SourceCode-AI / aura

Python source code auditing and static analysis on a large scale
GNU General Public License v3.0

.. image:: https://cdn.sourcecode.ai/imgs/logotype.png
   :target: https://aura.sourcecode.ai/

======

.. class:: center

|homepage_flair| |docs_flair| |docker_flair|
|license_flair| |travis_flair| |pypi_flair|

Source code auditing and static code analysis

Aura is a static analysis framework developed as a response to the ever-increasing threat of malicious packages and vulnerable code published on PyPI.

Project goals:

Feature list:

Didn't find what you are looking for? Aura's architecture is based on a robust plugin system in which you can customize almost anything, from the set of data analyzers and transport protocols to custom output formats.

Installation
============

::

    # Via pip:
    pip install aura-security[full]
    # or build from source/git
    poetry install --no-dev -E full

Or just use the prebuilt docker image ``sourcecodeai/aura:dev``.

Running Aura
============

::

    docker run -ti --rm sourcecodeai/aura:dev scan pypi://requests -v

Aura uses so-called URIs to identify the protocol and the location to scan. If no protocol is given, the scan argument is treated as a path to a file or directory on the local system.

.. image:: files/imgs/aura_scan.png

Diff packages::

    docker run -ti --rm sourcecodeai/aura:dev diff pypi://requests pypi://requests2

.. image:: docs/source/_static/imgs/aura_diff.png

Find the most popular typosquatted packages (you need to run ``aura update`` first to download the dataset)::

    aura find-typosquatting --max-distance 2 --limit 10

.. image:: https://asciinema.org/a/367999.svg
   :target: https://asciinema.org/a/367999


.. image:: files/imgs/download_dataset.png
   :target: https://cdn.sourcecode.ai/pypi_datasets/index/datasets.html
   :align: center
   :width: 256

Why Aura?
=========

While there are other tools whose functionality overlaps with Aura, such as Bandit, dlint, or semgrep, their focus is different, which affects both what they do and how they are used. These alternatives are mainly intended to be used like linters: integrated into IDEs and run frequently during development, which makes it important to minimize false positives and, ideally, to report findings with clear, actionable explanations.

Aura, on the other hand, reports on the behavior of the code, anomalies, and vulnerabilities with as much information as possible, at the cost of false positives. Many things reported by Aura are not necessarily actionable by the user, but they tell you a lot about the behavior of the code, such as network communication, access to sensitive files, or the use of mechanisms associated with obfuscation that indicate possibly malicious code. By collecting this kind of data and aggregating it, Aura can be compared in functionality to other security systems such as antivirus, IDS, or firewalls, which essentially perform the same analysis but on a different kind of data (network communication, running processes, etc.).
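To make the distinction concrete, here is an added example (not Aura's code, and not its rule set) of what "reporting on behavior" looks like at the AST level: a small scanner that walks a Python module once and emits findings for the three signal classes named above, network communication, access to sensitive files, and obfuscation (dynamic code execution fed by decoded data). The indicator tables, the ``Finding`` type and the ``SAMPLE`` source are all constructed for this example; the point is that every finding is evidence about behavior, not a verdict, which is exactly the high-recall trade-off described in the paragraph.

```python
"""Tiny behaviour-indicator scanner for Python source.

Added example, not Aura's code: it shows the kind of signals the README
describes (network communication, sensitive file access, obfuscation) being
extracted from the AST and reported as findings rather than a verdict.
"""
from __future__ import annotations

import ast
from dataclasses import dataclass

# Indicator tables are assumptions for this example, not Aura's real rule set.
NETWORK_MODULES = {"socket", "urllib", "urllib.request", "requests", "http.client", "ftplib"}
SENSITIVE_PATHS = ("/etc/passwd", "/etc/shadow", ".ssh/", ".aws/credentials", ".netrc")
DYNAMIC_EXEC = {"exec", "eval", "compile", "__import__"}
DECODERS = {"b64decode", "decompress", "unhexlify"}


@dataclass(frozen=True)
class Finding:
    kind: str      # indicator category
    line: int      # source line of the node that triggered it
    detail: str    # human-readable evidence


def _dotted_name(node: ast.AST) -> str:
    """Render a Name/Attribute chain (e.g. urllib.request.urlopen) as a string."""
    parts = []
    while isinstance(node, ast.Attribute):
        parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
    return ".".join(reversed(parts))


def _calls_decoder(node: ast.AST) -> bool:
    """True if any call in the subtree ends in a known decode/decompress name."""
    return any(
        isinstance(sub, ast.Call)
        and _dotted_name(sub.func).rsplit(".", 1)[-1] in DECODERS
        for sub in ast.walk(node)
    )


def scan_source(source: str) -> list[Finding]:
    """Walk the AST once and collect behaviour indicators (high recall, low precision)."""
    findings: list[Finding] = []
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name in NETWORK_MODULES:
                    findings.append(Finding("network", node.lineno, f"import {alias.name}"))
        elif isinstance(node, ast.ImportFrom) and node.module in NETWORK_MODULES:
            findings.append(Finding("network", node.lineno, f"from {node.module} import ..."))
        elif isinstance(node, ast.Constant) and isinstance(node.value, str):
            # Sensitive file access: any string literal naming a credential path
            if any(p in node.value for p in SENSITIVE_PATHS):
                findings.append(Finding("sensitive_file", node.lineno, node.value))
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func)
            if name in DYNAMIC_EXEC:
                # exec()/eval() on freshly decoded data is the classic obfuscation shape
                kind = "obfuscated_exec" if any(_calls_decoder(a) for a in node.args) else "dynamic_exec"
                findings.append(Finding(kind, node.lineno, f"{name}(...)"))
    return sorted(findings, key=lambda f: (f.line, f.kind))


# Constructed sample input; the base64 payload decodes to print('hi').
SAMPLE = """\
import base64
import socket
key = open("/home/user/.ssh/id_rsa").read()
exec(base64.b64decode("cHJpbnQoJ2hpJyk="))
conn = socket.socket()
"""

if __name__ == "__main__":
    for f in scan_source(SAMPLE):
        print(f"line {f.line:>3}  {f.kind:<16} {f.detail}")
```

Running it on ``SAMPLE`` yields one finding per line 2, 3 and 4. None of them is a bug to fix in the linter sense, and ``socket`` or ``exec`` on their own are common in legitimate code; it is the aggregate (credential path plus decoded ``exec`` plus networking in a few lines) that a triage workflow or a package-wide dataset would flag, which is the kind of signal collection the paragraph above describes.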

Here is a quick overview of differences between Aura and other similar linters and SAST tools:

Authors & Contributors
======================

Donate
======

LICENSE
=======

Aura framework is licensed under the GPL-3.0. Datasets produced from global scans using Aura are released under the CC BY-NC 4.0 license. Use the following citation when using Aura or data produced by Aura in research:

::

    @misc{Carnogursky2019thesis,
        AUTHOR = "CARNOGURSKY, Martin",
        TITLE = "Attacks on package managers [online]",
        YEAR = "2019 [cit. 2020-11-02]",
        TYPE = "Bachelor Thesis",
        SCHOOL = "Masaryk University, Faculty of Informatics, Brno",
        SUPERVISOR = "Vit Bukac",
        URL = "Available at WWW <https://is.muni.cz/th/y41ft/>",
    }

.. |homepage_flair| image:: https://img.shields.io/badge/Homepage-aura.sourcecode.ai-blue
   :target: https://aura.sourcecode.ai/
   :align: middle

.. |docs_flair| image:: https://img.shields.io/badge/-Documentation-blue
   :target: https://docs.aura.sourcecode.ai/
   :align: middle

.. |docker_flair| image:: https://img.shields.io/badge/docker-SourceCodeAI/aura-blue
   :target: https://hub.docker.com/r/sourcecodeai/aura
   :align: middle

.. |license_flair| image:: https://img.shields.io/github/license/SourceCode-AI/aura?color=blue

.. |travis_flair| image:: https://travis-ci.com/SourceCode-AI/aura.svg?branch=dev

.. |pypi_flair| image:: https://badge.fury.io/py/aura-security.svg
   :target: https://pypi.org/project/aura-security/
   :align: middle