email: W3OSC <contact@w3osc.com>
+License: MIT License
+        
+        Copyright (c) 2026 W3OSC
+        
+        Permission is hereby granted, free of charge, to any person obtaining a copy
+        of this software and associated documentation files (the "Software"), to deal
+        in the Software without restriction, including without limitation the rights
+        to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+        copies of the Software, and to permit persons to whom the Software is
+        furnished to do so, subject to the following conditions:
+        
+        The above copyright notice and this permission notice shall be included in all
+        copies or substantial portions of the Software.
+        
+        THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+        IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+        FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+        AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+        LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+        OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+        SOFTWARE.
+License-File: LICENSE
+Keywords: dependencies,sarif,sbom,scanner,security,supply-chain
+Classifier: Development Status :: 3 - Alpha
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Quality Assurance
+Requires-Python: >=3.9
+Requires-Dist: anyio>=4.4.0
+Requires-Dist: httpx>=0.27.0
+Requires-Dist: pyyaml>=6.0
+Requires-Dist: rich>=13.7.0
+Requires-Dist: tomli>=2.0.0; python_version < '3.11'
+Requires-Dist: typer>=0.12.0
+Provides-Extra: dev
+Requires-Dist: mypy>=1.10.0; extra == 'dev'
+Requires-Dist: pytest-asyncio>=0.23.0; extra == 'dev'
+Requires-Dist: pytest-cov>=5.0.0; extra == 'dev'
+Requires-Dist: pytest>=8.0.0; extra == 'dev'
+Requires-Dist: respx>=0.21.0; extra == 'dev'
+Requires-Dist: ruff>=0.4.0; extra == 'dev'
+Requires-Dist: types-pyyaml>=6.0.0; extra == 'dev'
+Description-Content-Type: text/markdown
+
+<div align="center">
+
+<img src="assets/logos/logo.svg" alt="depenemy" width="380"/>
+
+**Your dependencies could be your enemy.**
+
+Depenemy scans your project for supply chain risks, behavioral issues, and reputation red flags - before they can do damage.
+
+[![CI](https://github.com/W3OSC/depenemy/actions/workflows/ci.yml/badge.svg)](https://github.com/W3OSC/depenemy/actions/workflows/ci.yml)
+[![PyPI](https://img.shields.io/pypi/v/depenemy)](https://pypi.org/project/depenemy/)
+[![Python 3.9+](https://img.shields.io/badge/python-3.9+-blue.svg)](https://www.python.org/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](LICENSE)
+
+</div>
+
+---
+
+## Why depenemy?
+
+Modern projects pull in hundreds of dependencies. Each one is a potential entry point for a supply chain attack - a compromised maintainer account, a typosquatted package, an old version with a known CVE, or a package that runs arbitrary code on install.
+
+Depenemy gives you **a single command** that audits all your dependencies across npm, Python, Rust, and Solidity - and tells you exactly what looks suspicious and why.
+
+---
+
+## What it detects
+
+### Behavioral risks
+
+| ID | Name | Description | Severity |
+|----|------|-------------|----------|
+| B001 | Range specifier | Version uses `^`, `~`, `>=`, `*` - allows unexpected updates | Warning |
+| B002 | No version pinned | No version specified at all | Error |
+| B003 | Lagging version | Pinned version is significantly behind latest | Warning |
+
+### Reputation signals
+
+| ID | Name | Description | Severity |
+|----|------|-------------|----------|
+| R001 | Young author account | Package author's GitHub account is < 12 months old | Warning |
+| R002 | New package | Package was first published < 6 months ago | Warning |
+| R003 | Low weekly downloads | < 1,000 weekly downloads | Warning |
+| R004 | Low total downloads | < 10,000 total downloads | Warning |
+| R005 | No updates in 2+ years | Last publish was over 2 years ago | Warning |
+| R006 | Few contributors | Fewer than 5 contributors on GitHub | Warning |
+| R007 | Known vulnerable version | Your version is below a known security patch (OSV/CVE) | Error |
+| R008 | Deprecated package | Package is officially marked as deprecated | Warning |
+| R009 | Typosquatting suspected | Name is suspiciously close to a popular package | Warning |
+
+### Supply chain risks
+
+| ID | Name | Description | Severity |
+|----|------|-------------|----------|
+| S001 | Install scripts | Package runs code at install time (`postinstall`, `preinstall`) | Error |
+| S002 | No source repository | No GitHub/GitLab link in package metadata | Warning |
+| S003 | Archived repository | Source repo has been archived or deleted | Warning |
+| S004 | Dependency confusion | Private package name found on public registry | Warning |
+| S005 | Known malicious package | Package has a recorded history of malicious activity (OSV) | Error |
+
+---
+
+## Supported ecosystems
+
+| Ecosystem | Manifest files |
+|-----------|----------------|
+| **npm / Node.js** | `package.json`, `package-lock.json`, `yarn.lock` |
+| **Python** | `requirements*.txt`, `pyproject.toml`, `Pipfile` |
+| **Rust** | `Cargo.toml` |
+| **Solidity** | Foundry / Hardhat (delegates to npm) |
+
+---
+
+## Installation
+
+```bash
+pip install depenemy
+```
+
+---
+
+## Usage
+
+### CLI
+
+```bash
+# Scan your project
+depenemy scan .
