This repository was archived by the owner on Feb 14, 2026. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 0
Expand file tree
/
Copy pathdeptrust.py
More file actions
693 lines (608 loc) · 26.1 KB
/
deptrust.py
File metadata and controls
693 lines (608 loc) · 26.1 KB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
#!/usr/bin/env python3
"""
deptrust — Dependency Trust Scanner
Scans Python dependency files (requirements.txt, pyproject.toml) and scores
each package on trust signals to catch slopsquatting, typosquatting, and
suspicious dependencies before you install them.
Trust signals checked:
- Existence: Does the package actually exist on PyPI?
- Age: How long has it been on PyPI?
- Downloads: Monthly download count
- Maintainers: Number of package maintainers
- Name similarity: Edit distance to popular packages (typosquatting)
- Repository: Does it link to a source repo?
- Description: Does it have a meaningful description?
- Version history: Number of releases (maturity signal)
Zero dependencies — stdlib only.
"""
from __future__ import annotations
import argparse
import json
import os
import re
import sys
import urllib.request
import urllib.error
from concurrent.futures import ThreadPoolExecutor, as_completed
from dataclasses import dataclass, field, asdict
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional
__version__ = "0.1.0"
# ── Popular packages (top 200 by downloads) for typosquatting detection ──
# This is a curated subset; catches the most common squatting targets.
POPULAR_PACKAGES = [
"boto3", "botocore", "urllib3", "requests", "setuptools", "certifi",
"charset-normalizer", "idna", "python-dateutil", "typing-extensions",
"s3transfer", "pip", "pyyaml", "numpy", "packaging", "aiobotocore",
"jmespath", "six", "wheel", "cryptography", "cffi", "pycparser",
"attrs", "platformdirs", "colorama", "jinja2", "markupsafe", "pyasn1",
"pyjwt", "rsa", "pillow", "grpcio", "pandas", "scipy", "protobuf",
"google-api-core", "googleapis-common-protos", "pytz", "click",
"decorator", "wrapt", "importlib-metadata", "zipp", "tomli",
"filelock", "pluggy", "virtualenv", "pyarrow", "fsspec", "aiohttp",
"multidict", "yarl", "frozenlist", "aiosignal", "soupsieve",
"beautifulsoup4", "lxml", "chardet", "tqdm", "openpyxl", "flask",
"werkzeug", "itsdangerous", "pygments", "jsonschema", "pydantic",
"docutils", "babel", "more-itertools", "psutil", "scikit-learn",
"matplotlib", "sqlalchemy", "greenlet", "httpx", "httpcore",
"anyio", "sniffio", "h11", "rich", "markdown-it-py", "mdurl",
"pymysql", "psycopg2", "redis", "celery", "django", "fastapi",
"uvicorn", "starlette", "gunicorn", "tornado", "paramiko",
"pytest", "coverage", "mypy", "black", "isort", "flake8",
"pylint", "bandit", "pre-commit", "sphinx", "mkdocs",
"transformers", "torch", "tensorflow", "keras", "langchain",
"openai", "anthropic", "tiktoken", "tokenizers", "huggingface-hub",
"docker", "kubernetes", "ansible", "fabric", "invoke",
"httplib2", "google-auth", "cachetools", "oauthlib",
"requests-oauthlib", "pyopenssl", "regex", "networkx",
"pynacl", "bcrypt", "arrow", "pendulum", "toml",
]
def levenshtein(s1: str, s2: str) -> int:
"""Compute Levenshtein edit distance between two strings."""
if len(s1) < len(s2):
return levenshtein(s2, s1)
if len(s2) == 0:
return len(s1)
prev = range(len(s2) + 1)
for i, c1 in enumerate(s1):
curr = [i + 1]
for j, c2 in enumerate(s2):
cost = 0 if c1 == c2 else 1
curr.append(min(curr[j] + 1, prev[j + 1] + 1, prev[j] + cost))
prev = curr
return prev[len(s2)]
def normalize_name(name: str) -> str:
"""Normalize package name per PEP 503."""
