DataDog / guarddog

:snake: :mag: GuardDog is a CLI tool to Identify malicious PyPI and npm packages
https://securitylabs.datadoghq.com/articles/guarddog-identify-malicious-pypi-packages/
Apache License 2.0
629 stars 44 forks

Alias "pip install" to "guarddog" #22

Open christophetd opened 2 years ago

christophetd commented 2 years ago

Just a random idea I had:

As a: developer
I want to: automatically run pysecurity on every package I install
and that: the installation fails if the package is dangerous
so that: I don't install malicious packages

The idea would be to document a way to have an alias that runs pysecurity, then pip install, and fails if the package is deemed "risky".

Sample usage:

$ securepip install mypackage
Scanning mypackage with pysecurity...
No malicious behavior found, proceeding with pip install

Implementation: the easiest would be to provide a bash function one could add to their .bashrc

quantumpacket commented 2 years ago

How would we get this to work with different package managers like Poetry? According to what I could find Poetry adds extra args when running pip commands, which could break if an alias was added for pip without the proper args.
This was what I plan on doing for Poetry:

  1. Run poetry lock to generate a lock file without installing.
  2. Run poetry export -o requirements.txt to convert lockfile format.
  3. Run pip download -r requirements.txt to download the locked packages.
  4. Scan each package with GuardDog and do stuff...
  5. If all is good then run pip install <package-file-path> for each downloaded package.

If I'm correct, this should scan all packages that would be installed for a project including any dependency? We don't want to just scan an individual package, but also any dependency it installs.

Something similar could be used for the alias as you suggest using steps 3-5.
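
Putting the two proposals together, here is an added example of what such a shell wrapper could look like: a `securepip` function for `~/.bashrc` in the spirit of christophetd's alias idea, built on quantumpacket's steps 3-5 (download the resolved set of artifacts, scan each one, install only if nothing was flagged), plus a small Poetry front-end for steps 1-2. This is illustrative code written for this thread, not GuardDog's own code. It assumes that `guarddog pypi scan` accepts a local sdist/wheel path and that `--exit-non-zero-on-finding` makes it return a non-zero status when it flags a package (check both against the version you have installed), that `pip download -d DIR` writes the full dependency tree into `DIR` without installing, and that `poetry export` is available. `SCANNER` is a hook so the scan step can be swapped out or stubbed.

```bash
#!/usr/bin/env bash
# Added example for this thread, not GuardDog's own code.
# Assumptions (verify against your installed tools):
#   - `guarddog pypi scan <path>` scans a local sdist/wheel and, with
#     --exit-non-zero-on-finding, exits non-zero when the package is flagged.
#   - `pip download -d DIR` resolves the whole dependency tree into DIR.
#   - `poetry export` exists (newer Poetry versions need poetry-plugin-export).

SCANNER="${SCANNER:-guarddog_scan_file}"   # hook: any command taking one path

guarddog_scan_file() {
    # One artifact in, exit status out (assumed guarddog invocation, see above).
    guarddog pypi scan --exit-non-zero-on-finding "$1"
}

# Scan every artifact in a directory. Returns 0 only if all of them pass,
# and keeps going after a hit so the user sees every flagged package.
securepip_scan_dir() {
    local dir=$1 failed=0 total=0 f
    for f in "$dir"/*; do
        [ -e "$f" ] || continue          # empty directory: the glob stays literal
        total=$((total + 1))
        if "$SCANNER" "$f"; then
            echo "ok      $(basename "$f")"
        else
            echo "FLAGGED $(basename "$f")" >&2
            failed=$((failed + 1))
        fi
    done
    echo "scanned $total artifact(s), $failed flagged"
    [ "$failed" -eq 0 ]
}

# Steps 3-5 from the thread: download, scan, then install *the scanned files*
# (--no-index --find-links) rather than re-resolving from the index, so the
# artifact that was scanned is the artifact that gets installed.
securepip() {
    if [ "$1" != "install" ]; then
        command pip "$@"                 # anything but `install` passes through
        return
    fi
    shift
    local dl
    dl=$(mktemp -d) || return 1
    echo "Downloading $* and dependencies into $dl ..."
    if ! command pip download --dest "$dl" "$@"; then
        rm -rf "$dl"; return 1
    fi
    if securepip_scan_dir "$dl"; then
        echo "No malicious behavior found, proceeding with pip install"
        command pip install --no-index --find-links "$dl" "$@"
    else
        echo "Refusing to install: GuardDog flagged at least one package" >&2
        rm -rf "$dl"; return 1
    fi
    rm -rf "$dl"
}

# Steps 1-2 for Poetry: lock, export, then reuse the same download/scan path.
# `poetry export` writes --hash lines by default, so pip only downloads the
# exact artifacts the lock file pins, and `poetry install` later verifies the
# same hashes against whatever it fetches.
securepoetry_check() {
    poetry lock || return 1
    poetry export -o requirements.txt || return 1
    local dl
    dl=$(mktemp -d) || return 1
    command pip download --dest "$dl" -r requirements.txt || { rm -rf "$dl"; return 1; }
    securepip_scan_dir "$dl"
    local rc=$?
    rm -rf "$dl"
    return "$rc"
}

# Usage after sourcing from ~/.bashrc:
#   securepip install mypackage
#   securepoetry_check && poetry install
```

The one property worth keeping whatever you change: install from the directory you scanned (`--no-index --find-links`), or pin with hashes, so a second trip to the index cannot hand you a different file from the one GuardDog looked at.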

christophetd commented 2 years ago

Another way would be to have a "proxy command" directly in GuardDog that emulates the right behavior, e.g. guarddog poetry xxx and guarddog pip install

andrewkrug commented 1 year ago

+1 for adding direct support for the discovery and parsing of manifests that aren't just requirements.txt (like Poetry)

vdeturckheim commented 1 year ago

For reference, Socket security just released a similar thing for npm. I really really like the concept here!