+
+# Scan a specific file
+depenemy scan pyproject.toml
+
+# Output as SARIF (for GitHub Code Scanning)
+depenemy scan . --output sarif --output-file results.sarif
+
+# Output as JSON to a custom filename (table scan always writes depenemy-results.json automatically)
+depenemy scan . --output json --output-file my-results.json
+
+# Pipe JSON output to another tool
+depenemy scan . --output json | jq '.findings'
+
+# Fail the command if any warnings exist (useful in CI)
+depenemy scan . --fail-on warning
+
+# List all available rules
+depenemy rules
+```
+
+**Example output:**
+<img width="1070" height="711" alt="image" src="https://github.com/user-attachments/assets/96d22774-9649-4b2e-ba09-c3311df8ae3c" />
+
+
+---
+
+### GitHub Action
+
+Add to your workflow and results appear automatically as [Code Scanning alerts](https://docs.github.com/en/code-security/code-scanning) on every pull request:
+
+```yaml
+- name: Scan dependencies
+  uses: W3OSC/depenemy@v0.1.0
+  with:
+    token: ${{ secrets.GITHUB_TOKEN }}
+    fail-on: error
+```
+
+---
+
+### Pre-commit hook
+
+Block pushes that introduce risky dependencies. Add to `.pre-commit-config.yaml`:
+
+```yaml
+repos:
+  - repo: https://github.com/W3OSC/depenemy
+    rev: v0.1.0
+    hooks:
+      - id: depenemy
+```
+
+---
+
+## Configuration
+
+Create `.depenemy.yml` in your repository root to customize thresholds, severities, and ignore specific packages:
+
+```yaml
+thresholds:
+  min_weekly_downloads: 1000       # R003 threshold
+  min_total_downloads: 10000       # R004 threshold
+  min_author_account_age_days: 365 # R001 threshold
+  min_package_age_days: 180        # R002 threshold
+  max_stale_days: 730              # R005 threshold
+  min_contributors: 5              # R006 threshold
+  max_version_lag: 10              # B003 threshold (minor versions)
+  typosquatting_distance: 1        # R009 threshold (edit distance)
+
+rules:
+  B001: warning   # downgrade range specifier to warning
+  R003: false     # disable low downloads check entirely
+
+ignore:
+  - name: my-internal-package
+    ecosystem: npm
+    reason: "Internal fork, not on public registry"
+  - name: legacy-tool
+    ecosystem: pypi
+    reason: "Approved exception, tracked in JIRA-1234"
+```
+
+Set a rule to `false` to disable it entirely. All other rules accept `warning` or `error`.
+
+---
+
+## Output formats
+
+| Format | Flag | Best for |
+|--------|------|----------|
+| Table (default) | `--output table` | Terminal / CI logs |
+| SARIF | `--output sarif` | GitHub Code Scanning |
+| JSON | `--output json` | Custom integrations, dashboards |
+
+---
+
+## How it works
+
+<img width="619" height="813" alt="image" src="https://github.com/user-attachments/assets/07a028e4-5c1f-402e-804e-c9e63148d0aa" />
+
+API responses are cached for **6 hours** in `.depenemy_cache/` to avoid rate limits on repeated runs. Use `--no-cache` to force fresh data.
+
+---
+
+## GitHub Token
+
+A GitHub token unlocks author account age (R001) and contributor count (R006) checks. Without it, those rules are skipped.
+
+```bash
+# CLI
+depenemy scan . --github-token ghp_xxxx
+
+# Or via environment variable
+GITHUB_TOKEN=ghp_xxxx depenemy scan .
+```
+
+In GitHub Actions, `${{ secrets.GITHUB_TOKEN }}` is available automatically.
+
+---
+
+## License
+
+MIT - see [LICENSE](LICENSE)