SecChain - Package Security Scanner

SecChain (invoked as cc) scans packages before they touch your system, running the scan inside an isolated Docker sandbox when Docker is available (see Prerequisites under Development).
Features
- Real CVE Detection - Queries the OSV.dev database for known vulnerabilities
- Metadata Analysis - Package registry metadata anomaly detection
- Auto-Scan - Shell hooks for automatic package scanning
- Multi-Ecosystem - Support for Node.js, Python, Rust, Go, Ruby
- Multiple Formats - Table, JSON, and minimal output formats
Quick Start
Installation
Binary Installation (Recommended)
The release binary is named cc. On Linux and macOS that is also the conventional name of the system C compiler (/usr/bin/cc), so placing it in /usr/local/bin shadows the compiler for any PATH that lists /usr/local/bin first; rename it (for example to secchain) on machines that build C code.
# Linux (AMD64)
curl -L -o secchain.tar.gz "https://github.com/YsfDev1/SecChain/releases/latest/download/secchain-linux-amd64.tar.gz"
tar -xzf secchain.tar.gz
chmod +x cc
sudo mv cc /usr/local/bin/
# macOS (Intel)
curl -L -o secchain.tar.gz "https://github.com/YsfDev1/SecChain/releases/latest/download/secchain-darwin-amd64.tar.gz"
tar -xzf secchain.tar.gz
chmod +x cc
sudo mv cc /usr/local/bin/
# Windows (AMD64) - run from an elevated PowerShell; the target folder is created if missing and must be on PATH
powershell -Command "Invoke-WebRequest -Uri 'https://github.com/YsfDev1/SecChain/releases/latest/download/secchain-windows-amd64.zip' -OutFile 'secchain.zip'; Expand-Archive -Path 'secchain.zip' -DestinationPath '.'; New-Item -ItemType Directory -Force -Path 'C:\Program Files\SecChain' | Out-Null; Move-Item 'cc.exe' -Destination 'C:\Program Files\SecChain\'"
Go Install
# the resulting binary is named secchain (not cc) and is placed in $(go env GOPATH)/bin
go install github.com/YsfDev1/SecChain/cmd/secchain@latest
First Use
# Check system health
cc doctor
# Scan a package with known vulnerabilities
cc scan --pkg lodash --version 4.17.15 --ecosystem node
# Enable auto-scan for automatic protection
cc auto enable
# View configuration
cc config show
Example Usage
CVE Scanning
# Scan a specific package
cc scan --pkg express --version 4.18.2 --ecosystem node
# Output:
# PACKAGE VERSION ECOSYSTEM SEVERITY LAYER REASON
# express 4.18.2 node LOW CVE CVE GHSA-qw6h-vgh9-j6wx: express vulnerable to XSS...
# Scan with JSON output
cc scan --pkg requests --version 2.28.1 --ecosystem python --format json
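How the CVE layer gets from a --pkg/--version/--ecosystem triple to the SEVERITY and REASON columns shown above, as an added Go example (not SecChain's own code): it builds the OSV /v1/query request, maps cc's ecosystem names to OSV's identifiers, and applies a min_severity gate like the one set under Configuration Management. The endpoint and the request/response shape are OSV's real ones; the ecosystem map, the severity ranking, the bracketed aliases appended to REASON, and the sample response are this example's own assumptions, and the sample is constructed rather than captured.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"strings"
)

const osvQueryURL = "https://api.osv.dev/v1/query" // real OSV endpoint

// cc's --ecosystem values are short names; OSV wants its own identifiers (assumed mapping).
var ecosystemToOSV = map[string]string{"node": "npm", "python": "PyPI", "rust": "crates.io", "go": "Go", "ruby": "RubyGems"}

type osvQuery struct {
	Version string `json:"version"`
	Package struct {
		Name      string `json:"name"`
		Ecosystem string `json:"ecosystem"`
	} `json:"package"`
}

// The OSV vulnerability fields this scanner uses; aliases carry the CVE id behind a GHSA id.
type osvVuln struct {
	ID               string          `json:"id"`
	Summary          string          `json:"summary"`
	Aliases          []string        `json:"aliases"`
	DatabaseSpecific json.RawMessage `json:"database_specific"`
}

// Finding mirrors the LAYER / SEVERITY / REASON columns of cc's table output.
type Finding struct{ Layer, Severity, Reason string }

var severityRank = map[string]int{"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

func BuildQuery(pkg, version, ecosystem string) ([]byte, error) {
	eco, ok := ecosystemToOSV[strings.ToLower(ecosystem)]
	if !ok {
		return nil, fmt.Errorf("unsupported ecosystem %q", ecosystem)
	}
	var q osvQuery
	q.Version, q.Package.Name, q.Package.Ecosystem = version, pkg, eco
	return json.Marshal(q)
}

// vulnSeverity reads the GitHub-advisory style database_specific.severity
// (LOW/MODERATE/HIGH/CRITICAL); anything else becomes UNKNOWN rather than being dropped.
func vulnSeverity(v osvVuln) string {
	var ds struct {
		Severity string `json:"severity"`
	}
	if json.Unmarshal(v.DatabaseSpecific, &ds) == nil {
		s := strings.ToUpper(ds.Severity)
		if s == "MODERATE" {
			s = "MEDIUM"
		}
		if _, ok := severityRank[s]; ok {
			return s
		}
	}
	return "UNKNOWN"
}

// ParseFindings turns an OSV response into findings at or above minSeverity (the same
// gate as cc config set min_severity). An advisory with no rating is never filtered out.
func ParseFindings(body []byte, minSeverity string) ([]Finding, error) {
	var resp struct {
		Vulns []osvVuln `json:"vulns"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return nil, fmt.Errorf("decode OSV response: %w", err)
	}
	threshold, ok := severityRank[strings.ToUpper(minSeverity)]
	if !ok {
		return nil, fmt.Errorf("unknown min_severity %q", minSeverity)
	}
	var out []Finding
	for _, v := range resp.Vulns {
		sev := vulnSeverity(v)
		if sev != "UNKNOWN" && severityRank[sev] < threshold {
			continue
		}
		reason := fmt.Sprintf("CVE %s: %s", v.ID, v.Summary)
		if len(v.Aliases) > 0 {
			reason += " [" + strings.Join(v.Aliases, ", ") + "]"
		}
		out = append(out, Finding{"CVE", sev, reason})
	}
	return out, nil
}

// QueryOSV is the live path: same request body, same parser, bounded response size.
func QueryOSV(client *http.Client, pkg, version, ecosystem, minSeverity string) ([]Finding, error) {
	body, err := BuildQuery(pkg, version, ecosystem)
	if err != nil {
		return nil, err
	}
	resp, err := client.Post(osvQueryURL, "application/json", bytes.NewReader(body))
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("OSV returned HTTP %d", resp.StatusCode)
	}
	data, err := io.ReadAll(io.LimitReader(resp.Body, 8<<20))
	if err != nil {
		return nil, err
	}
	return ParseFindings(data, minSeverity)
}

// sampleResponse is a constructed OSV-shaped reply for lodash 4.17.15 using advisory ids from
// this README; the severities and the missing rating on the last entry are made up for the demo.
const sampleResponse = `{"vulns":[
 {"id":"GHSA-p6mc-m468-83gw","summary":"Prototype Pollution in lodash","aliases":["CVE-2020-8203"],"database_specific":{"severity":"HIGH"}},
 {"id":"GHSA-29mw-wpgm-hmr9","summary":"Regular Expression Denial of Service (ReDoS) in lodash","aliases":["CVE-2020-28500"],"database_specific":{"severity":"MODERATE"}},
 {"id":"GHSA-35jh-r3h4-6jhm","summary":"Command Injection in lodash","aliases":["CVE-2021-23337"]}
]}`

func main() {
	findings, err := ParseFindings([]byte(sampleResponse), "low")
	if err != nil {
		panic(err)
	}
	for _, f := range findings {
		fmt.Printf("%-4s %-8s %s\n", f.Layer, f.Severity, f.Reason)
	}
}
```

For a live scan, call QueryOSV(http.DefaultClient, "lodash", "4.17.15", "node", "low"); the response cap and the pass-through of unrated advisories are the two choices worth keeping in any real implementation.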
Auto-Scan Protection
# Enable automatic scanning
cc auto enable
# Auto-scan enabled
# Shell: zsh
# Config: /home/user/.zshrc
#
# Restart your shell or run:
# source /home/user/.zshrc
# Check status
cc auto status
# SecChain Auto-Scan Status:
# Enabled: true
# Shell: zsh
# Config: /home/user/.zshrc
# Hooks: npm, pip, cargo, go, gem
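What a shell hook of the kind cc auto enable writes into .zshrc has to do, as an added Go example rather than the project's hooks/ package: render a function that shadows npm or pip, scan each pinned name@version (or name==version) with cc scan before handing the arguments to the real binary, and manage that block in the rc file idempotently so enable/disable never duplicates or clobbers the user's own config. The marker comments, the per-manager table and the assumption that cc scan exits non-zero when it wants to block an install are this example's own; the rc content it operates on is a constructed stand-in.

```go
package main

import (
	"fmt"
	"strings"
)

// Marker comments that delimit the block SecChain would own inside the rc file.
// They are this example's assumption, not the project's real markers.
const (
	beginMarker = "# >>> secchain auto-scan >>>"
	endMarker   = "# <<< secchain auto-scan <<<"
)

// Manager describes how one package manager spells "install name at version".
type Manager struct {
	Cmd       string // binary the shell function shadows
	SubCmds   string // shell case pattern of install-like subcommands
	Sep       string // separator between name and pinned version
	Ecosystem string // value passed to cc scan --ecosystem
}

// Two of the five hooked managers. cargo add and go get also use "@"; gem's -v flag needs its own case arm.
var managers = []Manager{
	{Cmd: "npm", SubCmds: "install|i|add", Sep: "@", Ecosystem: "node"},
	{Cmd: "pip", SubCmds: "install", Sep: "==", Ecosystem: "python"},
}

// hookTemplate is POSIX sh, so it works in bash and zsh. `command` bypasses the function
// itself, which is what prevents infinite recursion. A scoped npm name such as
// @types/node@18.0.0 still splits correctly: the pattern ?*@* needs an @ after the first
// character, and %@* strips only the trailing @version.
// Assumption: cc scan exits non-zero when it wants the install blocked.
const hookTemplate = `__CMD__() {
  case "$1" in
    __SUBCMDS__)
      for spec in "$@"; do
        case "$spec" in
          __SUBCMDS__|-*) continue ;;
          ?*__SEP__*)
            cc scan --pkg "${spec%__SEP__*}" --version "${spec##*__SEP__}" --ecosystem __ECO__ || return 1 ;;
          *) printf 'secchain: %s has no pinned version, skipping pre-install scan\n' "$spec" >&2 ;;
        esac
      done ;;
  esac
  command __CMD__ "$@"
}`

func RenderHook(m Manager) string {
	return strings.NewReplacer("__CMD__", m.Cmd, "__SUBCMDS__", m.SubCmds, "__SEP__", m.Sep, "__ECO__", m.Ecosystem).Replace(hookTemplate)
}

// RenderBlock wraps all hooks in the markers so they can be found and removed later.
func RenderBlock(ms []Manager) string {
	var b strings.Builder
	b.WriteString(beginMarker + "\n")
	for _, m := range ms {
		b.WriteString(RenderHook(m) + "\n")
	}
	b.WriteString(endMarker + "\n")
	return b.String()
}

// RemoveHooks strips a previously installed block and leaves everything else byte-for-byte intact.
// A begin marker without an end marker is refused rather than guessed at.
func RemoveHooks(rc string) (string, error) {
	start := strings.Index(rc, beginMarker)
	if start < 0 {
		return rc, nil
	}
	rel := strings.Index(rc[start:], endMarker)
	if rel < 0 {
		return "", fmt.Errorf("rc file has a begin marker but no end marker; repair it by hand")
	}
	end := start + rel + len(endMarker)
	if end < len(rc) && rc[end] == '\n' {
		end++
	}
	return rc[:start] + rc[end:], nil
}

// InstallHooks adds the block exactly once; re-running replaces the old block instead of appending another.
func InstallHooks(rc, block string) (string, error) {
	clean, err := RemoveHooks(rc)
	if err != nil {
		return "", err
	}
	if clean != "" && !strings.HasSuffix(clean, "\n") {
		clean += "\n"
	}
	return clean + block, nil
}

func main() {
	rc := "export PATH=$HOME/bin:$PATH\n" // constructed stand-in for ~/.zshrc
	block := RenderBlock(managers)
	once, err := InstallHooks(rc, block)
	if err != nil {
		panic(err)
	}
	twice, err := InstallHooks(once, block)
	if err != nil {
		panic(err)
	}
	restored, _ := RemoveHooks(twice)
	fmt.Print(once)
	fmt.Println("idempotent:", once == twice, "disable restores rc:", restored == rc)
}
```

Two properties matter for a hook like this: it must never run when the user bypasses it (command npm, /usr/bin/npm or a script with its own PATH all skip the function, so the hook is a convenience, not a control), and enable/disable must be reversible without touching the rest of the rc file.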
Configuration Management
# View current configuration
cc config show
# Set strict mode
cc config set mode strict
# Set minimum severity to high
cc config set min_severity high
# Enable offline mode
cc config set offline true
Architecture
graph TD
A[CLI Command] --> B[Scanning Pipeline]
B --> C[Dependency Resolver]
B --> D[CVE Scanner]
B --> E[Metadata Scanner]
C --> I[Package Registries]
D --> J[OSV API]
E --> I
B --> N[Output Formatter]
N --> O[Table/JSON/Minimal]
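The Metadata Scanner box above talks to the package registries rather than to OSV. As an added example (illustrative heuristics, not the project's own rules), here is a metadata check in Go over the npm registry document (GET https://registry.npmjs.org/<name>): it flags install-time lifecycle scripts and versions or packages published very recently, two of the signals commonly used to catch typosquats and hijacked releases. The registry field names are npm's; the thresholds, the severities and the sample document are constructed for this example.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// The parts of the npm registry document (GET https://registry.npmjs.org/<name>) this check reads.
type registryDoc struct {
	Name     string                     `json:"name"`
	Versions map[string]registryVersion `json:"versions"`
	Time     map[string]string          `json:"time"` // "created", "modified" and one RFC 3339 stamp per version
}

type registryVersion struct {
	Scripts map[string]string `json:"scripts"`
}

// Finding mirrors the LAYER / SEVERITY / REASON columns of cc's table output.
type Finding struct{ Layer, Severity, Reason string }

// Illustrative thresholds; SecChain's own metadata rules are not documented in this README.
const (
	youngVersion = 72 * time.Hour
	youngPackage = 30 * 24 * time.Hour
)

// Lifecycle scripts npm runs automatically during install, i.e. arbitrary code execution on the host.
var installScripts = []string{"preinstall", "install", "postinstall"}

func ParseRegistryDoc(data []byte) (registryDoc, error) {
	var doc registryDoc
	if err := json.Unmarshal(data, &doc); err != nil {
		return doc, fmt.Errorf("decode registry document: %w", err)
	}
	return doc, nil
}

// CheckMetadata evaluates one published version against the registry document as of time now.
func CheckMetadata(doc registryDoc, version string, now time.Time) ([]Finding, error) {
	v, ok := doc.Versions[version]
	if !ok {
		return nil, fmt.Errorf("%s@%s is not published in the registry", doc.Name, version)
	}
	var out []Finding
	for _, s := range installScripts {
		if cmd, ok := v.Scripts[s]; ok {
			out = append(out, Finding{"METADATA", "MEDIUM", fmt.Sprintf("%s lifecycle script runs at install time: %q", s, cmd)})
		}
	}
	// age reports how long ago the named time entry was; absent or malformed stamps yield no age finding.
	age := func(key string) (time.Duration, bool) {
		stamp, ok := doc.Time[key]
		if !ok {
			return 0, false
		}
		t, err := time.Parse(time.RFC3339, stamp)
		if err != nil {
			return 0, false
		}
		return now.Sub(t), true
	}
	if d, ok := age(version); ok && d < youngVersion {
		out = append(out, Finding{"METADATA", "LOW", fmt.Sprintf("version %s was published only %s ago", version, d.Round(time.Hour))})
	}
	if d, ok := age("created"); ok && d < youngPackage {
		out = append(out, Finding{"METADATA", "LOW", fmt.Sprintf("package %s was first published only %s ago", doc.Name, d.Round(time.Hour))})
	}
	return out, nil
}

// sampleRegistryDoc is a constructed registry document for a fictional package, not a live capture.
const sampleRegistryDoc = `{
  "name": "example-widget",
  "versions": {
    "1.0.0": {"scripts": {"test": "node test.js"}},
    "1.2.3": {"scripts": {"test": "node test.js", "postinstall": "node scripts/setup.js"}}
  },
  "time": {
    "created": "2023-01-05T09:00:00Z",
    "modified": "2024-03-01T10:00:00Z",
    "1.0.0": "2023-01-05T09:00:00Z",
    "1.2.3": "2024-03-01T10:00:00Z"
  }
}`

func main() {
	doc, err := ParseRegistryDoc([]byte(sampleRegistryDoc))
	if err != nil {
		panic(err)
	}
	now := time.Date(2024, 3, 2, 10, 0, 0, 0, time.UTC) // fixed clock so the run is reproducible
	for _, ver := range []string{"1.0.0", "1.2.3"} {
		findings, err := CheckMetadata(doc, ver, now)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s@%s: %d metadata finding(s)\n", doc.Name, ver, len(findings))
		for _, f := range findings {
			fmt.Printf("  %-8s %-6s %s\n", f.Layer, f.Severity, f.Reason)
		}
	}
}
```

The clock is passed in rather than read from time.Now() so the check is deterministic and testable; in a real scanner the same document fetch can feed further signals (maintainer changes between versions, a version whose tarball digest differs from the one in a lockfile) without a second round trip.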
Documentation
Supported Ecosystems
| Ecosystem | Package Manager | Status |
| --- | --- | --- |
| Node.js | npm, yarn | Full |
| Python | pip, poetry | Full |
| Rust | cargo | Full |
| Go | go modules | Full |
| Ruby | gem, bundler | Full |
Commands
| Command | Description |
| --- | --- |
| cc scan | Scan packages and projects |
| cc doctor | Check system health |
| cc auto | Manage auto-scan hooks |
| cc config | View and modify configuration |
| cc report | Show scan reports and history |
| cc update-rules | Update YARA rules and CVE cache |
| cc version | Show version information |
Development
Prerequisites
- Go 1.21 or later
- Docker (optional, for sandbox scanning)
- Git
Setup
# Clone the repository
git clone https://github.com/YsfDev1/SecChain.git
cd SecChain
# Install dependencies
go mod tidy
# Build the project
go build -o secchain main.go
# Run tests
go test ./...
# Run integration tests
./test_real_scanning.sh
Project Structure
SecChain/
├── cmd/        # CLI commands
├── scanner/    # Core scanning logic
├── config/     # Configuration management
├── cache/      # Caching layer
├── hooks/      # Shell hook management
├── output/     # Output formatting
├── rules/      # YARA rules (created on first use)
├── docs/       # Documentation
├── .github/    # GitHub workflows and templates
└── scripts/    # Build and utility scripts
Contributing
We welcome contributions! Please see our Contributing Guide for details.
- Fork the repository
- Create a feature branch (git checkout -b feature/amazing-feature)
- Commit your changes (git commit -m 'Add amazing feature')
- Push to the branch (git push origin feature/amazing-feature)
- Open a Pull Request
Real-World Results
SecChain has successfully identified real vulnerabilities in popular packages:
PACKAGE VERSION ECOSYSTEM SEVERITY LAYER REASON
lodash 4.17.15 node LOW CVE CVE GHSA-29mw-wpgm-hmr9: Regular Expression Den...
lodash 4.17.15 node LOW CVE CVE GHSA-35jh-r3h4-6jhm: Command Injection in l...
lodash 4.17.15 node LOW CVE CVE GHSA-f23m-r3pf-42rh: lodash vulnerable to P...
lodash 4.17.15 node LOW CVE CVE GHSA-p6mc-m468-83gw: Prototype Pollution in...
Output of cc scan --pkg express --version 4.18.2 --ecosystem node --format json:
{
"Package": "express",
"Version": "4.18.2",
"Ecosystem": "node",
"Findings": [
{
"Layer": "CVE",
"Severity": "LOW",
"Reason": "CVE GHSA-qw6h-vgh9-j6wx: express vulnerable to XSS via response.redirect()"
}
]
}
Security
SecChain takes security seriously:
- Never writes package contents to the host filesystem
- Uses isolated Docker containers for scanning
- Validates all user input and package metadata
- Operates with minimal required permissions
- Follows the principle of least privilege
For security issues, please email security@secchain.dev instead of using public issues.
License
This project is licensed under the GNU General Public License v3.0 - see the LICENSE file for details.
Acknowledgments
- OSV.dev - Open Source Vulnerability database
- Cobra - CLI framework
- Docker - Container platform
- YARA - Pattern matching framework
- ClamAV - Antivirus engine
Support
SecChain - Protect your chain