This project forked from gatewaynode/audit_automation_tools

Some tools I've created for simplifying the task of doing a security audit against pip and PyPI.

License: GNU General Public License v3.0

Python 100.00%

Audit Tools

Some simple tooling to help automate a security audit for pip and PyPI. Right now this just contains a wrapper called pip_audit.py that uses pip to download a non-binary version of a package, crack open the archive and run the plugins against it. The resulting reports (along with the source and wheel) are stored in a local_files directory inside this codebase. By default there is no stdout, as this is meant to be run under an automation orchestrator. If you are just trying it out on the CLI, the verbose flag, -v, must be supplied to see what it is doing.

The scanners, currently just Bandit and Detect Secrets, are run as plugins (YAPSY) from the plugin directory. More are planned.
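As an added example (not the project's own pip_audit.py), here is a minimal version of the extract-then-run-plugins step described above, with the caveat a practitioner would want: an sdist is untrusted input, so the extraction step refuses archive members that would write outside the work directory (traversal paths, absolute paths, links). The names safe_extract, exec_calls_plugin, audit_archive and run_demo, the toy plugin standing in for Bandit, and the sample archive are all constructed for this example.

```python
import io
import json
import tarfile
import tempfile
from pathlib import Path

def safe_extract(archive: Path, dest: Path) -> list:
    """Extract a tar into dest, skipping links and any member whose resolved path
    escapes dest; a malicious sdist must not be able to write outside dest."""
    dest = dest.resolve()
    skipped = []
    with tarfile.open(archive) as tar:
        for m in tar.getmembers():
            target = (dest / m.name).resolve()
            if (target != dest and dest not in target.parents) or not (m.isfile() or m.isdir()):
                skipped.append(m.name)  # '../', absolute, symlink or hardlink entries
                continue
            tar.extract(m, dest)
    return skipped

def exec_calls_plugin(src: Path) -> list:
    """Toy scanner plugin (constructed stand-in for Bandit): flag lines calling exec()/eval()."""
    return [{"file": str(py.relative_to(src)), "line": n}
            for py in src.rglob("*.py")
            for n, line in enumerate(py.read_text(errors="replace").splitlines(), 1)
            if "exec(" in line or "eval(" in line]

def audit_archive(archive: Path, local_files: Path, plugins: dict) -> dict:
    """Extract one downloaded archive under local_files and write a JSON report per plugin."""
    src = local_files / "src" / archive.name
    src.mkdir(parents=True, exist_ok=True)
    report = {"archive": archive.name, "skipped": safe_extract(archive, src), "plugins": {}}
    for name, plugin in plugins.items():
        findings = plugin(src)
        (local_files / f"{archive.name}.{name}.json").write_text(json.dumps(findings, indent=2))
        report["plugins"][name] = len(findings)
    return report

def run_demo() -> dict:
    """Audit a constructed sdist: one module with an eval() call plus a '../' member."""
    work = Path(tempfile.mkdtemp())
    with tarfile.open(work / "demo-0.1.tar.gz", "w:gz") as tar:
        for name, text in [("demo-0.1/setup.py", "import os\neval(os.environ.get('X', '0'))\n"),
                           ("../escaped.txt", "must never land outside the extraction dir\n")]:
            info = tarfile.TarInfo(name)
            info.size = len(text.encode())
            tar.addfile(info, io.BytesIO(text.encode()))
    report = audit_archive(work / "demo-0.1.tar.gz", work / "local_files", {"exec_calls": exec_calls_plugin})
    report["escaped"] = (work / "local_files" / "src" / "escaped.txt").exists()
    return report
```

run_demo() returns the per-plugin finding counts, the list of skipped members and whether the traversal member reached the filesystem; the real tool would pass the directory pip downloaded into instead of the constructed archive.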

Currently pre-0.1 release. No APIs are stable!

The task runner is Python Invoke instead of the Makefile I usually provide.

The code formatter is Black (if contributing run this before requesting a pull).

Testing framework is PyTest.

The Python version is 3.7.3.

Built and "tested" on Linux, KDE Neon latest stable.

Usage

Usage: pip_audit.py [OPTIONS]

Options:
  -p, --package TEXT  The PyPI package to audit
  -o, --output TEXT   The directory to unarchive into.
  -v, --verbose       Show more information.
  -d, --debug         Internal data information.
  -j, --json          Run scanners with JSON output.  Disables verbose.
  -i, --input TEXT    Input list file, in json format, of packages to scan.
  -s, --save_files    CAUTION! Don't clean up the pip downloads and extracted archive files.  Careful, the whole PyPI archive has over 2 million files
  --help              Show this message and exit.

Audit a single package:

./pip_audit.py -v -p urllib3

You'll get some files in a directory off the source code root called local_files; these are the reports from the various plugins.

Audit a JSON list of packages:

./pip_audit.py -v -i my_list.json

You can also download the entire list of PyPI packages with the invoke task:

invoke megaupdate

Or download a more reasonably sized top 5000 list of PyPI packages:

invoke top5000

Input is handled with Click so there is some basic help as well.

./pip_audit.py --help

Install

Install Python Invoke and invoke the virtualenv build (you might need to install python-invoke first).

invoke virtualenv
source env/bin/activate

Contributing

As always, please fork away, merge requests are welcome, open issues and such. There is a discussion board at https://www.reddit.com/r/pipsecurity/

The best way to contribute is by providing additional plugins in the plugins directory, by default all plugins will be run against the files in the archive that pip downloads. This is subject to change as there will be a way to control which plugins are run in the near future.

Roadmap

  • Summary reports of plugins that support them
  • Automatic reporting of summaries to Github projects
  • PyLint plugin
  • ElasticSearch results storage mode
  • CLI integration
  • Plugin execution control

Contributors

dependabot[bot], gatewaynode, roadelou