return re.sub(r"[-_.]+", "-", name).lower()
# ── Data structures ──
@dataclass
class TrustSignal:
name: str
value: str
score: int # 0–100 contribution
weight: float # importance multiplier
detail: str = ""
@dataclass
class PackageReport:
name: str
normalized: str
exists: bool = False
trust_score: float = 0.0
risk_level: str = "UNKNOWN" # TRUSTED, CAUTION, WARNING, DANGER, NOT_FOUND
signals: list[TrustSignal] = field(default_factory=list)
similar_to: str = ""
error: str = ""
# Raw metadata
summary: str = ""
version: str = ""
author: str = ""
home_page: str = ""
releases_count: int = 0
first_release: str = ""
latest_release: str = ""
maintainers: int = 0
def fetch_pypi_metadata(package_name: str, timeout: int = 10) -> Optional[dict]:
"""Fetch package metadata from PyPI JSON API."""
url = f"https://pypi.org/pypi/{package_name}/json"
req = urllib.request.Request(url, headers={"Accept": "application/json"})
try:
with urllib.request.urlopen(req, timeout=timeout) as resp:
return json.loads(resp.read().decode())
except urllib.error.HTTPError as e:
if e.code == 404:
return None
raise
except (urllib.error.URLError, TimeoutError):
return None
def fetch_download_stats(package_name: str, timeout: int = 10) -> Optional[int]:
"""Fetch recent download count from PyPI Stats API (pepy.tech fallback: pypistats)."""
# Use pypistats.org API (no auth needed for basic stats)
url = f"https://pypistats.org/api/packages/{package_name}/recent"
req = urllib.request.Request(url, headers={"Accept": "application/json"})
try:
with urllib.request.urlopen(req, timeout=timeout) as resp:
data = json.loads(resp.read().decode())
return data.get("data", {}).get("last_month")
except (urllib.error.HTTPError, urllib.error.URLError, TimeoutError):
return None
def check_name_similarity(name: str) -> tuple[str, int]:
"""Check if package name is suspiciously similar to a popular package.
Returns (closest_match, edit_distance).
"""
norm = normalize_name(name)
best_match = ""
best_dist = 999
for popular in POPULAR_PACKAGES:
pop_norm = normalize_name(popular)
if norm == pop_norm:
return popular, 0 # exact match — it IS the popular package
dist = levenshtein(norm, pop_norm)
if dist < best_dist:
best_dist = dist
best_match = popular
return best_match, best_dist
def analyze_package(name: str, timeout: int = 10) -> PackageReport:
"""Analyze a single package and produce a trust report."""
report = PackageReport(name=name, normalized=normalize_name(name))
signals: list[TrustSignal] = []
# 1. Check existence on PyPI
meta = fetch_pypi_metadata(name, timeout=timeout)
if meta is None:
report.exists = False
report.risk_level = "NOT_FOUND"
report.trust_score = 0.0
report.signals = [TrustSignal(
name="existence",
value="NOT FOUND",
score=0,
weight=1.0,
detail=f"Package '{name}' does not exist on PyPI. "
"This may be a hallucinated package name from an AI assistant."
)]
# Still check name similarity for context
closest, dist = check_name_similarity(name)
if 0 < dist <= 2:
report.similar_to = closest
report.signals.append(TrustSignal(
name="name_similarity",
value=f"edit distance {dist} from '{closest}'",
score=0,
weight=0.5,
detail=f"Name is very similar to popular package '{closest}'. "
"Could be a typo or slopsquatting target."
