package-scan documentation

Welcome to the package-scan documentation!

🐙 GitHub Repository: https://github.com/thekitchencoder/package-scan

package-scan is a multi-ecosystem package threat scanner that detects compromised packages across npm, Maven/Gradle, and Python (pip) projects.

Contents:

• Introduction
  • Overview
  • Why package-scan?
  • Key Capabilities
  • The Incident Response Workflow
  • Supported Ecosystems
  • Threat Database
  • How It Works
• Installation
  • Requirements
  • Installation Methods
  • Using Docker
  • Development Installation
  • Upgrading
  • Uninstallation
  • Troubleshooting
• Usage
  • Basic Usage
  • Threat Selection
  • Ecosystem Selection
  • Output Options
  • Listing Compromised Packages
  • Docker Usage
  • Legacy Commands
  • Common Use Cases
  • Troubleshooting
  • Output Format
• Architecture
  • Overview
  • Core Components
  • Ecosystem Adapters
  • Data Flow
  • Adding New Ecosystems
  • Design Principles
  • Performance Considerations
  • Security Considerations
• API Reference
  • Core API
  • Adapters API
  • Core Modules
  • Ecosystem Adapters
• Contributing
  • Development Setup
  • Running Tests
  • Code Style
  • Testing Guidelines
  • Adding New Adapters
  • Adding New Threats
  • Documentation
  • Pull Request Process
  • Commit Message Guidelines
  • Bug Reports
  • Feature Requests
  • Code of Conduct
  • Getting Help
  • License

Introduction

package-scan is a Python CLI tool designed to detect compromised packages across multiple ecosystems. It scans projects against a CSV database of known compromised packages from various supply chain attacks.

Supported Ecosystems:

• npm: JavaScript/Node.js packages (package.json, lockfiles, node_modules)

• maven: Java packages via Maven (pom.xml) and Gradle (build.gradle)

• pip: Python packages via pip, Poetry, Pipenv, and conda

Quick Start

Install the package:

pip install -e .

Scan your project:

package-scan                        # Scan current directory
package-scan --threat sha1-Hulud    # Scan for specific threat
package-scan --ecosystem npm        # Scan npm only

Features

• Multi-Ecosystem Support: Scans npm, Maven/Gradle, and Python projects

• Threat-Based Scanning: Target specific supply chain attacks

• Version Range Matching: Detects vulnerable versions in ranges (^, ~, >=, etc.)

• Detailed Reporting: JSON reports with comprehensive threat findings

• Modular Architecture: Easy to extend with new ecosystems

• Docker Support: Containerized scanning for CI/CD pipelines

Indices and tables

• Index

• Module Index

• Search Page