gate-cli 0.1.0__tar.gz

gate_cli-0.1.0/.gitignore

@@ -0,0 +1,10 @@
+__pycache__/
+*.py[cod]
+*.egg-info/
+dist/
+build/
+.eggs/
+.pytest_cache/
+.ruff_cache/
+*.egg
+MANIFEST

gate_cli-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Mika
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

gate_cli-0.1.0/PKG-INFO

@@ -0,0 +1,149 @@
+Metadata-Version: 2.4
+Name: gate-cli
+Version: 0.1.0
+Summary: Supply chain security scanner for npm and pip packages
+Project-URL: Homepage, https://github.com/Mhacker1020/gate
+Project-URL: Repository, https://github.com/Mhacker1020/gate
+Project-URL: Issues, https://github.com/Mhacker1020/gate/issues
+License: MIT
+License-File: LICENSE
+Keywords: cve,npm,pip,sbom,security,supply-chain
+Classifier: Development Status :: 3 - Alpha
+Classifier: Environment :: Console
+Classifier: Intended Audience :: Developers
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Requires-Python: >=3.12
+Provides-Extra: dev
+Requires-Dist: pytest; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# gate
+
+Supply chain security scanner for npm and pip packages.
+
+Checks packages for known CVEs, quarantines newly published versions, and warns about suspicious install scripts — before they hit your project.
+
+```
+  ✓ flask 3.1.1
+  ✗ requests 2.28.0
+    CVE-2023-32681: Unintended leak of Proxy-Authorization header
+  ⚠ urllib3 2.3.0
+    Published 2 day(s) ago (quarantine window: 7 days)
+```
+
+## Why
+
+Supply chain attacks increasingly target the window between a package being published and being detected as malicious. Existing tools (Trivy, Snyk, Dependabot) catch *known* CVEs but miss:
+
+- Newly published malicious versions not yet in any database
+- Install scripts that run arbitrary code on `pip install`
+
+Gate adds a quarantine window — new versions are flagged until the community has had time to catch problems.
+
+**Zero runtime dependencies.** A supply chain security tool that trusts its own supply chain is not a security tool.
+
+## Checks
+
+| Check | What it catches |
+|-------|----------------|
+| CVE scan | Known vulnerabilities via OSV.dev |
+| Quarantine window | Versions published within N days |
+| Install scripts | npm packages running suspicious install hooks |
+| Hash verification | Detects tampered packages via lock file integrity checks |
+| Maintainer change | Flags when a package owner has changed between versions |
+| SBOM export | Generates a CycloneDX 1.6 Software Bill of Materials |
+
+## Installation
+
+```bash
+pip install gate-cli
+```
+
+Requires Python 3.12+.
+
+## Usage
+
+### Check a single package
+
+```bash
+gate check requests
+gate check requests==2.28.0
+gate check lodash --npm
+gate check lodash==4.17.15 --npm
+```
+
+### Scan all packages in a project
+
+Automatically detects `requirements.txt` or `package-lock.json`:
+
+```bash
+gate scan
+```
+
+Exit code is non-zero if errors are found — suitable for CI pipelines.
+
+### Export a CycloneDX SBOM
+
+```bash
+gate scan --sbom                  # print to stdout
+gate scan --sbom report.cdx.json  # write to file
+```
+
+### Install as a git pre-commit hook
+
+```bash
+gate init
+```
+
+Gate will run automatically on every `git commit` when lock files change. To remove:
+
+```bash
+gate uninstall
+```
+
+## Configuration
+
+Create `.gate.toml` in your project root to override defaults:
+
+```toml
+quarantine_days = 14
+
+fail_on = ["critical_cve", "install_script"]
+warn_on = ["recent_release"]
+```
+
+| Option | Default | Description |
+|--------|---------|-------------|
+| `quarantine_days` | `7` | Days a new release must age before passing |
+| `fail_on` | `["critical_cve", "install_script"]` | Conditions that block the commit / exit 1 |
+| `warn_on` | `["recent_release"]` | Conditions that warn but allow through |
+
+Move `recent_release` from `warn_on` to `fail_on` to enforce the quarantine window strictly.
+
+## Supported ecosystems
+
+| Ecosystem | Lock file | Registry |
+|-----------|-----------|----------|
+| PyPI | `requirements.txt` | pypi.org |
+| npm | `package-lock.json` | registry.npmjs.org |
+
+CVE data is sourced from [OSV.dev](https://osv.dev) — Google's open vulnerability database.
+
+## Contributing
+
+Gate is open source and built for the community. Contributions welcome.
+
+```bash
+git clone https://github.com/Mhacker1020/gate
+cd gate
+pip install -e ".[dev]"
+python -m pytest
+```
+
+## License
+
+MIT

