secpip 1.0.0rc1

Creator: bradpython12


Secpip - Secure Pip Package Management Tool

Secpip is a command-line interface for managing (installing, downloading, uninstalling, migrating) Python libraries securely.




Table of Contents

About the Project
Getting Started

Prerequisites
Installation


Usage
Roadmap
Contributing
License
Contact
Acknowledgements


About The Project
Secpip is a command-line interface for managing pip packages securely.
Secpip checks whether the given package version has a known vulnerability according to the vulnerability database published as safety-db.
If the given package version is vulnerable, Secpip tries to find available secure versions of the package.
Once a secure version is found, it automatically installs that version instead (if the '--secure' and '--auto' flags are used).
Abilities of Secpip

Package vulnerability check and extraction from virtual environments.
Downloads (secure) pip packages when an offline installation into another environment or node is needed.
Installs libraries online or offline into virtual environments.
It is based on pip (it wraps pip commands), so pip must be installed.
It checks the security status of Python packages with the safety library against published vulnerabilities.
It creates a report of the result of each operation.
It creates/builds/dumps Python virtual environments.
It uninstalls multiple packages from a virtual environment with one command by taking a requirements file.
It migrates a virtual environment to another existing or new one securely.



Getting Started
Definitions and examples for installing and using the Secpip modules.
Follow these steps to install and use Secpip.
Prerequisites

python3
pip
virtualenv : A tool for creating isolated virtual python environments.

Installation


First install Python 3 and pip.

Install from the repo

Clone the repo

git clone https://github.com/myasinsaglam/secpip.git

Install the requirements from requirements.txt (run inside the cloned directory)

pip install -r requirements.txt

Install Secpip

In the project directory run
pip install .

or
python setup.py install

Install via pip
pip install secpip


Usage:
Entrypoints and example commands are explained here.
Entrypoint
usage: secpip <command> [<args>]
Commands:
install Install pip packages by using secpip abilities (secure, report, auto_mode)
dump Package/Download pip packages by using secpip abilities (secure, report, auto_mode)
uninstall Uninstall pip packages from a venv, singly or as a batch from a requirements file
migrate Migrate a virtual environment to another one securely
sync Synchronize the vulnerability database from the web
General Options:
--secure Security option to check for known vulnerabilities. If the package is not secure, the operation is not allowed on that package.
--auto Use together with --secure. It replaces a vulnerable package with the next secure version; if no secure version exists it emits a warning and installs the insecure one.

Secure pip package manager...

positional arguments:
command {install, dump, uninstall}

optional arguments:
-h, --help show this help message and exit
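
The decision logic described under About The Project and in the --secure/--auto options above, written out as an added Python example (this is my illustration, not secpip's own code): a requirements file is checked line by line against a safety-db style database, a vulnerable pin is swapped for the next clean version under --auto, and without --auto the vulnerable pin is refused. SAMPLE_DB, SAMPLE_INDEX and SAMPLE_REQUIREMENTS are constructed data with hypothetical package names, versions and advisory ids; the database layout (package name -> advisories carrying a "specs" list of pip-style ranges) is assumed to follow safety-db's insecure_full.json, and version parsing is limited to plain dotted numbers.

```python
"""Model of secpip's --secure / --auto decisions (added example, not secpip's code).

SAMPLE_DB, SAMPLE_INDEX and SAMPLE_REQUIREMENTS are constructed; names, versions
and advisory ids are hypothetical. SAMPLE_DB is laid out like safety-db's
insecure_full.json as assumed here (package -> advisories with "specs" ranges).
"""
import re
from typing import Dict, List, Optional, Tuple

SAMPLE_DB: Dict[str, List[dict]] = {
    "examplelib": [
        {"id": "pyup.io-00001", "specs": ["<1.4.0"], "advisory": "RCE in template loader"},
        {"id": "pyup.io-00002", "specs": [">=1.5.0,<1.5.2"], "advisory": "DoS in parser"},
    ],
    "othertool": [{"id": "pyup.io-00003", "specs": ["<0.9"], "advisory": "path traversal"}],
}
# Constructed stand-in for the versions an index (PyPI or a local wheelhouse) can serve.
SAMPLE_INDEX: Dict[str, List[str]] = {
    "examplelib": ["1.3.0", "1.4.0", "1.5.0", "1.5.1", "1.5.2"],
    "othertool": ["0.8", "0.8.1"],
    "safe-pkg": ["2.0"],
}
SAMPLE_REQUIREMENTS = """\
examplelib==1.5.0   # inside the 1.5.0-1.5.1 DoS range; 1.5.2 is clean
othertool==0.8      # every published version is < 0.9, so no fix exists
safe-pkg==2.0       # not in the database at all
"""

_OPS = {"<": lambda a, b: a < b, "<=": lambda a, b: a <= b, ">": lambda a, b: a > b,
        ">=": lambda a, b: a >= b, "==": lambda a, b: a == b, "!=": lambda a, b: a != b}
_CLAUSE_RE = re.compile(r"^(<=|>=|==|!=|<|>)\s*(\d+(?:\.\d+)*)$")


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted numeric version -> comparable tuple; trailing zeros dropped so 1.4 == 1.4.0.
    Assumption: no pre-release or local-version suffixes."""
    parts = [int(p) for p in v.strip().split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def version_in_spec(version: str, spec: str) -> bool:
    """True when `version` satisfies every comma-separated clause of `spec` (e.g. '>=1.0,<1.2')."""
    ver = parse_version(version)
    for clause in spec.split(","):
        m = _CLAUSE_RE.match(clause.strip())
        if not m:
            raise ValueError(f"unsupported spec clause: {clause!r}")
        op, bound = m.groups()
        if not _OPS[op](ver, parse_version(bound)):
            return False
    return True


def advisories_for(name: str, version: str, db: Dict[str, List[dict]] = SAMPLE_DB) -> List[str]:
    """The --secure check: ids of advisories whose ranges contain this exact version."""
    return [adv["id"] for adv in db.get(name.lower(), [])
            if any(version_in_spec(version, s) for s in adv["specs"])]


def next_secure_version(name: str, version: str, available: List[str],
                        db: Dict[str, List[dict]] = SAMPLE_DB) -> Optional[str]:
    """The --auto search: lowest available version newer than `version` with no advisory.
    Taking the closest clean version rather than the newest keeps the upgrade small."""
    current = parse_version(version)
    for cand in sorted(available, key=parse_version):
        if parse_version(cand) > current and not advisories_for(name, cand, db):
            return cand
    return None


def plan_requirements(req_text: str, index: Dict[str, List[str]], secure: bool = True,
                      auto: bool = True, db: Dict[str, List[dict]] = SAMPLE_DB) -> List[dict]:
    """Decide what a run over a requirements file does for each 'name==version' line."""
    plan = []
    for raw in req_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        name, _, version = line.partition("==")
        name, version = name.strip().lower(), version.strip()
        if not version:
            plan.append({"package": name, "action": "error", "reason": "needs an == pin"})
            continue
        ids = advisories_for(name, version, db) if secure else []
        if not ids:
            plan.append({"package": name, "version": version, "action": "install", "advisories": []})
            continue
        fix = next_secure_version(name, version, index.get(name, []), db) if auto else None
        if fix:
            action = "replace"  # --auto found a clean newer version
        elif auto:
            action = "install-insecure-with-warning"  # --auto but nothing clean: warn, install anyway
        else:
            action = "blocked"  # --secure alone: refuse the vulnerable pin
        plan.append({"package": name, "version": fix or version, "action": action, "advisories": ids})
    return plan


if __name__ == "__main__":
    for row in plan_requirements(SAMPLE_REQUIREMENTS, SAMPLE_INDEX):
        print(row)
```

Running the file prints one plan row per requirement line. Picking the closest clean newer version rather than the newest is this example's own choice; the page only says secpip installs the "next secure version".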

Install
Install command description and arguments
usage: secpip install [-h] [--secure] [--auto] [--report REPORT_DIR]
[-v ENVIRONMENT_DIR] [-p PACKAGE_DIR] [-r REQUIREMENTS_DIR]

Install pip packages as online or offline with security check

optional arguments:
-h, --help show this help message and exit
--secure A flag for security check option
--auto A flag for auto correct versions by replacing secure
one
--report REPORT_DIR Report Extraction Option
-v ENVIRONMENT_DIR, --venv_dir ENVIRONMENT_DIR
Python environment path to install modules
-p PACKAGE_DIR, --package_dir PACKAGE_DIR
Downloaded package directory for offline install
-r REQUIREMENTS_DIR, --requirements_file REQUIREMENTS_DIR
Requirements txt i/o file path, default is
{current_path}/requirements.txt

Examples


Optional flags
[--secure] - security check; if the package is not secure, the operation is not allowed on the vulnerable package
[--auto] - automatically replace with a secure version
[--report] report filename - writes the operation report to the given file


Online single package install into a virtual environment (-v is optional; if omitted, the package is installed into the currently active Python environment)


secpip install [package name] -v [venv dir] --secure --auto



Offline single package install from a package directory into a virtual environment (-v is optional; if omitted, the currently active Python environment is used)


secpip install [package name] -v [venv dir] -p [downloaded package directory] --secure --auto



Online install of the packages in a requirements file into a virtual environment


secpip install -r [requirements path] -v [venv dir] --secure --auto --report [report filename]



Offline install of the packages in a requirements file from a package directory into a virtual environment (-v is optional; if omitted, the currently active Python environment is used)


secpip install -r [requirements path] -v [venv dir] -p [downloaded package directory] --secure --auto

Dump
Dump command description and arguments
usage: secpip dump [-h] [--secure] [--auto] [--report REPORT_DIR]
[-v ENVIRONMENT_DIR] [-p PACKAGE_DIR] [-r REQUIREMENTS_DIR]

Dump pip packages:
- from package name to directory as setup file
- from requirements to directory as setup files
- from venv to directory as setup files
- from venv to requirements as metadata

optional arguments:
-h, --help show this help message and exit
--secure A flag for security check option
--auto A flag for auto correct versions
--report REPORT_DIR Report Extraction Option
-v ENVIRONMENT_DIR, --venv_dir ENVIRONMENT_DIR
Python environment path to extract installed modules
-p PACKAGE_DIR, --package_dir PACKAGE_DIR
Downloaded package directory for offline install
-r REQUIREMENTS_DIR, --requirements_file REQUIREMENTS_DIR
Requirements txt i/o file path, default is
{current_path}/requirements.txt

Examples


Optional flags
[--secure] - security check; if the package is not secure, the operation is not allowed on the vulnerable package
[--auto] - automatically replace with a secure version
[--report] report filename - writes the operation report to the given file


Single package download to directory


secpip dump [package name] -p [directory to download] --secure --auto



Download packages from virtual environment to directory


secpip dump -v [venv dir] -p [downloaded package directory] --secure --auto



Download packages from requirements file to directory


secpip dump -r [requirements path] -p [downloaded package directory] --secure --auto

Uninstall
Uninstall command description and arguments. This command was added to uninstall multiple packages at once.

Multiple packages can be uninstalled from an environment by passing a requirements file.

usage: secpip uninstall [-h] [-venv ENVIRONMENT_DIR] [-r REQUIREMENTS_DIR]

Uninstall pip packages as batch by using requirement file

optional arguments:
-h, --help show this help message and exit
-v ENVIRONMENT_DIR, --venv_dir ENVIRONMENT_DIR
Python environment path that will be uninstall modules
from
-r REQUIREMENTS_DIR, --requirements_file REQUIREMENTS_DIR
Requirements txt i/o file path, default is
{current_path}/requirements.txt

Examples


Optional flags
[-v], [--venv_dir] - The environment directory is optional; if it is not given, the currently active Python environment is used.


Single package uninstall from environment


secpip uninstall [package name] -v [venv dir]



Multiple package uninstall from environment


secpip uninstall -r [requirements path] -v [venv dir]

Migrate
Migrate command description and arguments
usage: secpip migrate [-h] [--secure] [--auto] [--report REPORT_DIR] -s SRC_VENV -d DST_VENV

Migrate virtual environment to another virtual environment

optional arguments:
-h, --help show this help message and exit
--secure A flag for security check option
--auto A flag for auto correct versions
--report REPORT_DIR Report Extraction Option
-s SRC_VENV, --src SRC_VENV
Source Python environment path to migrate modules
-d DST_VENV, --dst DST_VENV
Destination Python environment path to migrate modules

Examples


Optional flags
[--secure] - security check; if the package is not secure, the operation is not allowed on the vulnerable package
[--auto] - automatically replace with a secure version
[--report] report filename - writes the operation report to the given file


Migrate a virtual environment securely into another (new or existing) one


secpip migrate -s [Source Python environment path] -d [Destination Python environment path] --secure --auto

Sync:
Run the command below to sync the vulnerability database. The --secure check can only know about vulnerabilities present in the local copy of the database, so sync before running install, dump or migrate with --secure, and in particular before dumping packages for an offline node.
secpip sync


Roadmap

Improve Windows support -- it can currently only be installed in a virtual environment
Add an excluded-packages option
Collect vulnerabilities from different sources, validate them and extend the vulnerability database with AI (apply NLP techniques to vulnerability sources, source code analysis, etc.)
Service for vulnerability checks

See the open issues for a list of proposed features (and known issues).

Contributing
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.

Fork the Project
Create your Feature Branch (git checkout -b feature/AmazingFeature)
Commit your Changes (git commit -m 'Add some AmazingFeature')
Push to the Branch (git push origin feature/AmazingFeature)
Open a Pull Request


License
Distributed under the MIT License. See LICENSE for more information.

Contact
M.Yasin SAGLAM - myasinsaglam@crypttech.com
Project Link: https://github.com/myasinsaglam/secpip

Acknowledgements

This project was supported by the CRYPTTECH
safety-db
best-readme-template