))
return report
report.exists = True
info = meta.get("info", {})
releases = meta.get("releases", {})
# Store metadata
report.summary = info.get("summary", "") or ""
report.version = info.get("version", "") or ""
report.author = info.get("author", "") or info.get("author_email", "") or ""
report.home_page = (info.get("home_page", "") or
info.get("project_url", "") or
info.get("package_url", "") or "")
report.releases_count = len(releases)
# Parse project URLs for repo link
project_urls = info.get("project_urls") or {}
repo_url = ""
repo_hosts = ("github.com", "gitlab.com", "bitbucket.org", "codeberg.org", "sr.ht")
# Check explicit project URL keys first
for key in ("Source", "Repository", "Source Code", "GitHub", "Homepage", "Code",
"Source code", "source", "repository", "Bug Tracker"):
val = project_urls.get(key, "")
if val and any(h in val for h in repo_hosts):
repo_url = val
break
# Fallback: check any project URL value
if not repo_url:
for val in project_urls.values():
if val and any(h in val for h in repo_hosts):
repo_url = val
break
# Last resort: home_page
if not repo_url:
hp = info.get("home_page", "") or ""
if hp and any(h in hp for h in repo_hosts):
repo_url = hp
report.home_page = hp
# Parse release dates
release_dates = []
for ver, files in releases.items():
for f in files:
upload = f.get("upload_time_iso_8601") or f.get("upload_time")
if upload:
try:
dt = datetime.fromisoformat(upload.replace("Z", "+00:00"))
release_dates.append(dt)
except (ValueError, TypeError):
pass
break # one date per version is enough
if release_dates:
release_dates.sort()
report.first_release = release_dates[0].strftime("%Y-%m-%d")
report.latest_release = release_dates[-1].strftime("%Y-%m-%d")
# ── Score each trust signal ──
# Signal 1: Age (days since first release)
age_days = 0
if release_dates:
age_days = (datetime.now(timezone.utc) - release_dates[0]).days
if age_days >= 730: # 2+ years
age_score = 100
age_detail = f"Package is {age_days} days old (well-established)"
elif age_days >= 365:
age_score = 75
age_detail = f"Package is {age_days} days old (established)"
elif age_days >= 90:
age_score = 50
age_detail = f"Package is {age_days} days old (relatively new)"
elif age_days >= 30:
age_score = 25
age_detail = f"Package is {age_days} days old (new)"
else:
age_score = 5
age_detail = f"Package is {age_days} days old (very new — suspicious)"
signals.append(TrustSignal("age", f"{age_days} days", age_score, 0.20, age_detail))
# Signal 2: Downloads (monthly)
downloads = fetch_download_stats(name, timeout=timeout)
if downloads is not None:
if downloads >= 1_000_000:
dl_score = 100
dl_detail = f"{downloads:,} monthly downloads (very popular)"
elif downloads >= 100_000:
dl_score = 85
dl_detail = f"{downloads:,} monthly downloads (popular)"
elif downloads >= 10_000:
dl_score = 65
dl_detail = f"{downloads:,} monthly downloads (moderate)"
elif downloads >= 1_000:
dl_score = 40
dl_detail = f"{downloads:,} monthly downloads (low)"
elif downloads >= 100:
dl_score = 20
dl_detail = f"{downloads:,} monthly downloads (very low)"
else:
dl_score = 5
dl_detail = f"{downloads:,} monthly downloads (negligible — suspicious)"
signals.append(TrustSignal("downloads", f"{downloads:,}/month", dl_score, 0.25, dl_detail))
else:
# If we can't fetch stats but it's a known popular package, give benefit of doubt
norm = normalize_name(name)
if any(normalize_name(p) == norm for p in POPULAR_PACKAGES):
signals.append(TrustSignal("downloads", "unknown (popular)", 80, 0.25,
"Could not fetch download stats, but package is in popular list"))
else:
signals.append(TrustSignal("downloads", "unknown", 30, 0.25,
"Could not fetch download stats"))
# Signal 3: Release count (maturity)
rc = report.releases_count
if rc >= 20:
rc_score = 100
rc_detail = f"{rc} releases (mature)"
elif rc >= 10:
rc_score = 75
rc_detail = f"{rc} releases (active development)"
elif rc >= 5:
rc_score = 50
rc_detail = f"{rc} releases (some history)"
elif rc >= 2:
rc_score = 25
rc_detail = f"{rc} releases (minimal history)"
else:
rc_score = 10
rc_detail = f"{rc} release(s) (very minimal — suspicious)"
signals.append(TrustSignal("releases", str(rc), rc_score, 0.10, rc_detail))
# Signal 4: Description quality
desc = report.summary.strip()
if len(desc) >= 50:
desc_score = 100
desc_detail = "Has a meaningful description"
elif len(desc) >= 20:
desc_score = 60
desc_detail = "Has a short description"
elif len(desc) > 0:
desc_score = 30
desc_detail = "Has a minimal description"
else:
desc_score = 5
desc_detail = "No description — suspicious"
signals.append(TrustSignal("description", desc[:80] if desc else "(empty)", desc_score, 0.05, desc_detail))
# Signal 5: Source repository
if repo_url:
repo_score = 100
repo_detail = f"Links to source repository: {repo_url}"
elif report.home_page:
repo_score = 40
repo_detail = f"Has homepage but no source repo link: {report.home_page}"
else:
repo_score = 10
repo_detail = "No source repository or homepage — suspicious"
signals.append(TrustSignal("repository", repo_url or "(none)", repo_score, 0.15, repo_detail))
# Signal 6: Name similarity to popular packages (typosquatting / slopsquatting)
closest, dist = check_name_similarity(name)
if dist == 0:
# IS a popular package
sim_score = 100
sim_detail = f"This IS the well-known package '{closest}'"
elif dist == 1:
sim_score = 10
sim_detail = f"Name is 1 edit away from popular package '{closest}' — possible typosquat!"
