Security researchers already have several open-source tools at their disposal. Now, GitLab has added one to the arsenal that lets you detect malicious code in dependencies.
The tool is called “Package Hunter”, and it is an important addition that could help secure every type of software.
What is Package Hunter?
Almost every piece of software pulls in dependencies of some kind, which is what makes it possible for a developer to build an app quickly.
While this makes code reuse easy, developers often just “trust” the dependencies they use without reviewing them separately.
Package Hunter comes to the rescue here and lets you easily detect malicious code in a dependency package.
Enhancing Software Supply Chain Security
Many supply chain attacks involve a compromised dependency package.
Typically, the attacker either injects malicious code into a publicly available dependency or sets up a separate, private repository to distribute a malicious dependency that looks safe.
Even if you use a package manager to fetch trusted packages, it can be tricked into downloading packages from such a repository, and you will have no idea that it happened.
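One defensive check against the scenario just described is to audit where each locked dependency was actually resolved from before it is installed. The following added example (not part of the article and not Package Hunter's own code) parses a constructed npm package-lock.json, compares each package's resolved host against an expected registry (a public default plus a per-package map for packages that should only come from a private registry), and flags entries without an integrity hash. The host names, package names and lockfile contents are all constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample lockfile (npm lockfileVersion 2 layout). Not a real project's
# lockfile; package names, hosts and integrity values are placeholders.
SAMPLE_LOCKFILE = json.dumps({
    "name": "example-app",
    "lockfileVersion": 2,
    "packages": {
        "": {"name": "example-app"},
        "node_modules/left-pad": {
            "version": "1.3.0",
            "resolved": "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
        # An internal package that should only ever come from the private registry,
        # but was resolved from the public one.
        "node_modules/internal-utils": {
            "version": "2.0.0",
            "resolved": "https://registry.npmjs.org/internal-utils/-/internal-utils-2.0.0.tgz",
            "integrity": "sha512-PLACEHOLDER",
        },
        # Resolved from the expected host but without an integrity hash recorded.
        "node_modules/some-other": {
            "version": "0.1.0",
            "resolved": "https://registry.npmjs.org/some-other/-/some-other-0.1.0.tgz",
        },
    },
})

# Packages that must come from a specific (here: hypothetical private) registry host.
EXPECTED_HOSTS = {"internal-utils": "packages.example-internal.test"}


def package_name(path):
    """Derive the package name from a lockfile 'packages' key.

    Handles scoped names ("node_modules/@scope/name") and nested installs
    ("node_modules/a/node_modules/b") by taking the last node_modules segment.
    """
    return path.split("node_modules/")[-1]


def audit_lockfile(lock_text, expected_hosts, default_host="registry.npmjs.org"):
    """Return a list of (package, reason) findings for a package-lock.json body.

    A package is flagged when its resolved URL is not https, when it was
    resolved from a host other than the one expected for it, or when no
    integrity hash is recorded (so the tarball cannot be verified on install).
    """
    lock = json.loads(lock_text)
    findings = []
    for path, entry in lock.get("packages", {}).items():
        if path == "":
            continue  # root project entry, not a dependency
        name = package_name(path)
        resolved = entry.get("resolved")
        if resolved is None:
            findings.append((name, "no resolved URL recorded"))
            continue
        parsed = urlparse(resolved)
        if parsed.scheme != "https":
            findings.append((name, f"resolved over {parsed.scheme}, expected https"))
        expected = expected_hosts.get(name, default_host)
        if parsed.hostname != expected:
            findings.append((name, f"resolved from {parsed.hostname}, expected {expected}"))
        if not entry.get("integrity"):
            findings.append((name, "no integrity hash recorded"))
    return findings


if __name__ == "__main__":
    for package, reason in audit_lockfile(SAMPLE_LOCKFILE, EXPECTED_HOSTS):
        print(f"{package}: {reason}")
```

Run against a real lockfile, the per-package map would list every internal package name, and any finding should block the install step in CI rather than merely print.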
Hence, an additional check on the supply chain that is as convenient as Package Hunter should improve software supply chain security.
And if the open-source supply chain in particular becomes more secure, the security of open-source software will gradually get a boost as well.
How Does it Work? How Can You Get it?
Package Hunter scans for malicious code and keeps an eye on unexpected behavior from the dependencies.
It installs the dependencies in a sandbox environment and monitors that installation to detect any anomalies.
As of now, it supports testing NodeJS modules and Ruby Gems.
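To make the sandbox-monitoring idea concrete, here is an added example (not code from the article or from Package Hunter) of the kind of rule set such a monitor applies to the events it records while a package is installed. It runs over a constructed list of (process, action, target) events, the shape a syscall-level monitor might emit during an install, and flags network connections to hosts other than the package registry, access to sensitive files, a shell spawned during install, and writes outside the install directory. The install root, allowed hosts, paths and event records are all constructed for illustration.

```python
import os

# Constructed events as a sandbox monitor might record them during a package
# install. Each entry is (process name, action, target). Not captured from any
# real package; the IP and paths are illustrative placeholders.
SAMPLE_EVENTS = [
    ("npm", "connect", "registry.npmjs.org:443"),              # expected: fetch tarball
    ("npm", "write", "/sandbox/node_modules/left-pad/index.js"),  # expected: unpack
    ("node", "connect", "203.0.113.10:443"),                    # install script phones home
    ("node", "open", "/home/builder/.ssh/id_rsa"),              # reads a private key
    ("node", "exec", "/bin/sh"),                                # spawns a shell
    ("sh", "write", "/home/builder/.bashrc"),                   # persists outside install dir
]

INSTALL_ROOT = "/sandbox/node_modules"      # hypothetical sandbox install directory
ALLOWED_NET = {"registry.npmjs.org"}         # the only host an install should contact
SENSITIVE_PREFIXES = ("/home/builder/.ssh", "/home/builder/.aws", "/etc/shadow")
SHELLS = {"sh", "bash", "dash", "zsh"}


def analyze_events(events, install_root=INSTALL_ROOT, allowed_net=ALLOWED_NET):
    """Return a list of (rule, process, target) alerts for the recorded events.

    Rules, in order: outbound connection to a host not in allowed_net; open or
    write of a sensitive path; a shell executed during install; a write that
    lands outside the install directory.
    """
    alerts = []
    for proc, action, target in events:
        if action == "connect":
            host = target.rsplit(":", 1)[0]
            if host not in allowed_net:
                alerts.append(("unexpected_network", proc, target))
        elif action in ("open", "write"):
            if target.startswith(SENSITIVE_PREFIXES):
                alerts.append(("sensitive_file_access", proc, target))
            elif action == "write" and not target.startswith(install_root + "/"):
                alerts.append(("write_outside_install_dir", proc, target))
        elif action == "exec":
            if os.path.basename(target) in SHELLS:
                alerts.append(("shell_spawned", proc, target))
    return alerts


def verdict(events):
    """Summarize an install as 'clean' or 'suspicious' with the set of rules hit."""
    rules_hit = sorted({rule for rule, _, _ in analyze_events(events)})
    return ("suspicious" if rules_hit else "clean"), rules_hit


if __name__ == "__main__":
    for rule, proc, target in analyze_events(SAMPLE_EVENTS):
        print(f"[{rule}] {proc} -> {target}")
    print(verdict(SAMPLE_EVENTS))
```

The value of running this in a sandbox is that install-time scripts execute there instead of on a developer's machine or build agent, so a hit on any of these rules can stop the package before it reaches the real environment.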
GitLab has been using the tool internally for a while, and it now integrates seamlessly with GitLab.
You can learn more about setting it up by referring to the official documentation and the Package Hunter CLI instructions.
It is available as a free and open-source project on GitLab.
What do you think about GitLab’s open-source tool to help detect malicious code? Feel free to share your thoughts in the comments below.