Secure Pip Package Management Tool

Secpip - Secure Pip Package Management Tool

Secpip is a command line interface to manage (install, download, uninstall, migrate) Python libraries securely.

About The Project

Secpip is a command line interface to manage pip packages in a secure way.
Secpip checks whether the given package version has a known vulnerability according to the vulnerability database published as safety-db.
If the given package is vulnerable, Secpip tries to find available secure versions of the package.
Once a secure version of the package is found, it automatically installs the secure package (if the '--secure' and '--auto' flags are used).
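
The check described above, as an added example (not secpip's own code): it looks a package version up in a constructed snippet that follows the safety-db layout (package name mapped to advisories, each carrying a 'specs' list of vulnerable version ranges) and, for the '--auto' case, picks the lowest available release above the current one that has no advisory. The sample database, the release list and the "lowest secure release above the current one" selection policy are assumptions made for the example.

```python
import re

# Constructed sample in the shape of safety-db's insecure_full.json (not real advisories).
SAFETY_DB = {
    "examplepkg": [
        {"specs": ["<1.2.0"], "advisory": "constructed: fixed in 1.2.0"},
        {"specs": [">=2.0.0,<2.0.3"], "advisory": "constructed: fixed in 2.0.3"},
    ]
}

def parse_version(v):
    """Turn '1.2.3' into a comparable tuple of ints (simplified, numeric releases only)."""
    return tuple(int(p) for p in v.split("."))

def matches(version, spec):
    """True if version satisfies every comma-separated clause of a spec like '>=2.0.0,<2.0.3'."""
    ops = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
           ">=": lambda a, b: a >= b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b}
    for clause in spec.split(","):
        op, ver = re.fullmatch(r"\s*(<=|>=|==|!=|<|>)\s*([\d.]+)\s*", clause).groups()
        if not ops[op](parse_version(version), parse_version(ver)):
            return False
    return True

def is_vulnerable(name, version, db=SAFETY_DB):
    """The '--secure' check: vulnerable if any advisory's spec covers this version."""
    return any(matches(version, s) for adv in db.get(name.lower(), []) for s in adv["specs"])

def next_secure_version(name, version, available, db=SAFETY_DB):
    """The '--auto' step: lowest available release above `version` with no advisory.
    Returns None when no secure candidate exists (the tool then warns instead of replacing)."""
    candidates = sorted((v for v in available if parse_version(v) > parse_version(version)),
                        key=parse_version)
    for v in candidates:
        if not is_vulnerable(name, v, db):
            return v
    return None

if __name__ == "__main__":
    # Constructed release list; the real tool would query the package index for it.
    releases = ["1.0.0", "1.1.0", "1.2.0", "2.0.0", "2.0.1", "2.0.3"]
    print(is_vulnerable("examplepkg", "1.1.0"))                  # True
    print(next_secure_version("examplepkg", "1.1.0", releases))  # 1.2.0
    print(next_secure_version("examplepkg", "2.0.1", releases))  # 2.0.3
```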

Abilities of Secpip

  • Package vulnerability check and extraction from virtual environments.

  • Downloads (secure) pip packages when an offline installation to other environments or nodes is needed.

  • You can easily install libraries online and offline into virtual environments by using Secpip.

  • It is based on pip (it wraps pip commands), so you need pip installed.

  • It checks the security status of Python packages by using the safety library against published vulnerabilities.

  • It creates a report of the result of the operation.

  • It creates/builds/dumps Python virtual environments.

  • It uninstalls multiple packages from a virtual environment with one command by taking a requirements file.

  • It migrates a virtual environment to another or a new one securely.

Getting Started

Definitions and examples of the installation and usage of Secpip modules.
You can follow these steps to install and use Secpip.

Prerequisites

  • python3
  • pip
  • virtualenv : A tool for creating isolated virtual python environments.

Installation

  • First, install Python 3 and pip.

Install From Repo

  1. Clone the repo
git clone https://github.com/myasinsaglam/secpip.git
  2. Install requirements from requirements.txt
pip install -r requirements.txt
  3. Install Secpip

In project directory run

pip install .

or

python setup.py install

Install via pip

pip install secpip

Usage

Entrypoints and example commands are explained here.

Entrypoint

usage: secpip <command> [<args>]
Commands:
  install               Install pip packages by using secpip abilities (secure, report, auto_mode)
  dump                  Package/Download pip packages by using secpip abilities (secure, report, auto_mode)
  uninstall             Uninstall pip packages from venv as single or batch from requirements
  migrate               Migrate virtual environment to another one securely
  sync                  Synchronize Database from web
General Options:
  --secure              Secure option to check known vulnerabilities. If package is not secure operation not allowed to package
  --auto                Use with secure option. It replace vulnerable package with next secure version, If no secure package exists it create warning and install insecure one.      

Secure pip package manager...

positional arguments:
  command     {install, dump, uninstall}

optional arguments:
  -h, --help  show this help message and exit

Install

Install command description and arguments

usage: secpip install [-h] [--secure] [--auto] [--report REPORT_DIR]
              [-v ENVIRONMENT_DIR] [-p PACKAGE_DIR] [-r REQUIREMENTS_DIR]

Install pip packages as online or offline with security check

optional arguments:
  -h, --help            show this help message and exit
  --secure              A flag for security check option
  --auto                A flag for auto correct versions by replacing secure
                        one
  --report REPORT_DIR   Report Extraction Option
  -v ENVIRONMENT_DIR, --venv_dir ENVIRONMENT_DIR
                        Python environment path to install modules
  -p PACKAGE_DIR, --package_dir PACKAGE_DIR
                        Downloaded package directory for offline install
  -r REQUIREMENTS_DIR, --requirements_file REQUIREMENTS_DIR
                        Requirements txt i/o file path, default is
                        {current_path}/requirements.txt

Examples

  • Optional flags

    [--secure] - security check; if the package is not secure, the operation is not allowed on the vulnerable package

    [--auto] - automatically replace with a secure version

    [--report] report filename - writes the operation report to the given file.

  • Online single package install to a virtual environment (optional; if omitted, it installs into the current Python environment)
secpip install [package name] -v [venv dir] --secure --auto
  • Offline single package install from a package directory to a virtual environment (optional; if omitted, it installs into the current Python environment)
secpip install [package name] -v [venv dir] -p [downloaded package directory] --secure --auto
  • Online install of packages from a requirements file to a virtual environment
secpip install -r [requirements path] -v [venv dir] --secure --auto  --report [report filename]
  • Offline install of requirements file packages from a package directory to a virtual environment (optional; if omitted, it installs into the current Python environment)
secpip install -r [requirements path] -v [venv dir] -p [downloaded package directory] --secure --auto

Dump

Dump command description and arguments

usage: secpip dump [-h] [--secure] [--auto] [--report REPORT_DIR]
              [-v ENVIRONMENT_DIR] [-p PACKAGE_DIR] [-r REQUIREMENTS_DIR]

Dump pip packages:
            - from package name to to directory as setup file
            - from requirements to directory as setup files
            - from venv to directory as setup files
            - from venv to requirements as metadata

optional arguments:
  -h, --help            show this help message and exit
  --secure              A flag for security check option
  --auto                A flag for auto correct versions
  --report REPORT_DIR   Report Extraction Option
  -v ENVIRONMENT_DIR, --venv_dir ENVIRONMENT_DIR
                        Python environment path to extract installed modules
  -p PACKAGE_DIR, --package_dir PACKAGE_DIR
                        Downloaded package directory for offline install
  -r REQUIREMENTS_DIR, --requirements_file REQUIREMENTS_DIR
                        Requirements txt i/o file path, default is
                        {current_path}/requirements.txt

Examples

  • Optional flags

    [--secure] - security check; if the package is not secure, the operation is not allowed on the vulnerable package

    [--auto] - automatically replace with a secure version

    [--report] report filename - writes the operation report to the given file.

  • Single package download to a directory
secpip dump [package name] -p [directory to download] --secure --auto
  • Download packages from a virtual environment to a directory
secpip dump -v [venv dir] -p [downloaded package directory] --secure --auto
  • Download packages from a requirements file to a directory
secpip dump -r [requirements path] -p [downloaded package directory] --secure --auto

Uninstall

Uninstall command description and arguments. This command was just added to uninstall multiple packages. :)

  • Multiple packages can be uninstalled from an environment by using the requirements file argument.
usage: secpip uninstall [-h] [-venv ENVIRONMENT_DIR] [-r REQUIREMENTS_DIR]

Uninstall pip packages as batch by using requirement file

optional arguments:
  -h, --help            show this help message and exit
  -v ENVIRONMENT_DIR, --venv_dir ENVIRONMENT_DIR
                        Python environment path that will be uninstall modules
                        from
  -r REQUIREMENTS_DIR, --requirements_file REQUIREMENTS_DIR
                        Requirements txt i/o file path, default is
                        {current_path}/requirements.txt

Examples

  • Optional flags

    [-v], [--venv_dir] - The environment directory is optional; if not given, it uses the currently active Python environment.

  • Single package uninstall from an environment
secpip uninstall [package name] -v [venv dir] --secure --auto
  • Multiple package uninstall from an environment
secpip uninstall -r [requirements path] -v [venv dir] --secure --auto

Migrate

Migrate command description and arguments

usage: secpip migrate [-h] [--secure] [--auto] [--report REPORT_DIR] -s SRC_VENV -d
              DST_VENV

Migrate virtual environment to another virtual environment

optional arguments:
  -h, --help            show this help message and exit
  --secure              A flag for security check option
  --auto                A flag for auto correct versions
  --report REPORT_DIR   Report Extraction Option
  -s SRC_VENV, --src SRC_VENV
                        Source Python environment path to migrate modules
  -d DST_VENV, --dst DST_VENV
                        Destination Python environment path to migrate modules

Examples

  • Optional flags

    [--secure] - security check; if the package is not secure, the operation is not allowed on the vulnerable package

    [--auto] - automatically replace with a secure version

    [--report] report filename - writes the operation report to the given file.

  • Migrate a virtual env to another (new) one securely
secpip migrate -s [Source Python environment path] -d [Destination Python environment path] --secure --auto

Sync

Just run the command below to sync the vulnerability database.

secpip sync

Roadmap

  • Improve Windows support -- it can currently only be installed in a virtual environment
  • Add an excluded-packages option
  • Collect vulnerabilities from different sources, validate them and extend the vulnerability database with AI (apply NLP techniques to vulnerability sources, source code analysis, etc.)
  • Service for vulnerability check

See the open issues for a list of proposed features (and known issues).

Contributing

Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.

  1. Fork the Project
  2. Create your Feature Branch (git checkout -b feature/AmazingFeature)
  3. Commit your Changes (git commit -m 'Add some AmazingFeature')
  4. Push to the Branch (git push origin feature/AmazingFeature)
  5. Open a Pull Request

License

Distributed under the MIT License. See LICENSE for more information.

Contact

M.Yasin SAGLAM - myasinsaglam@crypttech.com

Project Link: https://github.com/myasinsaglam/secpip

Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

secpip-1.0.0rc1.tar.gz (176.7 kB)

Built Distribution

secpip-1.0.0rc1-py3-none-any.whl (173.6 kB)