report.similar_to = closest
elif dist == 2:
sim_score = 30
sim_detail = f"Name is 2 edits from popular package '{closest}' — check carefully"
report.similar_to = closest
else:
sim_score = 80
sim_detail = f"Name is not confusable with popular packages (closest: '{closest}', distance: {dist})"
signals.append(TrustSignal("name_similarity", f"dist={dist} from '{closest}'", sim_score, 0.15, sim_detail))
# Signal 7: Recent activity (days since last release)
if release_dates:
days_since = (datetime.now(timezone.utc) - release_dates[-1]).days
if days_since <= 90:
act_score = 100
act_detail = f"Last release {days_since} days ago (actively maintained)"
elif days_since <= 365:
act_score = 70
act_detail = f"Last release {days_since} days ago (maintained)"
elif days_since <= 730:
act_score = 40
act_detail = f"Last release {days_since} days ago (possibly stale)"
else:
act_score = 15
act_detail = f"Last release {days_since} days ago (likely abandoned)"
signals.append(TrustSignal("activity", f"{days_since} days since last release", act_score, 0.10, act_detail))
else:
signals.append(TrustSignal("activity", "unknown", 30, 0.10, "Could not determine release activity"))
# ── Compute weighted trust score ──
total_weight = sum(s.weight for s in signals)
weighted_sum = sum(s.score * s.weight for s in signals)
report.trust_score = round(weighted_sum / total_weight, 1) if total_weight > 0 else 0
report.signals = signals
# ── Assign risk level ──
if report.trust_score >= 80:
report.risk_level = "TRUSTED"
elif report.trust_score >= 60:
report.risk_level = "CAUTION"
elif report.trust_score >= 40:
report.risk_level = "WARNING"
else:
report.risk_level = "DANGER"
return report
# ── Dependency file parsers ──
def parse_requirements_txt(path: Path) -> list[str]:
"""Parse package names from requirements.txt."""
packages = []
for line in path.read_text().splitlines():
line = line.strip()
if not line or line.startswith("#") or line.startswith("-"):
continue
# Handle: package==1.0, package>=1.0, package[extra], package @ url
match = re.match(r"^([A-Za-z0-9][\w.\-]*)", line)
if match:
packages.append(match.group(1))
return packages
def parse_pyproject_toml(path: Path) -> list[str]:
"""Parse package names from pyproject.toml dependencies."""
packages = []
content = path.read_text()
# Simple parser: find lines in [project] dependencies or [tool.poetry.dependencies]
in_deps = False
for line in content.splitlines():
stripped = line.strip()
if stripped in ("[project]", "[tool.poetry.dependencies]"):
in_deps = False
if "dependencies" in stripped and "=" in stripped:
# Inline list: dependencies = ["package1", "package2>=1.0"]
bracket_match = re.findall(r'"([^"]+)"', stripped)
for dep in bracket_match:
m = re.match(r"^([A-Za-z0-9][\w.\-]*)", dep)
if m:
packages.append(m.group(1))
if "[" in stripped and "]" not in stripped:
in_deps = True
continue
if in_deps:
if stripped.startswith("]"):
in_deps = False
continue
bracket_match = re.findall(r'"([^"]+)"', stripped)
for dep in bracket_match:
m = re.match(r"^([A-Za-z0-9][\w.\-]*)", dep)
if m:
packages.append(m.group(1))
# poetry style: package = "^1.0" or package = {version = "..."}
if "=" in stripped and not stripped.startswith("#") and not stripped.startswith("["):
m = re.match(r'^([A-Za-z0-9][\w.\-]*)\s*=', stripped)
if m and m.group(1).lower() != "python":
packages.append(m.group(1))
return packages
def detect_and_parse(path: Path) -> list[str]:
"""Auto-detect file type and parse package names."""
