secpip 1.0.0rc1
Secpip - Secure Pip Package Management Tool
Secpip is a command line interface to manage (install, download, uninstall, migrate) Python libraries securely.
Table of Contents
About the Project
Getting Started
Prerequisites
Installation
Usage
Roadmap
Contributing
License
Contact
Acknowledgements
About The Project
Secpip is a command line interface to manage pip packages in a secure way.
Secpip checks whether the given package version has a known vulnerability according to the vulnerability database published as safety-db.
If the given package has a vulnerability, Secpip tries to find available secure versions of the package.
Once a secure version of the package is found, it automatically installs the secure package (if the '--secure' and '--auto' flags are used).
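The check-and-replace flow described above, as an added example that is not secpip's own code: a package version is matched against safety-db style insecure specifiers, and when it is vulnerable the smallest available non-vulnerable version at or above the requested one is chosen. The `INSECURE_DB` and `AVAILABLE_VERSIONS` tables are constructed sample data (safety-db's real insecure.json maps package names to lists of version specifiers, but these entries are invented), and version comparison is a simplified dotted-integer scheme rather than full PEP 440.

```python
"""Added example, not secpip's code: secure/auto resolution against a
safety-db style 'insecure' map. All data below is constructed."""
from typing import Dict, List, Optional, Tuple

# Constructed sample in the shape of safety-db's insecure.json:
# package name -> version specifiers known to be vulnerable.
INSECURE_DB: Dict[str, List[str]] = {
    "examplelib": ["<1.2.0", ">=2.0.0,<2.0.3"],
    "legacylib": ["<9.0.0"],          # every published version is affected
}

# Constructed stand-in for the list of versions an index would offer.
AVAILABLE_VERSIONS: Dict[str, List[str]] = {
    "examplelib": ["1.0.0", "1.1.5", "1.2.0", "1.3.0", "2.0.0", "2.0.2", "2.0.3"],
    "legacylib": ["1.0.0", "2.0.0"],
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Simplified version parsing: dotted integers padded to three parts."""
    parts = [int(p) for p in v.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts)


_OPS = {
    "==": lambda a, b: a == b,
    "!=": lambda a, b: a != b,
    "<=": lambda a, b: a <= b,
    ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b,
    ">": lambda a, b: a > b,
}


def matches_spec(version: str, spec: str) -> bool:
    """True if version satisfies every comma-separated clause of spec."""
    v = parse_version(version)
    for clause in spec.split(","):
        clause = clause.strip()
        for op in ("==", "!=", "<=", ">=", "<", ">"):  # two-char operators first
            if clause.startswith(op):
                if not _OPS[op](v, parse_version(clause[len(op):])):
                    return False
                break
        else:
            raise ValueError(f"unsupported specifier clause: {clause!r}")
    return True


def is_vulnerable(package: str, version: str, db=INSECURE_DB) -> bool:
    """A version is vulnerable if any insecure specifier for the package matches."""
    return any(matches_spec(version, spec) for spec in db.get(package, []))


def next_secure_version(package: str, version: str, db=INSECURE_DB,
                        available=AVAILABLE_VERSIONS) -> Optional[str]:
    """Smallest available version >= the requested one that is not vulnerable."""
    wanted = parse_version(version)
    for cand in sorted(available.get(package, []), key=parse_version):
        if parse_version(cand) >= wanted and not is_vulnerable(package, cand, db):
            return cand
    return None


def resolve_install(package: str, version: str, secure: bool = True,
                    auto: bool = False, db=INSECURE_DB,
                    available=AVAILABLE_VERSIONS) -> Tuple[str, Optional[str]]:
    """Decide what happens to an install request under --secure / --auto.

    Returns (action, version) where action is one of:
      install       no check requested, or the version is clean
      blocked       --secure without --auto: refuse the vulnerable version
      replaced      --secure --auto: install the next secure version instead
      warn-install  --secure --auto but nothing secure exists: warn, install anyway
    """
    if not secure or not is_vulnerable(package, version, db):
        return ("install", version)
    if not auto:
        return ("blocked", None)
    replacement = next_secure_version(package, version, db, available)
    if replacement is None:
        return ("warn-install", version)
    return ("replaced", replacement)


if __name__ == "__main__":
    for pkg, ver in (("examplelib", "1.1.0"), ("examplelib", "2.0.0"), ("legacylib", "1.0.0")):
        print(pkg, ver, "->", resolve_install(pkg, ver, secure=True, auto=True))
```

The `warn-install` outcome is the one to watch in reports: it is the case where `--auto` could not find a safe version and the vulnerable package is installed anyway, so a report that lists it should be treated as a finding rather than a success.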
Abilities of Secpip
Package vulnerability check and extraction from virtual environments.
Downloads (secure) pip packages when offline installation into other environments or nodes is needed.
You can easily install libraries online or offline into virtual environments by using Secpip.
It is based on pip (it wraps pip commands), so pip must be installed.
It checks the security status of Python packages with the safety library, according to published vulnerabilities.
It creates a report of the result of each operation.
It creates/builds/dumps Python virtual environments.
It uninstalls multiple packages from a virtual environment with one command by taking a requirements file.
It migrates a virtual environment to another or a new one securely.
Getting Started
Definitions and examples for the installation and usage of Secpip modules.
Follow these steps to install and use Secpip.
Prerequisites
python3
pip
virtualenv : A tool for creating isolated virtual python environments.
Installation
First, install Python 3 and pip.
Install From Repo
Clone the repo
git clone https://github.com/myasinsaglam/secpip.git
Install Requirements from requirements.txt
pip install -r requirements.txt
Install Secpip
In project directory run
pip install .
or
python setup.py install
Install via pip
pip install secpip
Usage:
Entrypoints and example commands are explained here.
Entrypoint
usage: secpip <command> [<args>]
Commands:
install Install pip packages by using secpip abilities (secure, report, auto_mode)
dump Package/Download pip packages by using secpip abilities (secure, report, auto_mode)
uninstall Uninstall pip packages from venv as single or batch from requirements
migrate Migrate virtual environment to another one securely
sync Synchronize Database from web
General Options:
--secure Secure option to check known vulnerabilities. If package is not secure operation not allowed to package
--auto Use with secure option. It replace vulnerable package with next secure version, If no secure package exists it create warning and install insecure one.
Secure pip package manager...
positional arguments:
command {install, dump, uninstall}
optional arguments:
-h, --help show this help message and exit
Install
Install command description and arguments
usage: secpip install [-h] [--secure] [--auto] [--report REPORT_DIR]
[-v ENVIRONMENT_DIR] [-p PACKAGE_DIR] [-r REQUIREMENTS_DIR]
Install pip packages as online or offline with security check
optional arguments:
-h, --help show this help message and exit
--secure A flag for security check option
--auto A flag for auto correct versions by replacing secure
one
--report REPORT_DIR Report Extraction Option
-v ENVIRONMENT_DIR, --venv_dir ENVIRONMENT_DIR
Python environment path to install modules
-p PACKAGE_DIR, --package_dir PACKAGE_DIR
Downloaded package directory for offline install
-r REQUIREMENTS_DIR, --requirements_file REQUIREMENTS_DIR
Requirements txt i/o file path, default is
{current_path}/requirements.txt
Examples
Optional flags
[--secure] - security check: if a package is not secure, the operation is not allowed on the vulnerable package
[--auto] - automatically replace with a secure version
[--report] report filename - writes the operation report to the given file.
Online single-package install to a virtual environment (optional; if not given, it installs into the current Python environment)
secpip install [package name] -v [venv dir] --secure --auto
Offline single-package install from a package directory to a virtual environment (optional; if not given, it installs into the current Python environment)
secpip install [package name] -v [venv dir] -p [downloaded package directory] --secure --auto
Online install of packages from a requirements file to a virtual environment
secpip install -r [requirements path] -v [venv dir] --secure --auto --report [report filename]
Offline install of requirements file packages from a package directory to a virtual environment (optional; if not given, it installs into the current Python environment)
secpip install -r [requirements path] -v [venv dir] -p [downloaded package directory] --secure --auto
Dump
Dump command description and arguments
usage: secpip dump [-h] [--secure] [--auto] [--report REPORT_DIR]
[-v ENVIRONMENT_DIR] [-p PACKAGE_DIR] [-r REQUIREMENTS_DIR]
Dump pip packages:
- from package name to to directory as setup file
- from requirements to directory as setup files
- from venv to directory as setup files
- from venv to requirements as metadata
optional arguments:
-h, --help show this help message and exit
--secure A flag for security check option
--auto A flag for auto correct versions
--report REPORT_DIR Report Extraction Option
-v ENVIRONMENT_DIR, --venv_dir ENVIRONMENT_DIR
Python environment path to extract installed modules
-p PACKAGE_DIR, --package_dir PACKAGE_DIR
Downloaded package directory for offline install
-r REQUIREMENTS_DIR, --requirements_file REQUIREMENTS_DIR
Requirements txt i/o file path, default is
{current_path}/requirements.txt
Examples
Optional flags
[--secure] - security check: if a package is not secure, the operation is not allowed on the vulnerable package
[--auto] - automatically replace with a secure version
[--report] report filename - writes the operation report to the given file.
Single-package download to a directory
secpip dump [package name] -p [directory to download] --secure --auto
Download packages from a virtual environment to a directory
secpip dump -v [venv dir] -p [downloaded package directory] --secure --auto
Download packages from a requirements file to a directory
secpip dump -r [requirements path] -p [downloaded package directory] --secure --auto
Uninstall
Uninstall command description and arguments. This command was added to uninstall multiple packages at once. :)
Multiple packages can be uninstalled from an environment by using the requirements file argument.
usage: secpip uninstall [-h] [-venv ENVIRONMENT_DIR] [-r REQUIREMENTS_DIR]
Uninstall pip packages as batch by using requirement file
optional arguments:
-h, --help show this help message and exit
-v ENVIRONMENT_DIR, --venv_dir ENVIRONMENT_DIR
Python environment path that will be uninstall modules
from
-r REQUIREMENTS_DIR, --requirements_file REQUIREMENTS_DIR
Requirements txt i/o file path, default is
{current_path}/requirements.txt
Examples
Optional flags
[-v], [--venv_dir] - The environment directory is optional; if not given, the currently active Python environment is used.
Single-package uninstall from an environment
secpip uninstall [package name] -v [venv dir] --secure --auto
Multiple-package uninstall from an environment
secpip uninstall -r [requirements path] -v [venv dir] --secure --auto
Migrate
Migrate command description and arguments
usage: secpip migrate [-h] [--secure] [--auto] [--report REPORT_DIR] -s SRC_VENV -d
DST_VENV
Migrate virtual environment to another virtual environment
optional arguments:
-h, --help show this help message and exit
--secure A flag for security check option
--auto A flag for auto correct versions
--report REPORT_DIR Report Extraction Option
-s SRC_VENV, --src SRC_VENV
Source Python environment path to migrate modules
-d DST_VENV, --dst DST_VENV
Destination Python environment path to migrate modules
Examples
Optional flags
[--secure] - security check: if a package is not secure, the operation is not allowed on the vulnerable package
[--auto] - automatically replace with a secure version
[--report] report filename - writes the operation report to the given file.
Migrate a virtual environment to another (new) one securely
secpip migrate -s [Source Python environment path] -d [Destination Python environment path] --secure --auto
Sync:
Just run the command below to sync the vulnerability database.
secpip sync
Roadmap
Improve Windows support -- currently it can only be installed in a virtual environment
Add an excluded-packages option
Collect vulnerabilities from different sources, validate them and extend the vulnerability database with AI (apply NLP techniques to vulnerability sources, source code analysis etc.)
Service for vulnerability checks
See the open issues for a list of proposed features (and known issues).
Contributing
Contributions are what make the open source community such an amazing place to learn, inspire, and create. Any contributions you make are greatly appreciated.
Fork the Project
Create your Feature Branch (git checkout -b feature/AmazingFeature)
Commit your Changes (git commit -m 'Add some AmazingFeature')
Push to the Branch (git push origin feature/AmazingFeature)
Open a Pull Request
License
Distributed under the MIT License. See LICENSE for more information.
Contact
M.Yasin SAGLAM - [email protected]
Project Link: https://github.com/myasinsaglam/secpip
Acknowledgements
This project was supported by CRYPTTECH.
safety-db
best-readme-template