
v1.0.0

@christophetd christophetd released this 09 Feb 13:02
· 660 commits to main since this release
f188e6a

This is a new major version with breaking changes.

What's Changed

Breaking changes:

  • The commands guarddog scan and guarddog verify have been deprecated and will be removed in an upcoming version. Use guarddog pypi scan and guarddog pypi verify instead

New features:

  • Added support for scanning npm packages (guarddog npm scan) and package.json (guarddog npm verify)
  • Support SARIF output to allow for easy use with GitHub Code Scanning
  • Added commands guarddog pypi list-rules and guarddog npm list-rules
  • Support verbose debugging output through guarddog --log-level debug ...

New heuristics:

  • New Python heuristic silent-process-execution to identify packages silently executing processes, similar to the PyTorch attack
  • New PyPI metadata heuristic: repository_integrity_mismatch compares the contents of a package on PyPI with its contents on GitHub, and flags packages that have extraneous or modified files not reflected on GitHub
  • New npm heuristic: typosquatting
  • New npm heuristic: detecting silent process execution
  • New npm heuristic: detecting post and pre-install hooks
  • New npm heuristic: detecting when an npm package serializes process.env
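To make the npm heuristics above and the SARIF output feature concrete, here is an added example (not GuardDog's own code, which implements its JavaScript rules differently) that flags install hooks in a package.json and whole-environment serialization in a package's JavaScript, then emits the findings as a minimal SARIF 2.1.0 document of the kind GitHub Code Scanning ingests. The rule ids, the sample package.json and the sample setup.js are constructed for illustration and are not GuardDog's rule names or a real package.

```python
import json
import re

# Constructed sample inputs (not a real package): a package.json with a
# preinstall hook, and an install script that serializes all of process.env.
SAMPLE_PACKAGE_JSON = json.dumps({
    "name": "example-pkg",
    "version": "1.0.0",
    "scripts": {"preinstall": "node setup.js", "test": "jest"},
})

SAMPLE_SETUP_JS = (
    "// constructed sample, not a real package\n"
    "const os = require('os');\n"
    "const envDump = JSON.stringify(process.env);\n"
    "console.log(os.hostname(), envDump.length);\n"
)

# npm runs these lifecycle scripts automatically on `npm install`.
INSTALL_HOOKS = ("preinstall", "install", "postinstall")

# Patterns that turn the whole environment (tokens, credentials) into data.
ENV_SERIALIZATION_PATTERNS = [
    re.compile(r"JSON\.stringify\(\s*process\.env\s*\)"),
    re.compile(r"Object\.entries\(\s*process\.env\s*\)"),
]


def find_install_hooks(package_json_text: str) -> dict:
    """Return {hook_name: command} for every install-time script in package.json."""
    scripts = json.loads(package_json_text).get("scripts", {})
    return {name: cmd for name, cmd in scripts.items() if name in INSTALL_HOOKS}


def find_env_serialization(js_source: str) -> list:
    """Return 1-based line numbers where process.env is serialized as a whole."""
    return [
        lineno
        for lineno, line in enumerate(js_source.splitlines(), start=1)
        if any(p.search(line) for p in ENV_SERIALIZATION_PATTERNS)
    ]


def scan_npm_package(package_json_text: str, js_files: dict) -> list:
    """Run both heuristics and return findings as plain dicts.

    Rule ids here ("install-hook", "serialize-process-env") are illustrative,
    not GuardDog's own rule names.
    """
    findings = []
    for hook, cmd in find_install_hooks(package_json_text).items():
        findings.append({"rule": "install-hook", "location": "package.json",
                         "detail": f"{hook} script runs on install: {cmd}"})
    for path, source in js_files.items():
        for lineno in find_env_serialization(source):
            findings.append({"rule": "serialize-process-env",
                             "location": f"{path}:{lineno}",
                             "detail": "process.env is serialized as a whole"})
    return findings


def to_sarif(findings: list) -> dict:
    """Convert findings into a minimal SARIF 2.1.0 log (one run, one result per finding)."""
    results = []
    for f in findings:
        uri, _, line = f["location"].partition(":")
        physical = {"artifactLocation": {"uri": uri}}
        if line:
            physical["region"] = {"startLine": int(line)}
        results.append({
            "ruleId": f["rule"],
            "level": "warning",
            "message": {"text": f["detail"]},
            "locations": [{"physicalLocation": physical}],
        })
    rule_ids = sorted({f["rule"] for f in findings})
    return {
        "version": "2.1.0",
        "$schema": "https://json.schemastore.org/sarif-2.1.0.json",
        "runs": [{
            "tool": {"driver": {"name": "example-npm-scanner",
                                "rules": [{"id": r} for r in rule_ids]}},
            "results": results,
        }],
    }


if __name__ == "__main__":
    report = scan_npm_package(SAMPLE_PACKAGE_JSON, {"setup.js": SAMPLE_SETUP_JS})
    print(json.dumps(to_sarif(report), indent=2))
```

The SARIF `region.startLine` is what lets Code Scanning annotate the exact line in a pull request; a finding on package.json as a whole carries only the artifact URI. Real scanners, GuardDog included, use a proper JavaScript parser rather than line regexes, so this example will miss serialization split across lines.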

Cosmetics:

  • GuardDog now has an official logo!
  • README heuristics documentation is now automatically generated and injected in the README

Minor changes:

Full Changelog: v0.1.10...v1.0.0