#security #supply-chain #repository #sbom #risk #automatic #active

app hipcheck

Automatically assess and score software repositories for supply chain risk

6 stable releases

3.4.0 Jul 4, 2024
3.3.2 Jun 21, 2024
3.3.0 Jun 20, 2024
3.2.1 May 10, 2024
3.2.0 May 9, 2024

#162 in Development tools

Download history (per week): 283 @ 2024-05-06; 11 @ 2024-05-13; 21 @ 2024-05-20; 2 @ 2024-06-10; 302 @ 2024-06-17; 27 @ 2024-06-24; 181 @ 2024-07-01; 7 @ 2024-07-08

518 downloads per month

Apache-2.0

490KB
13K SLoC

Hipcheck


Go from hundreds of dependencies you can't review, to just a few you can!

Managing the security risk of third-party software at scale is difficult. Ordinary projects can easily have hundreds of dependencies, far too many to review by hand.

Hipcheck is designed to help you filter that list of dependencies down to just a few that appear concerning, and to give you the information you need to make a security decision quickly.

Hipcheck is a command line interface (CLI) tool for analyzing open source software packages and source repositories to understand their software supply chain risk. It analyzes a project's software development practices and detects active supply chain attacks to give you both a long-term and immediate picture of the risk from using a package.

For more information, see "Why Hipcheck?"

Very Quick Explanation

Hipcheck can analyze Git source repositories and open source packages from popular package hosts.

# Analyze Express, a popular JavaScript package for web servers, with the
# URL of its Git repository.
hc check https://github.com/expressjs/express

# Analyze urllib3 version 2.2.2, a popular URL-handling package hosted on PyPI.
hc check -t pypi urllib3@2.2.2

# Analyze the package described by an SPDX Software Bill of Materials.
hc check example-sbom.spdx.json

For more information, check out the Quickstart Guide.

Installation

See the Installation Instructions.

Values

Hipcheck's product values are to be:

  • Configurable: Hipcheck should be adaptable to the policies of its users.
  • Fast: Hipcheck should provide answers quickly.
  • Actionable: Hipcheck should empower users to make informed security decisions.

Read more about Hipcheck's product and project values in RFD #2.

License

Hipcheck's software is licensed under the Apache 2.0 license, which can be found in the LICENSE file in this repository.

Public Release

Note: Approved for Public Release; Distribution Unlimited. Public Release Case Number 22-2145.

Portions of this software were produced for the U.S. Government under Contract No. FA8702-19-C-0001 and W56KGU-18-D-0004, and are subject to the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation Clause DFARS 252.227-7014 (FEB 2014).

Dependencies

~42–59MB
~1M SLoC