gate_cli-0.1.0/README.md

@@ -0,0 +1,126 @@
+# gate
+
+Supply chain security scanner for npm and pip packages.
+
+Checks packages for known CVEs, quarantines newly published versions, and warns about suspicious install scripts — before they hit your project.
+
+```
+  ✓ flask 3.1.1
+  ✗ requests 2.28.0
+    CVE-2023-32681: Unintended leak of Proxy-Authorization header
+  ⚠ urllib3 2.3.0
+    Published 2 day(s) ago (quarantine window: 7 days)
+```
+
+## Why
+
+Supply chain attacks increasingly target the window between a package being published and being detected as malicious. Existing tools (Trivy, Snyk, Dependabot) catch *known* CVEs but miss:
+
+- Newly published malicious versions not yet in any database
+- Install scripts that run arbitrary code on `pip install`
+
+Gate adds a quarantine window — new versions are flagged until the community has had time to catch problems.
+
+**Zero runtime dependencies.** A supply chain security tool that trusts its own supply chain is not a security tool.
+
+## Checks
+
+| Check | What it catches |
+|-------|----------------|
+| CVE scan | Known vulnerabilities via OSV.dev |
+| Quarantine window | Versions published within N days |
+| Install scripts | npm packages running suspicious install hooks |
+| Hash verification | Detects tampered packages via lock file integrity checks |
+| Maintainer change | Flags when a package owner has changed between versions |
+| SBOM export | Generates a CycloneDX 1.6 Software Bill of Materials |
+
+## Installation
+
+```bash
+pip install gate-cli
+```
+
+Requires Python 3.12+.
+
+## Usage
+
+### Check a single package
+
+```bash
+gate check requests
+gate check requests==2.28.0
+gate check lodash --npm
+gate check lodash==4.17.15 --npm
+```
+
+### Scan all packages in a project
+
+Automatically detects `requirements.txt` or `package-lock.json`:
+
+```bash
+gate scan
+```
+
+Exit code is non-zero if errors are found — suitable for CI pipelines.
+
+### Export a CycloneDX SBOM
+
+```bash
+gate scan --sbom                  # print to stdout
+gate scan --sbom report.cdx.json  # write to file
+```
+
+### Install as a git pre-commit hook
+
+```bash
+gate init
+```
+
+Gate will run automatically on every `git commit` when lock files change. To remove:
+
+```bash
+gate uninstall
+```
+
+## Configuration
+
+Create `.gate.toml` in your project root to override defaults:
+
+```toml
+quarantine_days = 14
+
+fail_on = ["critical_cve", "install_script"]
+warn_on = ["recent_release"]
+```
+
+| Option | Default | Description |
+|--------|---------|-------------|
+| `quarantine_days` | `7` | Days a new release must age before passing |
+| `fail_on` | `["critical_cve", "install_script"]` | Conditions that block the commit / exit 1 |
+| `warn_on` | `["recent_release"]` | Conditions that warn but allow through |
+
+Move `recent_release` from `warn_on` to `fail_on` to enforce the quarantine window strictly.
+
+## Supported ecosystems
+
+| Ecosystem | Lock file | Registry |
+|-----------|-----------|----------|
+| PyPI | `requirements.txt` | pypi.org |
+| npm | `package-lock.json` | registry.npmjs.org |
+
+CVE data is sourced from [OSV.dev](https://osv.dev) — Google's open vulnerability database.
+
+## Contributing
+
+Gate is open source and built for the community. Contributions welcome.
+
+```bash
+git clone https://github.com/Mhacker1020/gate
+cd gate
+pip install -e ".[dev]"
+python -m pytest
+```
+
+## License
+
+MIT

