Small tool to inform you about potential risks in your project dependencies list:

- Lock file is not safe (lockfile-is-not-safe): During the development process a malicious actor could replace URLs in a lock file with ones that point to a package containing malicious code (it is especially dangerous because it is hard to catch in PR review)
- The newest package version is too new (package-is-too-new): A new version of a package could be vulnerable. It might be safer to wait X days before upgrading to the new version and let the community test it
- Installation Script (install-scripts): An attacker can use installation scripts to run commands that perform malicious acts through the package installation step
- Obfuscated code (obfuscated-code): A package contains obfuscated code, which may point to an attempt to hide potentially malicious code
- A package has OS scripts (has-os-scripts): An attacker can use .bat/.sh scripts to execute malicious actions (downloading and launching mining apps, etc.)
- A package script has shell commands (dangerous-shell-commands): A package script could contain potentially dangerous commands used to perform malicious actions (curl, wget, chmod, cacls, etc.)
- The newest package version is released after
SIMILAR TOOLS
Integrates static APK analysis with Yara and requires re-compilation of Yara with the androguard module.
A PHP port of Rack::Honeypot, a spam trap that detects and blocks spambots
A security-focused general purpose memory allocator providing the malloc API with hardening against heap corruption vulnerabilities.
QIRA is a competitor to strace and gdb with MIT license, supporting Ubuntu and Docker for wider compatibility.
Search engine for open-source Git repositories with advanced features like case sensitivity and regular expressions.
A software composition analysis tool that identifies vulnerabilities, malicious code, and license risks in open source dependencies throughout the software development lifecycle.
APKiD is a tool that identifies compilers, packers, obfuscators, and other weird stuff in APK files.
ConDroid performs concolic execution of Android apps to observe 'interesting' behavior in dynamic analysis.
A plugin for viewing, detecting weak configurations, and generating Content Security Policy headers.