12 stable releases
3.7.0 | Oct 10, 2024 |
---|---|
3.6.3 | Sep 10, 2024 |
3.5.0 | Aug 5, 2024 |
3.4.0 | Jul 4, 2024 |
3.2.1 | May 10, 2024 |
#144 in Development tools
32 downloads per month
705KB
19K
SLoC
Hipcheck ✓
Go from hundreds of dependencies you can't review, to just a few you can!
Managing the security risk of third-party software at scale is difficult. Normal projects can easily have hundreds of dependencies; far too many to review by hand.
Hipcheck is designed to help you filter that list of dependencies down to just a few that appear concerning, and to give you the information you need to make a security decision quickly.
Hipcheck is a command line interface (CLI) tool for analyzing open source software packages and source repositories to understand their software supply chain risk. It analyzes a project's software development practices and detects active supply chain attacks to give you both a long-term and immediate picture of the risk from using a package.
For more information, see "Why Hipcheck?"
Very Quick Explanation
Hipcheck can analyze Git source repositories and open source packages from popular package hosts.
# Analyze Express, a popular JavaScript package for web servers, with the
# URL of its Git repository.
hc check https://github.com/expressjs/express
# Analyze urllib3 version 2.2.2, a popular URL-handling package hosted on PyPI.
hc check -t pypi urllib3@2.2.2
# Analyze the package described by an SPDX Software Bill of Materials.
hc check example-sbom.spdx.json
For more information, check out the Quickstart Guide.
Installation
See the Installation Instructions.
Values
Hipcheck's product values are to be:
- Configurable: Hipcheck should be adaptable to the policies of its users.
- Fast: Hipcheck should provide answers quickly.
- Actionable: Hipcheck should empower users to make informed security decisions.
Read more about Hipcheck's product and project values in RFD #2.
License
Hipcheck's software is licensed under the Apache 2.0 license, which can be
found in the LICENSE
file in this repository.
Public Release
[!NOTE] Approved for Public Release; Distribution Unlimited. Public Release Case Number 22-2145.
Portions of this software were produced for the U.S. Government under Contract No. FA8702-19-C-0001, W56KGU-18-D-0004, and 70RSAT20D00000001 and is subject to the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation Clause DFARS 252.227-7014 (FEB 2014).
Dependencies
~78MB
~1.5M SLoC