Hipcheck ✓

Helping maintainers assess software packages for long-term risk.

Managing the security risk of third-party software at scale is difficult. Ordinary projects can easily have hundreds of dependencies, far too many to review by hand.

Hipcheck is designed to help you filter that list of dependencies down to just a few that appear concerning, and to give you the information you need to make a security decision quickly.

Hipcheck is a command line interface (CLI) tool for analyzing open source software packages and source repositories to understand their software supply chain risk. It analyzes a project's software development practices and detects active supply chain attacks to give you both a long-term and immediate picture of the risk from using a package.

Very Quick Explanation

Hipcheck can analyze Git source repositories and open source packages from popular package hosts.

# Analyze Express, a popular JavaScript package for web servers, with the
# URL of its Git repository.
hc check https://github.com/expressjs/express

# Analyze urllib3 version 2.2.2, a popular URL-handling package hosted on PyPI.
hc check -t pypi urllib3@2.2.2

# Analyze the package described by an SPDX Software Bill of Materials.
hc check example-sbom.spdx.json

For more information, check out the Quickstart Guide.
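As an added example (not the project's own code or documentation), here is a small POSIX shell wrapper that feeds a dependency list through the three hc check invocations shown above, so a whole manifest can be screened in one pass rather than one package at a time. It assumes hc is installed and on PATH, that a non-zero exit from hc means the analysis failed or could not complete (the README does not state hc's exit-code convention, so treat that as an assumption), and it knows only the target kinds the README shows: a Git URL, a PyPI package, and an SPDX SBOM file. Anything else is skipped with a message. The HC variable is the wrapper's own, not an hc option.

```shell
#!/bin/sh
# Batch-run Hipcheck's `hc check` over a dependency list (added example, not
# part of the Hipcheck project). Uses only the invocation forms shown in the
# README: a Git URL, `-t pypi NAME@VERSION`, and an SPDX SBOM file.
# Set HC to override the binary, e.g. HC=echo for a dry run that prints
# the commands instead of executing them.
HC="${HC:-hc}"

# Map one (kind, target) pair to the matching hc command line.
# Prints the command on stdout; returns 2 for a kind this script does not know.
hc_check_cmd() {
  kind="$1"
  target="$2"
  case "$kind" in
    git)  printf '%s check %s\n' "$HC" "$target" ;;
    pypi) printf '%s check -t pypi %s\n' "$HC" "$target" ;;
    sbom) printf '%s check %s\n' "$HC" "$target" ;;
    *)    return 2 ;;
  esac
}

# Read "KIND TARGET" lines from stdin (blank lines and '#' comments ignored),
# run hc once per line, and return the number of runs that exited non-zero.
# Assumption: a non-zero exit from hc means the check failed or could not run.
run_deps() {
  failed=0
  while read -r kind target; do
    case "$kind" in ''|'#'*) continue ;; esac
    if ! cmd=$(hc_check_cmd "$kind" "$target"); then
      echo "skip: unknown target kind '$kind' for '$target'" >&2
      continue
    fi
    # $cmd is word-split on purpose; the targets here contain no spaces.
    if ! $cmd; then
      failed=$((failed + 1))
    fi
  done
  return "$failed"
}

# Invoke as `sh hc-batch.sh --run < deps.txt`, where deps.txt holds lines like
# the constructed sample below (values taken from the README examples):
#   git https://github.com/expressjs/express
#   pypi urllib3@2.2.2
#   sbom example-sbom.spdx.json
if [ "${1:-}" = "--run" ]; then
  run_deps
  echo "runs with non-zero exit: $?"
fi
```

The non-zero count is returned as the exit status so a CI job can gate on it; to review the generated command lines without touching the network, run the list once with HC=echo first.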

Installation

See the Installation Instructions.

Values

Hipcheck's product values are to be:

  • Configurable: Hipcheck should be adaptable to the policies of its users.
  • Fast: Hipcheck should provide answers quickly.
  • Actionable: Hipcheck should empower users to make informed security decisions.

Read more about Hipcheck's product and project values in RFD #2.

License

Hipcheck's software is licensed under the Apache 2.0 license, which can be found in the LICENSE file in this repository.

Public Release

Note

Approved for Public Release; Distribution Unlimited. Public Release Case Number 22-2145.

Portions of this software were produced for the U.S. Government under Contract No. FA8702-19-C-0001, W56KGU-18-D-0004, and 70RSAT20D00000001 and is subject to the Rights in Noncommercial Computer Software and Noncommercial Computer Software Documentation Clause DFARS 252.227-7014 (FEB 2014).