Metadata-Version: 2.4
Name: insecure_tree
Version: 0.1.0
Summary: Audit GitHub Actions security posture of your Python dependency tree using zizmor
Project-URL: Repository, https://github.com/matthewdeanmartin/insecure_tree
Project-URL: Documentation, https://insecure_tree.readthedocs.io/en/latest/
Project-URL: Changelog, https://github.com/matthewdeanmartin/insecure_tree/blob/main/CHANGELOG.md
Project-URL: homepage, https://github.com/matthewdeanmartin/insecure_tree
Project-URL: issues, https://github.com/matthewdeanmartin/insecure_tree/issues/
Author-email: Matthew Martin <matthewdeanmartin@gmail.com>
License-Expression: MIT
License-File: LICENSE
Keywords: audit,dependencies,devsecops,github-actions,security,supply-chain,zizmor
Classifier: Development Status :: 1 - Planning
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Programming Language :: Python :: 3.14
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Build Tools
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Classifier: Topic :: System :: Systems Administration
Classifier: Typing :: Typed
Requires-Python: >=3.10
Requires-Dist: httpx>=0.27
Requires-Dist: jinja2>=3.1
Requires-Dist: packaging>=23.0
Requires-Dist: pydantic>=2.0
Requires-Dist: rich>=13.0
Requires-Dist: tomli>=2.0; python_version < '3.11'
Requires-Dist: zizmor>=1.0
Description-Content-Type: text/markdown

# insecure-tree

Audit the GitHub Actions security posture of your entire Python dependency tree.

insecure-tree discovers your transitive dependencies, resolves their PyPI metadata, identifies claimed GitHub repositories, downloads workflow files, and runs [zizmor](https://github.com/woodruffw/zizmor) against each one — then produces a unified text, HTML, and JSON report showing every finding and which package it came from.

## Installation

```bash
# Install zizmor first (required)
pip install zizmor

# Install insecure-tree
pipx install insecure_tree
```

Or with pip:

```bash
pip install insecure_tree
```

## Quick start

```bash
# Scan a uv project
insecure-tree scan --source uv --project .

# Scan the active virtualenv
insecure-tree scan --source pip-inspect

# Auto-detect the best source
insecure-tree scan
```

Reports land in `./insecure-tree-report/` as `insecure-tree.txt`, `insecure-tree.html`, and `insecure-tree.json`.

## CI usage

```bash
insecure-tree scan \
  --source auto \
  --format text \
  --format html \
  --fail-on error \
  --output-dir artifacts/insecure-tree
```

Exit codes: `0` clean, `1` findings above threshold, `2` config error, `3` infrastructure error, `4` partial scan failure.

## All commands

| Command | Description |
|---------|-------------|
| `insecure-tree scan` | Run the full audit pipeline |
| `insecure-tree graph` | Emit the dependency graph as JSON or text |
| `insecure-tree metadata PACKAGE` | Inspect PyPI metadata and GitHub candidates for one package |
| `insecure-tree report --input FILE` | Re-render a report from a saved JSON file |
| `insecure-tree cache dir` | Print the cache directory path |
| `insecure-tree cache clean` | Remove expired cache entries |

## Configuration

Configuration is read from `pyproject.toml` under `[tool.insecure-tree]` or from `insecure-tree.toml`:

```toml
[tool.insecure-tree]
source = "auto"
fail_on = "never"
report_min_severity = "note"

[tool.insecure-tree.github]
token_env = "GITHUB_TOKEN"

[tool.insecure-tree.repo_overrides]
"Pillow" = "https://github.com/python-pillow/Pillow"

[[tool.insecure-tree.ignore]]
package = "some-package"
rule = "excessive-permissions"
reason = "Accepted risk — only runs on release branches."
expires = "2026-12-01"
```
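Because an `ignore` entry is an accepted risk with a deadline, it is worth checking that none of them has quietly outlived its `expires` date. The following is an added example, not insecure-tree's own code: it reads the `[[tool.insecure-tree.ignore]]` entries from a `pyproject.toml` and buckets them as active, expired or open-ended; the sample pyproject text, the package names and the rule names other than `excessive-permissions` are constructed for the demo.

```python
"""Added example, not insecure-tree's own code: flag [[tool.insecure-tree.ignore]]
suppressions whose `expires` date has passed, so accepted risks do not outlive
their justification. The pyproject text below is constructed for the demo."""
import datetime as dt
import sys

if sys.version_info >= (3, 11):
    import tomllib
else:  # the package declares tomli as the TOML parser for Python < 3.11
    import tomli as tomllib

# Mirrors the README's layout; package names and the extra rule names are
# illustrative placeholders, not findings from a real scan.
SAMPLE_PYPROJECT = """[[tool.insecure-tree.ignore]]
package = "some-package"
rule = "excessive-permissions"
reason = "Accepted risk, only runs on release branches."
expires = "2026-12-01"
[[tool.insecure-tree.ignore]]
package = "other-package"
rule = "template-injection"
reason = "Legacy workflow, removal tracked separately."
expires = "2025-01-15"
[[tool.insecure-tree.ignore]]
package = "third-package"
rule = "unpinned-uses"
reason = "No expiry recorded."
"""


def classify_ignores(pyproject_text: str, today: str) -> dict[str, list[str]]:
    """Bucket ignores as active, expired or open_ended (no `expires`), keyed
    "package:rule". `today` is an ISO date so the clock can be pinned in tests."""
    now = dt.date.fromisoformat(today)
    cfg = tomllib.loads(pyproject_text)
    entries = cfg.get("tool", {}).get("insecure-tree", {}).get("ignore", [])
    out: dict[str, list[str]] = {"active": [], "expired": [], "open_ended": []}
    for entry in entries:
        key = f"{entry['package']}:{entry['rule']}"
        expires = entry.get("expires")
        if expires is None:
            out["open_ended"].append(key)
            continue
        # The README quotes the date; an unquoted TOML date already parses to a date object.
        if isinstance(expires, str):
            expires = dt.date.fromisoformat(expires)
        elif isinstance(expires, dt.datetime):
            expires = expires.date()
        out["expired" if expires < now else "active"].append(key)
    return out
```

Run it against your real `pyproject.toml` by passing its contents and today's date; anything in the `expired` bucket should be re-justified or removed rather than left to keep suppressing findings.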

## Documentation

Full documentation is at [insecure-tree.readthedocs.io](https://insecure_tree.readthedocs.io/en/latest/).

- [Installation](https://insecure_tree.readthedocs.io/en/latest/installation/)
- [Quick Start](https://insecure_tree.readthedocs.io/en/latest/usage/quickstart/)
- [CLI Reference](https://insecure_tree.readthedocs.io/en/latest/usage/cli/)
- [Configuration](https://insecure_tree.readthedocs.io/en/latest/usage/configuration/)
- [How It Works](https://insecure_tree.readthedocs.io/en/latest/concepts/how_it_works/)
- [CI Integration](https://insecure_tree.readthedocs.io/en/latest/usage/ci/)

## Contributing

See [CONTRIBUTING.md](docs/extending/CONTRIBUTING.md).

## License

MIT — see [LICENSE](LICENSE).

## Changelog

See [CHANGELOG.md](CHANGELOG.md).
