Metadata-Version: 2.4
Name: safedep
Version: 0.1.1
Summary: Protect your dependencies from supply chain attacks.
Author-email: Márcio Reck <marcio@fazmercado.com>
License: MIT
Classifier: Programming Language :: Python :: 3
Classifier: Operating System :: OS Independent
Requires-Python: >=3.9
Description-Content-Type: text/markdown
Requires-Dist: requests
Requires-Dist: click
Requires-Dist: rich

# 🛡️ SafeDep: Your Dependency Guardian

**SafeDep** is an open-source tool designed to protect developers from Supply Chain Attacks. It analyzes packages and dependencies for malicious behavior, data exfiltration, and hidden vulnerabilities before you even install them.

> "Don't just scan for known vulnerabilities. Detect suspicious behavior."

---

## ✨ Why SafeDep?

The package ecosystem (PyPI, NPM, Cargo) is under constant attack from *Typosquatting*, *Dependency Injection*, and *Trojan Horses*. SafeDep goes beyond standard vulnerability databases (CVEs) by analyzing both the **static and dynamic behavior** of the code.

### Key Features
- 🔍 **Pre-install Sandbox**: Runs installation scripts in an isolated environment to monitor what they attempt to access.
- 📡 **Network Monitor**: Alerts you if a "text processing" package tries to make requests to unknown IP addresses.
- 🔑 **Secret Leak Detection**: Identifies if a package attempts to read your environment variables (`.env`) or API keys.
- 🏷️ **Typosquatting Protection**: Checks if a package name is dangerously similar to a popular one.

---

## 🛠️ Getting Started

To use **SafeDep** locally, clone the repository and install it in editable mode:

```bash
# create a virtual environment
python3 -m venv venv
source venv/bin/activate

# Install dependencies
pip install -r requirements.txt

# Install SafeDep in editable mode (so code changes are reflected immediately)
pip install -e .
```

### Sandbox Requirements
For behavioral analysis, **Docker** or **Podman** must be installed and running.
```bash
# Check if docker is available
docker --version
```

## 🚀 How to Use (CLI)

SafeDep provides several commands:


### 1. Check a package before installing
Analyzes a package (remote) for typosquatting and reputation risks.

**Python (default):**
```bash
safedep check <package_name>
```

**Python Typosquatting Example:**
```bash
# Detects similarity to 'requests'
safedep check requesst
```

**NPM:**
```bash
safedep check <package_name> --ecosystem npm
```

**Cargo (Rust):**
```bash
safedep check <package_name> --ecosystem cargo
```

### 2. Scan a local directory
Scans local files (**Python, JS, TS, NPM, Cargo**) for dangerous code patterns or suspicious dependencies (in `requirements.txt`, `package.json`, `Cargo.toml`). 

SafeDep automatically excludes common dependency and internal directories like `venv`, `node_modules`, and `.git` to focus on your project's source code.
```bash
safedep scan <path_to_directory>
```

### 3. Behavioral Analysis (Sandbox)
Runs a package installation in a Docker container and monitors for suspicious system calls.

**Python:**
```bash
safedep check <package_name> --sandbox
```

**NPM:**
```bash
safedep check <package_name> --ecosystem npm --sandbox
```

**Cargo:**
```bash
safedep check <package_name> --ecosystem cargo --sandbox
```

---

## 🗺️ Development Roadmap

### Phase 1: Foundation (MVP) - "The Scanner" ✅ (Implemented)
- ✅ Implementation of name similarity analysis (Anti-Typosquatting).
- ✅ Reputation verification (package creation date, author history).
- ✅ Static code scanner for dangerous functions.

### Phase 2: Intelligence (Beta) - "The Behavioralist" 🧠 ✅ (Implemented)
- ✅ Sandboxing: Integration with Docker/Podman to run setup.py and monitor system calls (syscalls).
- ✅ Multi-language Support: Support for NPM (Node.js) and Cargo (Rust) in addition to Python.
- ✅ CI/CD Integration: GitHub Actions to block PRs with suspicious dependencies.

### Phase 3: Community and Sustainability - "The Shield" 🛡️
SafeDep Hub: A community-driven database of "audited and clean" packages.
Security Badges: A system for repositories to display security trust seals.
Sponsorship Program: Launching the Sponsors program to maintain the heavy analysis infrastructure.

---

## 🤝 Contribute & Sponsor
This project is 100% free and community-focused.
If you believe in a safer software ecosystem, consider becoming a contributor or sponsor.
Give a ⭐ on GitHub
Report Bugs
Become a Sponsor: [GitHub Sponsors](https://github.com/sponsors/marcioreck) / [OpenCollective](https://opencollective.com/marcioreck)
Developed for those who prioritize security.
