
Allows setting pypi sources for private deployments

Open coffeehb opened this issue 1 year ago • 1 comment

Thanks for sharing, it's a cool project. I plan to use this to instrument internal pypi and npm repositories. Could you add support for manually setting the pypi or npm source?

coffeehb avatar Mar 03 '23 10:03 coffeehb

Hi, you can download the packages from the repository and scan those files directly. For example:

(guarddog) ~/s/guarddog ❯❯❯ wget https://files.pythonhosted.org/packages/70/8e/0e2d847013cb52cd35b38c009bb167a1a26b2ce6cd6965bf26b47bc0bf44/requests-2.31.0-py3-none-any.whl
...
2023-05-31 15:22:08 (3.59 MB/s) - ‘requests-2.31.0-py3-none-any.whl’ saved [62574/62574]

(guarddog) ~/s/guarddog ❯❯❯ guarddog pypi scan ./requests-2.31.0-py3-none-any.whl
Found 0 potentially malicious indicators scanning ./requests-2.31.0-py3-none-any.whl

(guarddog) ~/s/guarddog ❯❯❯

Is this sufficient for your use case?

jamessteel123 avatar May 31 '23 19:05 jamessteel123
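As an added example (not code from the guarddog project or from either commenter), the workflow the reply describes, wired up for a private index: pull one distribution with pip from an index URL you control, scan the downloaded file with guarddog, and fail when any indicators are reported. The index URL and package spec are placeholders, and the parser assumes the summary line keeps the "Found N potentially malicious indicators" format shown in the reply.

```shell
#!/usr/bin/env bash
# Added example, not from the guarddog project. Assumes pip and guarddog are on
# PATH; the private index URL and package spec below are placeholders.
set -eu

GUARDDOG="${GUARDDOG:-guarddog}"   # path to the guarddog CLI (override for testing)
# Download one distribution, without dependencies, from a private index.
fetch_from_private_index() {
  local index_url="$1" pkg="$2" dest="$3"
  mkdir -p "$dest"
  pip download --no-deps --index-url "$index_url" --dest "$dest" "$pkg"
}

# Scan one file and print the number of indicators guarddog reported.
# Assumption: the summary line keeps the format seen in the reply above,
# "Found N potentially malicious indicators scanning <file>".
count_indicators() {
  local file="$1" out count
  out="$("$GUARDDOG" pypi scan "$file")"
  count="$(printf '%s\n' "$out" \
    | sed -n 's/^Found \([0-9][0-9]*\) potentially malicious indicators.*/\1/p' \
    | head -n 1)"
  if [ -z "$count" ]; then
    # No summary line: fail closed rather than treat the file as clean.
    printf 'could not parse guarddog output for %s\n' "$file" >&2
    return 2
  fi
  printf '%s\n' "$count"
}

# Scan every wheel and sdist in a directory; return 1 if any has indicators,
# so the function can gate a CI job or a mirror sync.
scan_dir() {
  local dir="$1" f n status=0
  for f in "$dir"/*.whl "$dir"/*.tar.gz; do
    [ -e "$f" ] || continue
    n="$(count_indicators "$f")"
    if [ "$n" -gt 0 ]; then
      printf 'BLOCK %s: %s indicator(s)\n' "$f" "$n" >&2
      status=1
    fi
  done
  return "$status"
}

if [ "${1:-}" = "run" ]; then
  fetch_from_private_index "https://pypi.internal.example/simple" "requests==2.31.0" ./downloads
  scan_dir ./downloads
fi
```

Run it as `./scan_private.sh run` after replacing the placeholder index URL and package spec; the same pattern applies to npm tarballs with `guarddog npm scan`.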