DepSentry is a high-performance Supply Chain Security tool designed for Blue Teams and DevSecOps.
Unlike standard auditors that only check for CVEs, DepSentry acts as a proactive middleware, analyzing packages for malware, obfuscation, and reputation issues before they are installed in your environment.
It detects hidden malware and high-entropy payloads in seconds.
You don't need to install Rust. Download the ready-made executables for your OS from the Releases Page.
| OS | Method | File to Download | Instructions |
|---|---|---|---|
| Windows | Installer | DepSentry-Installer-x64.msi | Recommended. Installs DepSentry and automatically adds it to your PATH. |
| Ubuntu / Debian | Package | DepSentry-Linux-x64.deb | Install: `sudo dpkg -i DepSentry-Linux-x64.deb` |
| Linux (Arch/Other) | Archive | DepSentry-Linux-x64.tar.gz | Extract and move the binary to /usr/local/bin. |
If you prefer to compile it yourself, ensure you have Rust and Cargo installed.

```bash
# 1. Clone the repository
git clone https://github.com/swek09/depsentry.git
cd depsentry

# 2. Build in release mode (for maximum speed)
cargo build --release

# 3. The binary will be located at:
# Windows: ./target/release/depsentry.exe
# Linux/Mac: ./target/release/depsentry
```

DepSentry combines database queries with real-time heuristic analysis:
- CVE Scanning: Instant verification against the Google OSV database.
- Malware Heuristics: Detects suspicious patterns (`eval`, `exec`, shell injection, hardcoded IPs).
- Entropy Analysis: Identifies packed or obfuscated code (Shannon entropy > 7.5), a common indicator of hidden malware.
- Downloads and extracts packages to a temporary, isolated directory.
- Zero Footprint: Malicious code is never executed or installed on the host machine during analysis.
- Zip Slip Protection: Prevents path traversal attacks during extraction.
- Built with Rust for memory safety and speed.
- Parallel Processing: Powered by Rayon and Tokio, DepSentry analyzes thousands of files simultaneously, utilizing all CPU cores.
- Typosquatting Detection: Warns if a package name mimics popular libraries (e.g., `react` vs `reacct`).
- Reputation Check: Flags packages that are dangerously new (< 7 days old).
Analyze a remote package without installing it. Useful for quick vetting.

```bash
# Auto-detect ecosystem (NPM/PyPI)
depsentry check axios

# Specify version and type explicitly
depsentry check requests --version 2.31.0 --type pip
```
Scan an entire manifest (package.json) in the current directory. This mode is designed for CI/CD pipelines as a quality gate.

```bash
# Run in the root of your project
depsentry scan
```

Output example:

```text
Risk Score: 100 (CRITICAL)
+----------+----------+-------------------------------------+
| Severity | Category | Description                         |
+----------+----------+-------------------------------------+
| HIGH     | CVE      | GHSA-4hjh: Axios vulnerable to DoS  |
| HIGH     | Malware  | Suspicious entropy in dist/index.js |
+----------+----------+-------------------------------------+
```
DepSentry follows a modular "Pipeline" architecture:

- CLI Parser (`clap`): Handles user input and flags.
- Fetcher Module (`reqwest`): Asynchronously downloads metadata and tarballs from NPM/PyPI registries.
- Sandbox Manager: Creates secure temporary directories (`tempfile`).
- Analysis Engine (`rayon`):
  - Static Analyzer: Regex-based signature matching.
  - Entropy Calculator: Shannon entropy math.
  - OSV Client: API queries for vulnerabilities.
- Reporter: Aggregates results into a Risk Score (0-100) and renders the report.
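The entropy heuristic behind the Entropy Calculator and the Entropy Analysis feature above, shown as an added Rust example that is not DepSentry's own code. The 7.5 bits/byte threshold is the one the feature list states; the file paths and file contents are constructed samples.

```rust
/// Flagging threshold from the feature list: above 7.5 bits per byte
/// (the maximum is 8.0) a file is treated as packed or obfuscated.
pub const ENTROPY_THRESHOLD: f64 = 7.5;

/// Shannon entropy of a byte buffer in bits per byte.
/// Empty input returns 0.0 instead of producing NaN.
pub fn shannon_entropy(data: &[u8]) -> f64 {
    if data.is_empty() {
        return 0.0;
    }
    // Histogram over all 256 byte values, then sum -p * log2(p).
    let mut counts = [0usize; 256];
    for &b in data {
        counts[b as usize] += 1;
    }
    let len = data.len() as f64;
    counts
        .iter()
        .filter(|&&c| c > 0)
        .map(|&c| {
            let p = c as f64 / len;
            -p * p.log2()
        })
        .sum()
}

/// Walk (path, contents) pairs as an extracted package tree would be walked
/// and return the files whose entropy exceeds the threshold, with the score.
/// Caveat: genuinely compressed assets (images, .gz) and some minified
/// bundles also score high, so a hit is a signal to review, not a verdict.
pub fn flag_high_entropy<'a>(files: &[(&'a str, &[u8])]) -> Vec<(&'a str, f64)> {
    files
        .iter()
        .map(|(path, data)| (*path, shannon_entropy(data)))
        .filter(|(_, e)| *e > ENTROPY_THRESHOLD)
        .collect()
}

fn main() {
    // Constructed sample files (not real package contents): readable source,
    // and a uniform byte distribution (entropy 8.0) standing in for a packed payload.
    let source = b"function add(a, b) { return a + b; }\nmodule.exports = { add };\n";
    let packed: Vec<u8> = (0..=255u8).cycle().take(4096).collect();
    let files: [(&str, &[u8]); 2] = [("lib/add.js", &source[..]), ("dist/index.js", &packed[..])];
    for (path, entropy) in flag_high_entropy(&files) {
        println!("HIGH | Malware | Suspicious entropy in {} ({:.2} bits/byte)", path, entropy);
    }
}
```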
Copyright 2026 Mikhail Grishak.
Licensed under the Apache License, Version 2.0.
See LICENSE file for more details.
