PyGarde

pygarde
PyPI · Security · Featured · v1.0.1 · MIT

🐍 PYGARDE (`pyw`) — Python Supply Chain Security Guardian. Scans, audits, and hardens your Python package ecosystem against supply-chain attacks before malicious code ever runs.

Published Apr 2026
Updated Apr 2026

Installation

$ pipx install pygarde
$ pip install pygarde

Why it exists

Python's pip install is notoriously permissive: install scripts run with full user privileges, there's no built-in malware scanning, and typosquatting attacks (PyPI has had dozens of high-profile incidents) can silently install malicious packages. PyGarde was built to be the security gate that `pip` doesn't have — scan before you install, harden your pip.conf, and catch supply-chain attacks before they execute. It's the Python sibling of PkgWarden, built with the same philosophy but tailored to pip, Poetry, uv, and pipenv workflows.

Features

🚦 Pre-Install Security Gate

Replace `pip install` with `pyw install`. PyGarde downloads the package, scans it for threats, and only proceeds with installation if it passes. Configurable severity threshold — block on `medium` or only on `critical`.

🔭 Deep Package Scanner

Static-scan any PyPI package without touching your environment. Detects eval/exec patterns, subprocess with shell=True, base64-decoded payloads, hidden Unicode characters (Trojan Source CVE-2021-42574), and outbound HTTP to suspicious hosts.
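
As an added illustration of the static checks listed above (not PyGarde's own code or rules), this example uses Python's `ast` module to flag the same kinds of patterns in a source string without executing it. The rule names, `scan_source`, and the sample input are constructed for this example; calls are matched by literal name, so import aliases are not resolved.

```python
import ast

# Bidirectional control characters abused by Trojan Source (CVE-2021-42574).
BIDI = {chr(c) for c in (*range(0x202A, 0x202F), *range(0x2066, 0x206A))}

def dotted(node):
    """Return a dotted name such as 'subprocess.run' for a call target, else ''."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return ""

def scan_source(source):
    """Return sorted (line, rule) findings for one Python source string."""
    findings = set()
    # Hidden characters are checked on raw text: they usually sit in comments
    # and string literals, which the AST does not expose character by character.
    for lineno, line in enumerate(source.splitlines(), 1):
        if BIDI & set(line):
            findings.add((lineno, "hidden-bidi-char"))
    try:
        tree = ast.parse(source)
    except SyntaxError as exc:
        # Unparseable code cannot be cleared, so report it instead of passing it.
        findings.add((exc.lineno or 0, "unparseable"))
        return sorted(findings)
    for node in ast.walk(tree):
        if not isinstance(node, ast.Call):
            continue
        name = dotted(node.func)
        shell_true = any(kw.arg == "shell" and getattr(kw.value, "value", None) is True
                         for kw in node.keywords)
        if name in ("eval", "exec"):
            findings.add((node.lineno, "dynamic-exec"))
        elif name.startswith("base64.") and "decode" in name:
            findings.add((node.lineno, "base64-decode"))
        elif name.startswith("subprocess.") and shell_true:
            findings.add((node.lineno, "subprocess-shell"))
    return sorted(findings)

# Constructed sample resembling a hostile setup.py; it is parsed, never executed.
SAMPLE = ("import base64, subprocess\nexec(base64.b64decode('cHJpbnQoMSk='))\n"
          "subprocess.run('id', shell=True)\nok = 1  # \u202e hidden\n")

if __name__ == "__main__":
    print(scan_source(SAMPLE))
```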

🛡️ RC Hardening

Analyzes and patches your pip.conf, poetry.toml, or uv.toml. Enforces `require-hashes`, removes dangerous `trusted-host` entries, and pins the registry URL. Three hardening levels: minimal, recommended, strict.

🔀 Version Diff Scanner

Compare two versions of a package and scan only the code that changed. Catches injected malicious code that appears in a minor bump — a common supply-chain attack vector.

📋 Dependency Audit

Audit all project dependencies against known CVEs via pip-audit. With `--deep`, downloads and static-scans every dependency's source for non-CVE threats.

🩺 Security Health Check

The `pyw doctor` command gives your project a security posture score (0–100%) across lockfile presence, RC hardening, detection rules coverage, and allowlist hygiene.

Highlights

  • Scans any PyPI package without installing it — download, analyze, discard
  • Intercepts `pip install` with a security gate: `pyw install requests`
  • Detects 7 threat categories: install scripts, network access, code execution, obfuscation, data exfiltration, hidden chars, typosquatting
  • Hardens pip.conf, poetry.toml, and uv.toml to prevent MITM and registry substitution
  • Supports pip, Poetry, uv, pipenv, pdm, and conda
  • Health check command (`pyw doctor`) scores your project security posture 0–100

Tags: security, cli, pip, poetry, uv, supply-chain, python, audit