name = path.name.lower()
if name == "pyproject.toml":
return parse_pyproject_toml(path)
elif name in ("requirements.txt", "requirements-dev.txt", "requirements_dev.txt") or name.startswith("requirements"):
return parse_requirements_txt(path)
else:
# Try requirements.txt format by default
return parse_requirements_txt(path)
# ── Output formatting ──
RISK_COLORS = {
"TRUSTED": "\033[92m", # green
"CAUTION": "\033[93m", # yellow
"WARNING": "\033[91m", # red
"DANGER": "\033[1;91m", # bold red
"NOT_FOUND": "\033[1;95m", # bold magenta
"UNKNOWN": "\033[90m", # gray
}
RESET = "\033[0m"
BOLD = "\033[1m"
RISK_ICONS = {
"TRUSTED": "✅",
"CAUTION": "⚠️ ",
"WARNING": "🔶",
"DANGER": "🚨",
"NOT_FOUND": "❌",
"UNKNOWN": "❓",
}
def format_report_text(reports: list[PackageReport], verbose: bool = False, color: bool = True) -> str:
"""Format reports as human-readable text."""
lines = []
c = RISK_COLORS if color else {k: "" for k in RISK_COLORS}
r = RESET if color else ""
b = BOLD if color else ""
lines.append(f"\n{b}deptrust v{__version__} — Dependency Trust Scanner{r}")
lines.append(f"{'─' * 60}")
# Summary counts
counts = {}
for rpt in reports:
counts[rpt.risk_level] = counts.get(rpt.risk_level, 0) + 1
summary_parts = []
for level in ("TRUSTED", "CAUTION", "WARNING", "DANGER", "NOT_FOUND"):
if level in counts:
icon = RISK_ICONS.get(level, "")
summary_parts.append(f"{icon} {counts[level]} {level}")
lines.append(f" {' │ '.join(summary_parts)}")
lines.append(f"{'─' * 60}\n")
# Sort: NOT_FOUND and DANGER first
priority = {"NOT_FOUND": 0, "DANGER": 1, "WARNING": 2, "CAUTION": 3, "TRUSTED": 4, "UNKNOWN": 5}
sorted_reports = sorted(reports, key=lambda r: (priority.get(r.risk_level, 5), -r.trust_score))
for rpt in sorted_reports:
icon = RISK_ICONS.get(rpt.risk_level, "❓")
clr = c.get(rpt.risk_level, "")
score_str = f"{rpt.trust_score:.0f}/100" if rpt.exists else "N/A"
lines.append(f" {icon} {b}{rpt.name}{r} {clr}{rpt.risk_level}{r} ({score_str})")
if rpt.similar_to:
lines.append(f" ↳ Similar to popular package: {b}{rpt.similar_to}{r}")
if not rpt.exists:
lines.append(f" ↳ Package does NOT exist on PyPI!")
if rpt.similar_to:
lines.append(f" ↳ Did you mean '{rpt.similar_to}'?")
if verbose and rpt.signals:
for sig in rpt.signals:
bar = "█" * (sig.score // 10) + "░" * (10 - sig.score // 10)
lines.append(f" {sig.name:20s} [{bar}] {sig.score:3d} {sig.detail}")
lines.append("")
# Footer
danger_count = counts.get("DANGER", 0) + counts.get("NOT_FOUND", 0)
if danger_count > 0:
lines.append(f"{c['DANGER']}⚠ {danger_count} package(s) need immediate attention!{r}")
elif counts.get("WARNING", 0) > 0:
lines.append(f"{c['WARNING']}⚠ {counts['WARNING']} package(s) flagged for review.{r}")
else:
lines.append(f"{c['TRUSTED']}✓ All packages look trustworthy.{r}")
lines.append("")
return "\n".join(lines)
def format_report_json(reports: list[PackageReport]) -> str:
"""Format reports as JSON."""
