Package registries (npm / PyPI / Maven / NuGet)
Category landing page for the language package-registry providers. These four providers all scan dependency manifests + lockfiles on disk (no install, no registry fetch) for the supply-chain hygiene patterns that turned Shai-Hulud, ctx, and Log4Shell into mass-propagation incidents: floating version specifiers, missing integrity / hash anchoring, plaintext-HTTP indexes, install-time lifecycle scripts, and curated known-compromised version registries.
The home page shows one "Package registries" tile that aggregates the rule counts across all four; the per-registry pages below carry the full rule reference for each platform.
Providers in this category
npm
Parses package.json, package-lock.json, and .npmrc. Lockfile presence, lifecycle scripts, secret-in-files, compromised-package registry.
PyPI
Parses requirements.txt. Range-pinned versions, missing hashes, compromised-package registry.
Maven
Parses pom.xml and settings.xml. Floating ranges and SNAPSHOTs, plaintext-HTTP repositories, lax checksumPolicy, wildcard mirrors, Log4Shell-class compromised-package registry.
NuGet
Parses *.csproj, Directory.Packages.props, packages.config, NuGet.config, and packages.lock.json. Floating ranges, wildcard prereleases, HTTP-only sources, dependency-confusion via missing packageSourceMapping, compromised-package registry, OSV advisory lookup.
What the rule packs share
Common shape across all four:
- Static parse only. No package install, no registry network call, no daemon access. Manifest + lockfile bytes only.
- Compromised-package registry. Each pack ships a curated _compromised_packages.py module of (name, version) pairs drawn from real incidents (event-stream, ua-parser-js, coa, rc, node-ipc, ctx 0.2.2-0.2.8, requests-darwin-lite 2.27.1, Log4Shell / Spring4Shell / Text4Shell, plus NuGet-ecosystem incidents). Findings cite the CVE and the upstream incident note.
- Floating-version hygiene. Range specifiers / SNAPSHOTs / unpinned VCS deps all surface as a separate finding from the compromised-version one, so the operator sees both the posture failure and the immediate risk.
- Transport hygiene. Plaintext-HTTP registry / index URLs, TLS-bypass flags, and lax checksum policies all trigger HIGH-severity findings tied to the relevant OWASP CI/CD risk and the CIS Supply Chain control.
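As an added illustration of the shape the three bullets describe (this is not pipeline_check's own code and not its PyPI parser), here is a minimal static scan of a requirements.txt that works on the manifest bytes only: it flags plaintext-HTTP index URLs, the --trusted-host TLS bypass, floating specifiers and unpinned VCS deps, missing --hash anchoring, and known-compromised (name, version) pairs. The COMPROMISED table, the severities, and the sample manifest are constructed for this example; the ctx and requests-darwin-lite versions are the ones named on this page.

```python
import re

# Constructed subset of a compromised-package registry, keyed (name, version);
# the ctx and requests-darwin-lite versions are the incidents named on this page.
COMPROMISED = {("ctx", f"0.2.{p}"): "ctx PyPI takeover" for p in range(2, 9)}
COMPROMISED[("requests-darwin-lite", "2.27.1")] = "requests-darwin-lite backdoor"

_SPEC = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(?:\[[^\]]*\])?\s*([^\s;#]*)")

def scan_requirements(text):
    """Static scan of a requirements.txt; returns (severity, message) tuples."""
    findings = []
    # Join backslash continuations first: pip-compile puts --hash on the next line.
    for raw in re.sub(r"\\\n\s*", " ", text).splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        if m := re.match(r"(?:-i|--index-url|--extra-index-url)[ =](\S+)", line):
            if m.group(1).lower().startswith("http://"):
                findings.append(("HIGH", f"plaintext-HTTP index: {m.group(1)}"))
        elif line.startswith("--trusted-host"):
            findings.append(("HIGH", f"TLS bypass: {line}"))
        elif re.match(r"^(git|hg|svn|bzr)\+", line):
            if "@" not in line:                # no commit/tag pin after the URL
                findings.append(("MEDIUM", f"unpinned VCS dependency: {line}"))
        elif m := _SPEC.match(line):           # other pip options (-r, -c) fall through
            # PEP 503 normalisation so 'Requests_Darwin.Lite' still hits the registry.
            name, spec = re.sub(r"[-_.]+", "-", m.group(1)).lower(), m.group(2)
            if not (spec.startswith("==") and "," not in spec and "*" not in spec):
                findings.append(("MEDIUM", f"floating version: {line}"))
                continue
            version = spec[2:]
            if (name, version) in COMPROMISED:  # a --hash pins a bad build just as faithfully
                findings.append(("HIGH", f"known-compromised version: {name}=={version} "
                                 f"({COMPROMISED[(name, version)]})"))
            if "--hash=" not in line:
                findings.append(("MEDIUM", f"missing --hash anchoring: {name}=={version}"))
    return findings

# Constructed sample manifest (hosts and hashes are dummy values, not real digests).
SAMPLE = """\
--index-url http://pypi.internal.example/simple
--trusted-host pypi.internal.example
requests>=2.28
ctx==0.2.5
requests-darwin-lite==2.27.1 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
urllib3==2.2.1 --hash=sha256:1111111111111111111111111111111111111111111111111111111111111111
git+https://github.com/example/tool.git
"""
```

Running scan_requirements(SAMPLE) yields seven findings; note that the hashed requests-darwin-lite line still gets the HIGH compromised-version finding, which is why the registry check is kept separate from the hash check.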
CLI
Each provider auto-detects its manifest at cwd and announces the pick on stderr; pass the explicit flag to scan a different path.
pipeline_check --pipeline npm --npm-path path/to/package.json
pipeline_check --pipeline pypi --pypi-path path/to/requirements.txt
pipeline_check --pipeline maven --maven-path path/to/pom.xml
pipeline_check --pipeline nuget --nuget-path path/to/project.csproj
See each per-registry page for the full rule reference, the parser scope (which files it loads, which it skips), and the known-compromised-version registry contents.