gate_cli-0.1.0/pyproject.toml

@@ -0,0 +1,36 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "gate-cli"
+version = "0.1.0"
+description = "Supply chain security scanner for npm and pip packages"
+readme = "README.md"
+requires-python = ">=3.12"
+license = { text = "MIT" }
+keywords = ["security", "supply-chain", "npm", "pip", "cve", "sbom"]
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "Environment :: Console",
+    "Intended Audience :: Developers",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.12",
+    "Topic :: Security",
+    "Topic :: Software Development :: Libraries :: Python Modules",
+]
+
+[project.urls]
+Homepage = "https://github.com/Mhacker1020/gate"
+Repository = "https://github.com/Mhacker1020/gate"
+Issues = "https://github.com/Mhacker1020/gate/issues"
+
+[project.optional-dependencies]
+dev = ["pytest"]
+
+[project.scripts]
+gate = "gate.cli:main"
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/gate"]

gate_cli-0.1.0/src/gate/__init__.py

@@ -0,0 +1 @@
+__version__ = "0.1.0"

gate_cli-0.1.0/src/gate/checks/cve.py

@@ -0,0 +1,42 @@
+import json
+import urllib.request
+import urllib.error
+
+OSV_API = "https://api.osv.dev/v1/query"
+
+
+def check_cve(name: str, version: str, ecosystem: str) -> list[dict]:
+    payload = json.dumps({
+        "package": {"name": name, "ecosystem": ecosystem},
+        "version": version,
+    }).encode()
+
+    req = urllib.request.Request(
+        OSV_API,
+        data=payload,
+        headers={"Content-Type": "application/json"},
+        method="POST",
+    )
+
+    try:
+        with urllib.request.urlopen(req, timeout=10) as resp:
+            data = json.loads(resp.read())
+    except Exception:
+        return []
+
+    seen: set[str] = set()
+    vulns = []
+    for vuln in data.get("vulns", []):
+        cve_id = next(
+            (a for a in vuln.get("aliases", []) if a.startswith("CVE-")),
+            vuln.get("id", ""),
+        )
+        if cve_id in seen:
+            continue
+        seen.add(cve_id)
+        vulns.append({
+            "id": cve_id,
+            "summary": vuln.get("summary", "No description"),
+        })
+
+    return vulns

gate_cli-0.1.0/src/gate/checks/integrity.py

@@ -0,0 +1,59 @@
+def check_integrity(local: str, remote: str) -> dict:
+    """
+    Compare a locally stored integrity hash against the value from the registry.
+
+    Both values are expected in standard format:
+      npm:  "sha512-<base64>"
+      PyPI: "sha256:<hex>"
+    """
+    if not local or not remote:
+        return {"ok": True, "skipped": True, "message": "No hash to compare"}
+
+    match = local.strip() == remote.strip()
+    return {
+        "ok": match,
+        "skipped": False,
+        "local": local,
+        "remote": remote,
+        "message": None if match else "Hash mismatch — package may have been tampered with",
+    }
+
+
+def parse_requirements_hashes(path) -> dict[str, dict[str, str]]:
+    """
+    Parse hashes from a requirements.txt file that was generated with
+    pip-compile --generate-hashes or pip install --require-hashes.
+
+    Returns: {package_name_lower: {version: "sha256:<hex>"}}
+
+    Example line:
+        requests==2.28.0 \\
+            --hash=sha256:ae72a32d...
+    """
+    import re
+    from pathlib import Path
+
+    text = Path(path).read_text(encoding="utf-8")
+    # Join continuation lines
+    text = re.sub(r"\\\n\s*", " ", text)
+
+    result: dict[str, dict[str, str]] = {}
+    for line in text.splitlines():
+        line = line.strip()
+        if not line or line.startswith("#"):
+            continue
+        if "==" not in line:
+            continue
+
+        # Extract name==version
+        spec_part = line.split()[0]
+        name, version = spec_part.split("==", 1)
+        name = name.strip().lower()
+        version = version.strip()
+
+        # Extract first sha256 hash
+        match = re.search(r"--hash=sha256:([a-f0-9]+)", line)
+        if match:
+            result.setdefault(name, {})[version] = f"sha256:{match.group(1)}"
+
+    return result

