AI-powered security scanning for Python packages
Catch typosquatting, malicious code, and supply chain attacks before they reach your environment.
depsec sits between you and pip, analyzing every package before it touches your system.
Uses pip's dependency resolver to map the full dependency tree, catching every transitive dependency.
3-tier analysis pipeline: heuristic checks, AST scanning of source code, then AI review for flagged packages.
Only installs packages that pass all security checks. Blocked packages are reported, never installed.
From simple typos to sophisticated supply chain attacks, depsec has you covered.
Detects packages with names similar to popular packages, like reqeusts vs requests.
AST analysis flags suspicious patterns in setup.py: exec(), eval(), subprocess calls, and network access.
Queries the OSV database for known CVEs affecting the package and its resolved version.
Detects base64 encoding, eval chains, and other techniques used to hide malicious behavior.
Flags brand-new packages, packages with no homepage, and single-maintainer projects.
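An added example (not depsec's own code) of the AST scan and name-similarity checks described above: a two-pass walk over a constructed setup.py that flags exec/eval, subprocess, network and base64 usage, tracking from-import aliases so that `request.urlopen` is still attributed to urllib, plus a difflib-based look-alike check. The module categories, the 0.8 similarity threshold and the popular-package list are assumptions standing in for depsec's real rules.

```python
import ast
import difflib
# Constructed sample setup.py (illustrative only): exec() on decoded data, a
# subprocess call, a network fetch, and a name one transposition away from "requests".
SAMPLE_SETUP_PY = '''import base64, subprocess
from urllib import request
from setuptools import setup
exec(base64.b64decode("cHJpbnQoJ2hpJyk="))
subprocess.run(["echo", "hi"])
request.urlopen("http://example.invalid/")
setup(name="reqeusts", version="0.1")
'''
DYNAMIC_CALLS = {"exec", "eval"}
FLAGGED_MODULES = {"subprocess": "subprocess", "socket": "network", "urllib": "network",
                   "http": "network", "requests": "network", "base64": "encoding"}
POPULAR = {"requests", "numpy", "urllib3", "setuptools"}  # stand-in for a real popularity list
def _root(node):  # leftmost name of a Name/Attribute chain: 'subprocess' for subprocess.run
    while isinstance(node, ast.Attribute):
        node = node.value
    return node.id if isinstance(node, ast.Name) else None

def scan_setup_py(source):
    """Return sorted (line, category, detail) tuples for the suspicious patterns above."""
    tree, findings, alias = ast.parse(source), [], {}  # alias: local name -> module root
    for node in ast.walk(tree):  # pass 1: imports, recording aliases like `from urllib import request`
        if isinstance(node, ast.Import):
            pairs = [((a.asname or a.name).split(".")[0], a.name.split(".")[0]) for a in node.names]
        elif isinstance(node, ast.ImportFrom) and node.module:
            pairs = [(a.asname or a.name, node.module.split(".")[0]) for a in node.names]
        else:
            continue
        for local, root in pairs:
            alias[local] = root
            if root in FLAGGED_MODULES:
                findings.append((node.lineno, FLAGGED_MODULES[root], f"import {root}"))
    for node in ast.walk(tree):  # pass 2: calls to exec/eval or into a flagged module
        if isinstance(node, ast.Call):
            root = _root(node.func)
            if isinstance(node.func, ast.Name) and root in DYNAMIC_CALLS:
                findings.append((node.lineno, "dynamic-code", f"{root}()"))
            elif alias.get(root) in FLAGGED_MODULES:
                findings.append((node.lineno, FLAGGED_MODULES[alias[root]], f"{root} call"))
    return sorted(findings)

def typosquat_candidate(name, popular=POPULAR, threshold=0.8):  # most similar popular name, or None
    if name in popular:
        return None
    scores = {p: difflib.SequenceMatcher(None, name, p).ratio() for p in popular}
    best = max(scores, key=scores.get)
    return best if scores[best] >= threshold else None
```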
When a package gets flagged by heuristics or AST scanning, depsec sends the relevant code to an LLM for deeper analysis. The AI reviews the code for patterns that rule-based systems miss.
Not every package triggers AI review — only those that raise initial suspicion. This keeps scans fast while ensuring thorough analysis where it matters.
Install depsec and start scanning. Drop-in replacement for pip install.