output = []
for rpt in reports:
d = {
"name": rpt.name,
"normalized": rpt.normalized,
"exists": rpt.exists,
"trust_score": rpt.trust_score,
"risk_level": rpt.risk_level,
"similar_to": rpt.similar_to,
"summary": rpt.summary,
"version": rpt.version,
"releases_count": rpt.releases_count,
"first_release": rpt.first_release,
"latest_release": rpt.latest_release,
"signals": [
{"name": s.name, "score": s.score, "weight": s.weight, "detail": s.detail}
for s in rpt.signals
],
}
output.append(d)
return json.dumps({"version": __version__, "packages": output}, indent=2)
# ── CLI ──
def main():
parser = argparse.ArgumentParser(
prog="deptrust",
description="Scan Python dependencies for trust signals. Catch slopsquatting before you install.",
formatter_class=argparse.RawDescriptionHelpFormatter,
epilog="""
Examples:
deptrust requirements.txt # Scan a requirements file
deptrust pyproject.toml # Scan pyproject.toml
deptrust -p requests flask boto3 # Check specific packages
deptrust requirements.txt -v # Verbose: show all trust signals
deptrust requirements.txt --json # JSON output for CI
deptrust requirements.txt --min-score 60 # Fail if any package scores below 60
""",
)
parser.add_argument("files", nargs="*", help="Dependency files to scan (requirements.txt, pyproject.toml)")
parser.add_argument("-p", "--packages", nargs="+", help="Check specific package names directly")
parser.add_argument("-v", "--verbose", action="store_true", help="Show detailed trust signals")
parser.add_argument("--json", dest="json_output", action="store_true", help="Output as JSON")
parser.add_argument("--no-color", action="store_true", help="Disable colored output")
parser.add_argument("--min-score", type=float, default=0, help="Exit 1 if any package scores below this (CI mode)")
parser.add_argument("--timeout", type=int, default=10, help="HTTP timeout in seconds (default: 10)")
parser.add_argument("--workers", type=int, default=8, help="Concurrent API requests (default: 8)")
parser.add_argument("--version", action="version", version=f"deptrust {__version__}")
args = parser.parse_args()
# Collect package names
packages: list[str] = []
if args.packages:
packages.extend(args.packages)
if args.files:
for fpath in args.files:
p = Path(fpath)
if not p.exists():
print(f"Error: File not found: {fpath}", file=sys.stderr)
sys.exit(1)
parsed = detect_and_parse(p)
if not parsed:
print(f"Warning: No packages found in {fpath}", file=sys.stderr)
packages.extend(parsed)
if not packages:
parser.print_help()
sys.exit(0)
# Deduplicate while preserving order
seen = set()
unique = []
for pkg in packages:
norm = normalize_name(pkg)
if norm not in seen:
seen.add(norm)
unique.append(pkg)
packages = unique
# Analyze packages concurrently
reports: list[PackageReport] = []
if not args.json_output:
print(f"\nScanning {len(packages)} package(s)...\n", file=sys.stderr)
with ThreadPoolExecutor(max_workers=args.workers) as pool:
futures = {pool.submit(analyze_package, pkg, args.timeout): pkg for pkg in packages}
for future in as_completed(futures):
pkg = futures[future]
try:
report = future.result()
reports.append(report)
except Exception as e:
rpt = PackageReport(name=pkg, normalized=normalize_name(pkg), error=str(e))
reports.append(rpt)
# Sort by original order
pkg_order = {name: i for i, name in enumerate(packages)}
reports.sort(key=lambda r: pkg_order.get(r.name, 999))
# Output
if args.json_output:
print(format_report_json(reports))
else:
color = not args.no_color and sys.stdout.isatty()
print(format_report_text(reports, verbose=args.verbose, color=color))
# CI mode: exit 1 if any package below threshold
if args.min_score > 0:
failed = [r for r in reports if r.trust_score < args.min_score or not r.exists]
if failed:
if not args.json_output:
print(f"FAILED: {len(failed)} package(s) below trust score {args.min_score}", file=sys.stderr)
sys.exit(1)
# Also exit 1 if any NOT_FOUND
not_found = [r for r in reports if not r.exists]
if not_found:
sys.exit(1)
if __name__ == "__main__":
main()