gate_cli-0.1.0/src/gate/checks/maintainer.py

@@ -0,0 +1,32 @@
+def check_maintainer_change(
+    current: list[str],
+    previous: list[str],
+) -> dict:
+    """
+    Compare maintainer lists between two versions.
+    Returns a dict describing any changes found.
+    """
+    current_set = set(current)
+    previous_set = set(previous)
+
+    added = current_set - previous_set
+    removed = previous_set - current_set
+
+    if not added and not removed:
+        return {"ok": True, "added": [], "removed": []}
+
+    return {
+        "ok": False,
+        "added": sorted(added),
+        "removed": sorted(removed),
+        "message": _format_message(added, removed),
+    }
+
+
+def _format_message(added: set[str], removed: set[str]) -> str:
+    parts = []
+    if added:
+        parts.append(f"new maintainer(s): {', '.join(sorted(added))}")
+    if removed:
+        parts.append(f"removed maintainer(s): {', '.join(sorted(removed))}")
+    return "; ".join(parts)

gate_cli-0.1.0/src/gate/checks/quarantine.py

@@ -0,0 +1,18 @@
+from datetime import datetime, timezone
+
+
+def check_quarantine(published: datetime | None, quarantine_days: int = 7) -> dict:
+    if published is None:
+        return {"ok": True, "days_old": None, "message": None}
+
+    now = datetime.now(timezone.utc)
+    days_old = (now - published).days
+
+    if days_old < quarantine_days:
+        return {
+            "ok": False,
+            "days_old": days_old,
+            "message": f"Published {days_old} day(s) ago (quarantine window: {quarantine_days} days)",
+        }
+
+    return {"ok": True, "days_old": days_old, "message": None}

gate_cli-0.1.0/src/gate/checks/scripts.py

@@ -0,0 +1,51 @@
+import re
+
+# Patterns that indicate a script is doing something suspicious
+_SUSPICIOUS: list[tuple[str, str]] = [
+    (r"\bcurl\b",           "network fetch (curl)"),
+    (r"\bwget\b",           "network fetch (wget)"),
+    (r"\bfetch\b",          "network fetch (fetch)"),
+    (r"\bbase64\b",         "base64 encoding"),
+    (r"atob\s*\(",          "base64 decode (atob)"),
+    (r"Buffer\.from\b",     "binary decoding (Buffer.from)"),
+    (r"\beval\s*\(",        "eval execution"),
+    (r"Function\s*\(",      "dynamic code execution (Function)"),
+    (r"\bexec\s*\(",        "shell execution (exec)"),
+    (r"\bspawn\s*\(",       "shell execution (spawn)"),
+    (r"\bchild_process\b",  "child process usage"),
+    (r"https?://",          "hardcoded URL"),
+    (r"\b(?:\d{1,3}\.){3}\d{1,3}\b", "hardcoded IP address"),
+    (r"\bpowershell\b",     "PowerShell execution"),
+    (r"\bchmod\b",          "permission change"),
+    (r"process\.env\b",     "environment variable access"),
+]
+
+
+def analyze_script(script: str) -> list[str]:
+    """Return a list of suspicious pattern descriptions found in the script."""
+    found = []
+    for pattern, description in _SUSPICIOUS:
+        if re.search(pattern, script, re.IGNORECASE):
+            found.append(description)
+    return found
+
+
+def check_install_scripts(install_scripts: dict[str, str]) -> dict:
+    """
+    Analyze install scripts for suspicious patterns.
+    Returns a dict with 'ok', 'findings' (per script), and 'suspicious' flag.
+    """
+    if not install_scripts:
+        return {"ok": True, "findings": {}}
+
+    findings: dict[str, list[str]] = {}
+    for script_name, script_body in install_scripts.items():
+        patterns = analyze_script(script_body)
+        if patterns:
+            findings[script_name] = patterns
+
+    return {
+        "ok": len(findings) == 0,
+        "findings": findings,
+        "raw": install_scripts,
+    }