A github action that periodically fetches the latest pypi packages and scans them using a variety of methods:
- Datadog's guarddog tool (which uses
semgreprules to run static analysis on source code) - custom yara rules
- running
fileand detection binary executables - Sysdig+tcpdump dynamic analysis during install time
Note that the above techniques work well for NPM as well! A NPM equivalent of this repo will be available soon in the future.
Currently stores the JSON report in github action artifacts, *.txt files with a bunch of potentially malicious package names, and raises issues when suspicious packages are found.